Chapter 9. Evolving Threat Environment

Executive summary

The current situation is not good, and is unlikely to get better. All boards need to take action to deal with current risks; they also need to ensure that they are able to cope with future ones.

Key trends

A number of significant trends mean that information security will become even more challenging in the years ahead.

  • The use of distributed computing is increasing. Computing power has migrated from centralized mainframe computers and data processing centres to a distributed network of desktop, laptop and micro computers, and this makes information security much more difficult.

  • There is a strong trend toward mobile computing. The use of laptop computers, Personal Digital Assistants (PDAs), mobile phones, digital cameras, portable projectors and MP3 players has made working from home or on the road relatively straightforward, with the result that network perimeters are becoming increasingly porous. There are many more remote access points to networks, and the fast-growing number of easily accessible endpoint devices increases the opportunities to break into networks and steal or corrupt information.

  • There has been a dramatic growth in the use of the Internet for business communication, underpinning the development of Instant Messaging, wireless, VoIP and broadband. The Internet provides an effective, immediate and powerful method for organizations to communicate on all sorts of issues. This exposes all these organizations to the security risks that go with connection to an unregulated environment and with the deployment, in an enterprise setting, of tools originally designed for consumers – tools which have little or no enterprise-strength security capability.

  • Better hacker tools are available every day, on hacker websites that themselves proliferate. These tools are improved regularly and, increasingly, less and less technologically proficient criminals – and computer-literate terrorists – are enabled to cause more and more damage to target networks.

  • Increasingly, hackers, virus writers and spam operators are co-operating to find ways of spreading more spam: not just because it’s fun, but because direct e-mail marketing of dodgy products is highly lucrative. Phishing and other Internet fraud activity will continue evolving and will become an ever bigger problem.

  • This will lead, inevitably, to an increase in blended threats that can only be countered with a more effective combination of technologies and processes.

  • Increasingly sophisticated technology defences, particularly around user authorization and authentication, will drive an increase in social engineering derived hacker attacks.

ISO 27001

In an increasingly threatening environment, directors need to take appropriate action to deal with risks to their business from threats to their information and technology assets and infrastructure. They don’t have time to re-invent the wheel and solve the security problems afresh at every organization, nor do they need to. Information insecurity is a common problem, and a common, best-practice solution has emerged: ISO 27001 provides a vendor-independent, system-agnostic information security framework that any organization anywhere in the world can apply to help manage its information-related risks.
