Like any other year, 2015 had its mix of ups and downs in the world of security. A fine line exists between the threats that we face and the solutions we have at our disposal; any slip-up on the part of defenders can make an existing problem that much worse.
The coming year will not be any different. In 2016, cyber extortionists will devise new ways to target its victim’s psyche to make each attack “personal”—either for an end user or an enterprise. Threats will evolve to rely more on mastering the psychology behind each scheme than mastering the technical aspects of the operation. Reputation is everything, and threats that can ruin an individual’s or a business’ reputation will prove to be effective and—more importantly—lucrative. Security vendors will need to work together with law enforcement and would-be victims to help combat these evolving threats.
Online extortion will continue to grow in 2016.
Extortion in one form or another has been a key part of cybercriminal activity for many years. For consumers, it has taken many forms, ranging from fake antivirus, to police Trojans, up to today’s crypto-ransomware. Fundamentally, the threat remains the same: we have your data, we are denying access to it, give us money or else.
These criminal syndicates are quite profitable. Estimates point towards “earnings” that are in the millions of dollars. This is essentially a “risk-free” activity for many cybercrime groups which results in a considerable amount of profit, and it shouldn’t be a surprise that this has turned into one of the biggest threats facing ordinary users today.
Moving forward, we can expect more threats that attempt to extort money from users. More than just data, other things that users find valuable and are online could become targets as well. Consider what happened to some of the users of Ashley Madison, who faced threats over their (alleged) membership in the dating site. Similar attacks on the reputations of users may happen in the near future.
Enterprises and other large organizations will face their own reputation risks due to data breaches.
There are few things more damaging to an organization than a major data breach that exposes their innermost secrets. Companies like Sony and the Hacking Team learned this, much to their regret.
Hacktivists respond to incentives as well as anyone else. Instead of merely defacing websites and/or carrying out denial-of-service (DoS) attacks, hacktivists with more capabilities might well try to steal a company’s most valued secrets and leak these to the public.
This constitutes a new kind of threat as far as data breaches are concerned. Traditionally these are either for-profit attacks by cybercriminals or information theft carried out by nation states. Attacks by hacktivists may well differ from these previous threats and need to be treated accordingly.
Despite the risks of data breaches, organizations will fail to adopt policies to help protect themselves, such as creating Data Protection Officers.
As one can see, protecting an organization’s data is becoming a more and more complex task. New regulations imposed by governments such as the EU Data Protection directive only makes this task harder: aside from the “normal” risks associated with threat actors, mandates imposed by regulators must also be considered in planning an organization’s security posture.
Ideally an organization would have an executive specifically in charge of handling these issues; one could call the job that of a Data Protection Officer (DPO). The role calls for expertise not just in technical risks to an organization’s data, but for how to handle the legal requirements that are now being imposed as well.
Many organizations remain blissfully unaware of their responsibilities to protect their data and those of their users. Even more companies may be aware, but have no plans to review their existing policies to deal with new regulations.
Attacks on consumer-grade smart devices will prove fatal – directly or otherwise
More and more devices and items are being connected to the Internet, with shipments expected to grow at 67% annually for the next five years. As these devices a greater part of the daily lives of users, their security shortcomings become more apparent and problematic. Vulnerabilities are already known to exist in devices ranging from baby monitors, to cars, to gasoline pumps.
These devices are very slowly patched – if at all. As a result, known vulnerabilities are in the wild for longer periods than they would be in, say, PCs, where software vendors regularly release patches. This toxic combination of day-to-day importance and lack of security may cause injuries – or worse, fatalities – to users due to the failure of smart devices.
More details about these predictions can be found at The Fine Line: 2016 Trend Micro Security Predictions.