Expect to see more cyber attacks and more national standards emerge in 2014, KPMG’s information protection global lead Malcolm Marshall tells StrategicRISK.
KPMG’s information protection and business resilience UK and global lead Malcolm Marshall highlights cyber trends to emerge in 2014
Cyber risk is a major concern for businesses at the moment. How do you think cyber security will develop over the next 12 months?
As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge and greater pressure for voluntary compliance. The US National Institute of Standards and Technology’s cyber security framework and the UK government’s cyber security ‘kitemark’ are just two examples.
On the back of emerging standards we will see the cyber insurance market develop and begin to provide market incentives for compliance, whether that is a willingness to insure or reduce premiums. Non-compliance with standards will also lead to a legal debate over liability for incidents, testing the boundary between sensible and pragmatic risk management and negligence in implementing cyber security controls.
Is cyber crime likely to increase over the next 12 months?
Mobility is a cause for an increase in e-crime over the next 12 months. Organised crime will always follow the money with a growing range of malicious apps targeting online transactions, sophisticated spyware and attack techniques which exploit the link between the user’s mobile phone and their home computer. We can also expect more targeted attacks as criminals tailor their email campaigns and carefully choose their watering holes to lure in unsuspecting users. Social media offers a window into our lives, but not just for our friends and colleagues.
What impact do you think the Snowden revelations will have on the way companies use the internet?
Snowden’s revelations have triggered a privacy debate which will continue to rage in 2014. Expect more disclosures, more calls for greater transparency over government actions, and more efforts by the Internet giants to persuade customers that their data is secure.
The Internet contributes more than 8% of the UK’s GDP, and this figure is predicted to grow to 12% by 2016. Global commerce demands a safe and secure network environment. Nations will be tempted to implement further legal and regulatory controls over the internet, but if we are not careful this will drive a balkanisation of the internet which will obstruct commerce.
Businesses are beginning to offer ‘cyber intelligence solutions’. Is this likely to grow?
The number of firms offering cyber intelligence and claiming to mine the dark corners of the internet for information on threats and vulnerabilities will grow, as we see more and more commercialisation of intelligence collection and analysis, blurring the boundary between state and commerce.
Security companies will begin to put more of the Advanced Persistent Threat jigsaw together – a euphemism for state sponsored cyber espionage. The picture on the box is likely to be one of extensive theft of intellectual property on a scale which erodes corporate and national competitive advantage.
Key financial institutions will automate the exchange of intelligence in real time, with other critical national infrastructure sectors on their coat tails. But vital questions remain – how useful is data in really understanding the threat landscape, and how can firms really harness it to make decisions on their security stance and the level of risk they are prepared to carry?
What would be your message to businesses and individuals regarding the internet and ever increasing cyber risks?
Do we really understand our dependency on the Internet? [Distributed] Denial of service [DDOS] attacks have been on the rise since 2012, growing in scale and sophistication. Network engineers do an amazing job of keeping the internet running, but many of the protocols at its heart remain insecure. Attacks on directory and routing services have grown in 2013, and we have seen denial of service attacks against banks and media sites often linked to international tensions elsewhere in the world. A major outage of a country’s internet service may be on the cards, but if not, we can expect numerous disruptive DDOS attacks against individual firms sometimes with extortion in mind.