Security Regs Could Create 'Cyber Havens'

A new report on network security threats says that if some countries adopt tougher security and user privacy regulations, companies may look for cloud service providers in countries where services are cheaper but security is lax. The Information Security Forum (ISF) calls these countries "cyber havens." The ISF also warns that regulations that impose more disclosure of security weaknesses in the name of transparency may have the unintended effect of inviting cyberattacks on the organizations that disclose them.

April 4, 2012



The warnings are contained in the ISF’s report "Threat Horizon 2014: Managing Risks When Threats Collide," which also studied the growing sophistication of global cybercriminal enterprises, as well as the risk of new technology being used on corporate networks without the proper security vetting, such as with the bring-your-own-device (BYOD) phenomenon.

Some regulations are coming that will require organizations to disclose potential weaknesses in their networks so customers will be warned. But that may only invite the very attacks everyone wants to prevent--like advertising which door to the office has the broken lock.

"Organizations being forced to report security risks may also have as much to fear from their customers or business partners in terms of leaving them" as from cybercriminals, says Steve Durbin, global VP of the ISF, a not-for-profit organization that shares network security best practices.

The European Union (EU) has announced changes that require such disclosure and would affect non-EU businesses, Durbin says. Two new privacy bills were introduced in the U.S. Senate in 2011 that could follow the EU example. And already India has passed legislation that requires organizations processing personal data to obtain written consent from customers.

Also, as governments enact tougher customer privacy requirements, forcing organizations to invest more in network security, there could be a rush to the bottom elsewhere by companies offering cloud services at a lower cost, but in countries with weaker security regulation, Durbin says. "I can imagine a situation where a cloud provider decides they’re going to set up shop in a cyber haven. They’re offering a service at a much reduced rate [compared] with someone who’s operating in a much more regulated environment," he says.

Small to midsize businesses looking to save money could be lured by a lower-cost service provider, perhaps not knowing the risk they may be taking. Durbin warns companies to be sure to ask the right questions of their prospective cloud provider. There’s also the risk that they may be a United States or an EU-based company that is unknowingly doing business with a provider that operates in a cyber haven.

"You could be moving into a bit of a minefield, and bear in mind that a lot of these cloud services are not bought by information security professionals; they are bought by business people on credit cards," he says.

To be sure, the information security industry continues to innovate to make networks safer, including those of cloud service providers. Data center services provider Equinix and infrastructure-as-a-service provider Tier 3 recently announced a partnership to run a private cloud computing environment on a public cloud service, allaying the security concerns of customers about operating in a multitenant environment.
