THREAT HORIZON 2017 - Information Security Forum...Threat Horizon 2017 contains detailed...


Page 1: THREAT HORIZON 2017 - Information Security Forum...Threat Horizon 2017 contains detailed descriptions of nine key threats along with details of potential business impacts, recommended

The pace and scale of information security threats continue to accelerate, endangering the integrity and reputation of trusted organisations. Although cyberspace offers opportunities for leading organisations, this environment is uncertain and potentially dangerous. It is a place where hacktivists and cybercriminals are honing their skills and governments are introducing new regulation and legislation in response to major incidents and public concerns. Organisations are forced to continually adapt and rapidly respond. Those that are informed and prepared for change will go a long way to securing their future.

To assist ISF Members, the annual ISF Threat Horizon report takes a two-year perspective of major threats, describing potential implications and providing recommendations to organisations.

This year’s report identifies nine compelling threats that are set out under three thought-provoking themes. These themes engage with particularly difficult cybersecurity challenges in a way that is relevant to senior business managers, information security professionals and other key organisational stakeholders. They are:

• Disruption divides and conquers – innovation is bringing new opportunities for business, but also malicious actors that seek to disrupt operations.

• Complexity conceals fragility – a cyberspace congested with people and devices is becoming more complex, exposing the fragility of the underlying infrastructure.

• Complacency bites back – organisations are too complacent, paying insufficient attention to threats concealed by international borders.

The ISF Threat Horizon report can be used in a variety of ways: stimulating discussion and debate, analysing threats and formulating potential business impacts and responses. It offers a basis for developing a forward-looking cyber resilience strategy, bringing clarity to the complex cybersecurity risks that sit just over the horizon.

Dangers accelerate

THREAT HORIZON 2017

THEME 1: DISRUPTION DIVIDES AND CONQUERS

1.1 Supercharged connectivity overwhelms defences

Reasonably-priced and superfast gigabit connectivity will provide new business opportunities. However, it will also open new avenues for criminals to pursue destructive activity online.

Recommendations

• Conduct robust resilience planning with suppliers.

• Identify and assess risks from embedded devices.

1.2 Crime syndicates take a quantum leap

Criminal organisations will become more sophisticated and migrate many of their activities online. Organisations will struggle to keep pace and the effects will be felt around the globe.

Recommendations

• Prioritise the protection of the highest-value information.

• Evaluate the costs and benefits of cyber insurance.

1.3 Tech rejectionists cause chaos

In response to socio-economic inequality, ‘tech rejectionists’ will instigate widespread social unrest and disrupt local economies. Organisations with supply chains in the affected regions will struggle to cope.

Recommendations

• Conduct threat assessment in regions where the organisation could be targeted.

• Review risk appetite to account for chaos and disruption to critical suppliers.

THEME 2: COMPLEXITY CONCEALS FRAGILITY

2.1 Dependence on critical infrastructure becomes dangerous

Whole societies are dependent on ageing, poorly maintained and highly critical infrastructure. Connectivity failures will force organisations to update their resilience and invest in technology transformation programmes.

Recommendations

• Update business continuity plans and conduct regular simulations.

• Assess the impact of disruption to important infrastructure, such as cloud services.

2.2 Systemic vulnerabilities are weaponised

Malicious actors will weaponise systemic vulnerabilities in software systems of individual technology companies, threatening the integrity of Internet infrastructure.

Recommendations

• Review risk assessment to consider widely used technologies and suppliers.

• Update organisational response plans to systemic vulnerabilities.


Organisations can use the ISF’s Threat Horizon reports to strengthen their resilience and reduce the chances of experiencing reputational, operational or financial damage. Foresight and preparation are essential now to deal with future challenges.

Listed below are the nine threats from this year’s report along with those from 2015 and 2016.

2015

1 The CEO doesn’t get it

2 Organisation can’t get the right people

3 Outsourcing security backfires

4 Insiders fuel corporate activism

5 Hacktivists create fear, uncertainty and doubt

6 Crime as a Service (CaaS) upgrades to v2.0

7 Information leaks all the time

8 BYOC (bring your own cloud) adds unmanaged risk

9 Bring your own device further increases information risk exposure

10 Government and regulators won’t do it for you

2016

1 Nation-state backed espionage goes mainstream

2 A Balkanized Internet complicates business

3 Unintended consequences of state intervention

4 Service providers become a key vulnerability

5 Big data = big problems

6 Mobile apps become the main route for compromise

7 Encryption fails

8 The CEO gets it, now you have to deliver

9 Skills gap becomes a chasm

10 Information security fails to work with new generations

2017

1.1 Supercharged connectivity overwhelms defences

1.2 Crime syndicates take a quantum leap

1.3 Tech rejectionists cause chaos

2.1 Dependence on critical infrastructure becomes dangerous

2.2 Systemic vulnerabilities are weaponised

2.3 Legacy technology crumbles

2.4 Death from disruption to digital services

3.1 Global consolidation endangers competition and security

3.2 Impact of data breaches increases dramatically

[Figure: Threat Horizon 2015 - 2017. Labels shown: Disruption divides and conquers; Complexity conceals fragility; Complacency bites back; Failure to deliver the cyber resilience promise; Confidence in accepted solutions crumbles; No-one left to trust in cyberspace; The role of government must not be misunderstood; The changing pace of technology doesn’t help; Criminals value your reputation; Reputation is the new target for cyber attacks; Cyber risk is challenging to understand and address. Legend: increasing, still a concern, decreasing.]

The themes and threats for 2017 are summarised below, along with some key recommendations arising from the full report.

2.3 Legacy technology crumbles

As digital connectivity grows, legacy technology will be further exposed to attackers. The damage from the resultant incidents will exceed anything that has come before.

Recommendations

• Identify and assess organisational exposure to legacy technology.

• Update system architecture and plan modernisation.

2.4 Death from disruption to digital services

Disruption of digital systems in transport and medical services will lead to verifiable deaths. Public pressure forces organisations to respond.

Recommendations

• Assess the exposure to and liabilities of cyber-physical systems.

• Revise corporate communication and crisis response mechanisms.

THEME 3: COMPLACENCY BITES BACK

3.1 Global consolidation endangers competition and security

As the dominant providers of information services expand their global operations, customers will become more concerned about potential service disruptions and failures.

Recommendations

• Identify and assess risk from dominant providers, where there are few alternatives.

• Explore diversifying the suppliers of critical services.

3.2 Impact of data breaches increases dramatically

Data breaches will grow in frequency and size, increasing the operational impact and recovery costs. In response, governments will introduce additional data protection legislation and regulations.

Recommendations

• Review potential jurisdictional liabilities based on the location and volume of data handled.

• Ensure liabilities for data breaches are clearly stated in supplier contracts.


CONTACT

For more information, please contact:

Steve Durbin, Managing Director

US Tel: +1 (347) 767 6772

UK Tel: +44 (0)20 3289 5884

UK Mobile: +44 (0)7785 953 800

Email: [email protected]

www.securityforum.org

Where next?

Threat Horizon 2017 contains detailed descriptions of nine key threats along with details of potential business impacts, recommended actions and other ISF material which enable you to build your cyber-resilience.

We recommend that ISF Members:

• review the threats in the report, identifying those that are of high priority

• use ISF Live to become familiar with the techniques ISF Members have used to implement Threat Horizon

• consider how the contents of the Threat Horizon can be adapted, if necessary, to work best within their organisational culture, for example to:

- develop a forward-looking cyber resilience strategy

- enable threat analysis and formulation of potential impacts and responses

- brainstorm risk treatments

• use the ISF Threat Radar with senior business managers to help categorise and prioritise threats and actions, particularly when time and budgets are limited

• give careful consideration to the recommendations in this report including IRAM2: The Next Generation of Assessing Information Risk, The Standard of Good Practice for Information Security: 2014, Time to Grow: Using Maturity Models to Create and Protect Value, Supply Chain Assurance Framework: Contracting in Confidence, and Cyber Insurance: Covering the Basics

• work with other organisations to collaborate on cyber security intelligence and strategies.

Threat Horizon 2017 is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report or running the ISF Threat Radar should contact Steve Durbin at [email protected].

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

REFERENCE: ISF 15 02 02 Copyright©2015 Information Security Forum Limited. All rights reserved.