Over the next two years, the ISF believes that rapid advances in intelligent technologies and the conflicting demands posed by heightened national security and individual privacy will erode organizations' ability to control their own information.
New surveillance laws intended to improve national security will require communications providers to bulk-collect data that could reveal corporate secrets, Durbin says. Organizations won't be able to define the security arrangements around these data reservoirs, and they could become attractive targets for attackers who have the knowledge and capability to extract and exploit the data stored in them.
At the same time, Durbin says, new data privacy regulations like the European Union's General Data Protection Regulation (GDPR) will make it more difficult for organizations subject to them to monitor the behavior of insiders. The GDPR requires that organizations be transparent about their use of tools to monitor user behavior, which Durbin says will give malicious insiders exactly the information needed to bypass such controls.
Meanwhile, technological innovation will continue to outpace regulations. Durbin says increasingly mature AI in automated systems will start to make independent decisions that will contradict defined business rules, disrupt operations and create new security vulnerabilities.
While many of these factors will be out of the direct control of your organization, Durbin says business and security leaders can prepare for these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce ready for the adoption of advanced technology.
Surveillance laws expose corporate secrets
Some governments have already begun creating surveillance legislation that requires communications providers to collect and store data related to electronic and voice communications. The ISF anticipates that the trend will continue over the next two years.
The intention of such legislation may be to identify and monitor terrorists and other such groups, but the data collection will necessarily sweep up a great deal more information, including sensitive data from organizations.
The ISF notes motivated attackers will quickly recognize the value of this data, know where it is and how to get it, and have the capability to analyze, interpret and exploit it. Such information could reveal things like plans for mergers and acquisitions, IP under development and details of new products in the pipeline.
The ISF argues that five factors will combine to make it a question of when, not if, data stolen from a communications provider will expose secrets:
- No organization will be able to avoid the collection of their data; it will be a legal requirement.
- The data is likely to be stored in multiple locations by multiple external parties — each applying different levels of security.
- The increasing volume and impact of data breaches across the globe suggests the data won't be adequately protected.
- Attackers seeking to exploit the data are likely to be better funded and more motivated than the people responsible for protecting it.
- The potential value from analyses of the data will make it an obvious target for well-resourced, highly skilled and determined attackers, including organized criminal groups, competitors, terrorist groups and nation states.
Sign up for CIO Asia eNewsletters.