We've all heard the old classic, "The 12 Days of Christmas." While we all enjoy a good song about a partridge in a pear tree, Trend Micro has updated this seasonal standby, counting down the top threats to be aware of heading into 2018, from least to most pressing. Let's look at the vulnerabilities and potential points of attack to take into account for next year's priorities:
This year saw the rise of some increasingly dangerous ransomware samples, including NotPetya and WannaCry. The latter in particular garnered 300,000 infections for hackers, resulting in losses topping $4 billion. Ransomware will continue to be an especially impactful threat next year which should be built into security planning and employee education and awareness.
2. Business Email Compromise
BEC attacks currently represent one of the most pressing threats for enterprises, with employees from across the business being targeted with sophisticated, legitimate-looking emails. The FBI reported that BEC scams have cost companies $5.3 billion so far. What's more, losses will only increase as BEC schemes continue to be leveraged by attackers.
3. Threats to the supply chain
An attack on the supply chain could halt business, and not only for one organization, but for every company connected to that supply chain. Olavsrud reported that in the past, attacks have caused groups to be locked out of supply chain systems and lose manufacturing capabilities due to an attack on this area of the business.
Enterprises will have to be particularly vigilant when it comes to bridging gaps in supply chain security in order to maintain beneficial relationships with suppliers, partners and customers.
The ISF found that 2017 experienced a considerable increase in cybercrime due to Crime-as-a-Service, and that this trend will continue in the months to come.
"In 2018, CaaS will allow 'aspirant cybercriminals' without much technical knowledge to buy tools and services that allow them to conduct attacks they would otherwise not be able to undertake," CIO senior writer Thor Olavsrud wrote.
5. Lack of employee awareness and training
Between sophisticated phishing and social engineering techniques, employees still represent a weak link in enterprise security. Without the proper training and awareness, this gap can become increasingly large, creating gaping holes through which hackers can exploit and breach the company.
It's imperative that employees are educated about the most recent threats, as well as the responsibilities as part of the company's security posture.
6. Old vulnerabilities
Trend Micro's 2017 Midyear Security Roundup highlighted older vulnerabilities that continue to trip up enterprise security efforts, and it isn't difficult to see why these vulnerabilities remain a concern. Although new threats will undoubtedly emerge, weaknesses and attack strategies that hackers have been using for months – if not years – are still proving successful for attackers.
Much of this has to do the fact that some organizations are not putting security patches in place with urgency. This leaves considerable holes open for cyber attackers to leverage. However, as Trend Micro's report points out, limitations including the use of legacy hardware shouldn't stop enterprises from securing their infrastructures.
"Vulnerability shielding and virtual patching can help protect enterprises from both old and new threats – for both old and new systems," the report stated.
7. Sophistication of new threats
"The first half of 2017 saw the emergence of 382 new vulnerabilities."
In addition to the use of older, previously identified vulnerabilities, hackers have also been apt at spotting weaknesses before security researchers and software vendors. The first half of 2017 saw the emergence of 382 new vulnerabilities impacting top-used platforms from Microsoft, Apple and Google, according to Zero Day Initiative researches.
8. Ensuring alignment with regulatory rules
Emerging regulatory rules will also impact security efforts as enterprises work to ensure that their systems and strategies provide protection, and also come in step with industry standards. As CIO noted, the European Union General Data Protection Regulation, or GDPR, will be a pressing priority next year.
"It isn't just about compliance," noted Information Security Forum managing director Steve Durbin. "It's about making sure you have the ability across your enterprise and supply chain at any point in time to be able to point to personal data and understand how it's being managed and protected."
9. Connected devices and the IoT
As the capabilities of technology increase and disruptive systems are deployed in new industries, they will become prime targets for hacking and malicious activity. Trend Micro noted this pattern within connected devices being utilized within smart factories in industrial and manufacturing settings. By next year, more than one million connected, robotic devices will be utilized in this capacity, and it's imperative that any organization – within industrial environments and beyond – using connected devices ensure that these are properly protected.
10. Exploit kits
The InfoSec Institute noted that law enforcement has made sweeping efforts to take down the malicious organizations behind several key exploit kits. However, this doesn't mean that this threat can be discounted. In fact, attackers will continue to create and sell kits that enable even the most novice cybercriminal to breach sensitive data.
11. Mobile threats
Unsurprisingly, the mobile platform will continue to be a top attack vector for hackers next year. As enterprises continue to enable employees to use their mobile devices for enterprise pursuits, it's imperative that security is in place to prevent unauthorized access and ensure sensitive data remains secure.
12. Keeping up with executive board expectations
The Information Security Forum also identified misalignment between board expectations and IT security functions as a leading threat heading into 2018. When executives expect more than the IT team and the company's security solutions are able to deliver, it can create considerable risk and potentially result in a damaging breach event if this mismatch isn't addressed.
Experts suggest that security leaders continually engage with the executive board to ensure that everyone is on the same page, and that expectations don't outpace current capabilities.
Our list may not have quite the jingle of the Christmas carol favorite, but keeping these threats in mind can help IT and business leaders position their company for protection and success heading into 2018.