Think Information. Think Security.
The class of targeted attacks known as APTs (advanced persistent threats) is no longer reserved for Fortune 500 companies. As predicted by leading network security experts, APTs have started to infiltrate small- and medium-sized businesses (SMBs) at an alarming rate. And they are proving to be just as devastating, regardless of the size of the organization or the motive for the attack.

Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended-threat malware. But now, we’re starting to see smarter, everyday malware criminals speed up the evolution of APTs and make small and mid-sized organizations even bigger targets. According to Jeremy Grant, senior executive advisor for the U.S. Department of Commerce’s National Strategy for Trusted Identities in Cyberspace program, speaking to Wired, hackers are going after small businesses because they typically have more money and information than individuals and are less protected than large corporations.

Security risks continue to affect large and small businesses intentionally and unintentionally. And the increased use of removable media, mobile devices, remote working and social media means opportunities for security breaches are plentiful. Increased reliance on third-party suppliers supporting business activities also opens companies up to wider exposure beyond corporate boundaries.

Given the number and seriousness of information security breaches, you would expect people to have developed a better awareness and common set of practices to protect sensitive data and the numerous devices this data is now stored on or accessible from.

A company’s own employees are a much bigger threat to IT security than hackers, a new survey shows. Here are the top ways users threaten security – and why IT departments fail to stop them. IT departments are typically much more concerned about the security threats posed by user negligence than they are about being attacked by outsiders, according to a recent survey conducted by Irish magazine ComputerScope and IT distributor Data Solutions.

Among the 278 IT pros surveyed, 80% said they are concerned about the impact of careless employees on IT security. In comparison, just 15% are concerned about attacks from external hackers.

What's in store for security in 2013?

On the information security front, 2012 was notable in numerous ways: for Muslim hacktivists launching distributed denial-of-service (DDoS) attacks against U.S. banks, the FBI busting alleged LulzSec and Anonymous leaders, eccentric antivirus founder John McAfee's flight from justice, the apparent data security missteps of the former director of the CIA, as well as a nonstop stream of website hacks, defacements, and data breaches.

Expect more of the same for 2013, and then some. Here are some of the top information security trends -- and vulnerability warnings -- that experts are calling out for the upcoming year:

Things already sounded fishy in Steubenville, Ohio, where the alleged gang rape and kidnapping of an unconscious 16-year-old by two of the town's high-school football players has turned into a complex web of accusation, shock, and, well, Instagram photos. But conflicting reports over an already emotional case became that much more complex today when a WikiLeaks-style site dumped new information about team boosters, the town sheriff, and the alleged "Rape Crew" online — information rounded up, of course, by the anonymous hacking collective known as Anonymous.

The case rose to national prominence last month when The New York Times ran a lengthy report from Steubenville on the August incident and its intersection of football, the law, and social media.

While hacking is often seen as an outlet for criminality, terrorism and protest in equal measures, perhaps 2012 saw teenage angst join the list of reasons to scan for network exploits and vulnerabilities. Just ask the 15-year-old Austrian boy who broke down in front of police this April when asked why he’d hacked into 259 company websites in the space of 90 days earlier this year.

His efforts – which saw him stealing masses of company data from businesses around the globe – were an attempt to impress friends in an online hacking forum. To be fair, the fact that Europol was investigating his activities before he was even legally allowed to have a drink should earn him a reasonable amount of respect among his peers.

Security experts have long subscribed to the idea that good security comes from “Defense in Depth”. This principle describes ways in which layers of protection or security controls are placed on top of each other to provide different levels of protection for sensitive information. Unfortunately, most experts would agree that the weakest link in the information security chain is ‘people’. One of the vectors for attacking this ‘human layer’ of security is Social Engineering.

Social Engineering is defined as “any act that influences a person to take an action that may or may not be against their best interest” (source: “The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules”, CRC Press, 2012). We see Social Engineering in multiple areas of our daily lives, such as advertisements, marketing, parenting, teaching, mentoring, etc. In most cases, attempting to influence behavior in a positive way is a good thing; however, when this influence is exerted in a negative manner or with malicious intent, it can lead to a compromise or other devastating consequences.

IT and information security is a business enabler, said Peter Wenham, a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management. However, this does not seem to be a generally held view. Why would this be so?

For Peter, the information security professional in a company is not getting this message across to those that matter, partly because those individuals are not seen as professionals in the way accountants or lawyers are; and partly because those in the infosec role are not able to effectively communicate with the board and senior management. This line of thinking leads to infosec being treated as a secondary issue and not staffed as a full-time function or even defined as a unique role. It would help a great deal if infosec were covered in management training in the first place.

Information security has never been so important, with cybercrime, industrial espionage and denial of service attacks, not to mention employees losing laptops containing customer details and intellectual property. However, there is an in-built tension between the corporation and its employees.

IT managers should always be careful to ensure that the technology they provide to their users is efficient, effective, robust and secure. These are all important attributes that take time to evaluate, implement and test. As a result, the evolution of corporate computing and mobility has necessarily been slow.

The problem is that computers and mobile devices have evolved more rapidly, increasing in functionality and ease-of-use, and coming down in cost. Workers bought them for their own use, realised how much more productive they were than the office devices and demanded to use them for work.

It’s been fashionable in military circles to talk about cyberspace as a “fifth domain” for warfare, along with land, space, air and sea. But there’s a sixth and arguably more important warfighting domain emerging: the human brain.

This new battlespace is not just about influencing hearts and minds with people seeking information. It’s about involuntarily penetrating, shaping, and coercing the mind in the ultimate realization of Clausewitz’s definition of war: compelling an adversary to submit to one’s will. And the most powerful tool in this war is brain-computer interface (BCI) technologies, which connect the human brain to devices.

Outside the body, recent experiments have proven that the brain can control and maneuver quadcopter drones and metal exoskeletons. How long before we harness the power of mind-controlled weaponized drones – or use BCIs to enhance the power, efficiency, and sheer lethality of our soldiers?