A new report on network security threats says that if some countries adopt tougher security and user privacy regulations, companies may look for cloud service providers in countries where it is cheaper but with lax security. It’s what the Information Security Forum (ISF) calls "cyber havens." The ISF also warns that regulations that impose more disclosure of security weaknesses in the name of transparency may have the unintended effect of inviting cyberattacks on them.
The warnings are contained in the ISF’s report "Threat Horizon 2014: Managing Risks When Threats Collide," which also studied the growing sophistication of global cybercriminal enterprises, as well as the risk of new technology being used on corporate networks without the proper security vetting, such as with the bring-your-own-device (BYOD) phenomenon.
Some regulations are coming that will require organizations to disclose potential weaknesses in their networks so customers will be warned. But that may only invite the very attacks everyone wants to prevent--like advertising which door to the office has the broken lock.
"Organizations being forced to report security risks may also have as much to fear from their customers or business partners in terms of leaving them" as from cybercriminals, says Steve Durbin, global VP of the ISF, a not-for-profit organization that shares network security best practices.
The European Union (EU) has announced changes that require such disclosure and would affect non-EU businesses, Durbin says. Two new privacy bills were introduced in the U.S. Senate in 2011 that could follow the EU example. And already India has passed legislation that requires organizations processing personal data to obtain written consent from customers.
Also, as governments enact tougher customer privacy requirements, forcing organizations to invest more in network security, there could be a rush to the bottom elsewhere by companies offering cloud services at a lower cost, but in countries with weaker security regulation, Durbin says.
