As we look ahead to 2018, some are predicting new and novel cyberthreats, such as ransomware attacking people through Internet of Things (IoT)-enabled home appliances. While such dystopian visions may indeed come to pass, what’s clear to us is that end-user risk will continue to play a critical role in an organization’s cybersecurity.
IDG Connect’s recent poll of 72 security professionals supports this train of thought as well. When asked what they saw as the single greatest security threat of 2018, the largest group of responses pointed to the risky behaviors exhibited by employees. The second largest group focused on ransomware — a threat typically associated with dangerous end-user behavior, such as clicking on spoofed links.
According to one respondent, “Whether they are the negligent executives that fail to implement proper cybersecurity policies, unwitting insiders that fall victim to phishing emails, or naïve employees that fail to appropriately patch and update their computers, people remain the soft underbelly that malicious actors will exploit to compromise an organization.”
Below, we highlight five cybersecurity predictions our staff anticipates for 2018. These forecasts underscore the ongoing danger of successful phishing attacks and the role security awareness training plays in preventing them.
#1: Attackers will continue to be creatures of opportunity.
We believe the primary targets for cybercrime will be financial services, retail, and healthcare — in part because previous attacks have been so successful — but all companies that rely on internet connectivity to conduct business should expect increasing cyber risk in 2018.
Wombat Security Advisor Alan Levine cites three reasons for this increased risk:
- First, “attackers are more advanced, and their attacks are generally successful, and so they will persist,” Levine says.
- Second, “the greater reliance on IoT will present new vectors for attack. Managing vulnerabilities in this space will be even more difficult than managing vulnerabilities inside a typical enterprise datacenter operation.”
- Finally, he notes, “major enterprises continue to lack the foresight, diligence, and focus to defend against cyberattacks of all kinds.”
The last point has also been raised by Laurance Dine, managing principal of investigative response at Verizon. “The biggest security threat that will hit businesses will continue to be attitudes in relation to cybercrime — the ‘it will never happen to me view,’” Dine told IDG Connect. He went on to say that the same tactics will keep succeeding “until people learn from the cyberattacks that are taking place across their industries and start to educate employees and change their behavior.”
#2: Phishing attacks will remain the most common and dangerous cyberattack method.
“While smishing will become a more successful and prominent vector for cyberattacks, the very prevalent and dangerous email phish — which comes in many forms — will persist as the most common vector for cyberattacks,” says Levine. “We will see more ransomware attacks, more identity theft, more large — and even multinational — data breaches, and all of these will begin with a simple phish.”
Phishing is certainly nothing new, but the sophistication of phishing attacks is likely to increase in 2018. McAfee Labs predicts that phishing attackers will increase their use of machine learning in an “arms race” against defenders, according to its 2018 Threats Predictions Report. “Machine learning could help improve their social engineering — making phishing attacks more difficult to recognize — by harvesting and synthesizing more data than a human can,” according to the report.
#3: Spear phishing attacks will pose an increasingly pervasive threat.
As noted in our State of the Phish™ Report, 61% of infosec professionals reported experiencing spear phishing attacks, in which criminals gather information on key individuals in an organization to create a personalized and convincing phishing email. This year has seen a number of high-profile attacks hit the press, from Amber Rudd (the UK’s Home Secretary) to Tom Bossert (Homeland Security Advisor in the US). Amy Baker, Wombat’s VP of Marketing, expects these attacks to be increasingly pervasive in 2018.
“The ideal strategy against these threats, because technology often doesn’t catch spear phishing attacks, is a proactive, comprehensive training program,” says Baker. “We recommend knowledge assessments, simulated attacks, and interactive training supported by an integrated solution where technology is able to detect risky behavior and automatically deliver relevant ‘just-in-time’ training.”
It’s hard to overstate the importance of security awareness training in reducing the risk of social engineering and successful spear phishing attacks. One survey respondent told IDG Connect, “As phishing attacks become more sophisticated and socially engineered attacks continue to rise, the real target isn’t infrastructure — it’s the user.”
#4: The GDPR and NIS Directive will increase challenges for global organizations in terms of educating their entire workforce.
With the NIS Directive and the General Data Protection Regulation (GDPR) coming into play early next year, end-user security training will play a considerable role in ensuring compliance. “Some companies, likely US-based but with European customers or suppliers, will fail their mission to comply with GDPR in particular, and the results will be very public and very expensive,” says Levine. When this happens, he says, “there will be shockwaves and, hopefully, global enterprises will then revise their cyber missions to dedicate themselves to improved cyber defense.” Quality, targeted end-user security awareness and training will be essential in this regard.
#5: Money won’t be the only motivation for attackers.
Not all cyberattackers are motivated by money, and their purposes will continue to diversify in 2018. “We think about the impact of identity theft as a primary purpose, because identities have financial significance,” says Levine. “But we rarely think as well about the potential for attacks directly against data integrity,” he says. “I believe that new purpose is on the horizon, and the results might be devastating — a complete breach of confidence may result, and then we will all need to rethink how and why we connect to the internet and compute.”
On a similar note, the aforementioned McAfee report predicts an increase in ransomware attacks intended to cause “outright system sabotage, disruption, and damage,” rather than traditional ransomware extortion. “Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals,” the report stated.