There is lots of potential in many directions for cyber-security, threat intelligence and risk management in 2016 and I am sure there will be some startling stories. But the one thing I know for sure is that there will by hyper-growth in online extortion, hacktivism and mobile malware and a pivot for government agencies and corporations towards a much more offensive strategy for dealing with cyber security threats.
I think that both governments and enterprises of all sizes are beginning to recognise the benefits of cyber security foresight and acceptance that there will be cyber attacks – and that it is likely they will be hacked. We see changes in legislation coming down the line and increasing hiring activity around skilled cyber security analysts and officers within enterprises.
Enterprises are now evaluating their risk as it relates to their assets and their position in their supply chain to assess their vulnerabilities and respond with plans to protect and defend accordingly. Individual users are becoming much more aware of online threats and through training and education, are upping their game translating this heightened visibility into increasingly prudent preventative action. Malvertising is being forced to morph into more sinister approaches due to an almost 50% increase in the use of ad-blocking software in 2015.
This is good and bad, as the new approaches will have figured out a way around the software and will create new and innovative attack vectors that most users won’t see coming. Hackers are really good at evolving to adapt to new environments and for every defensive measure, there must be 50 ways to work around it.
An increase in the sophistication of psychological and analytical techniques and social engineering innovation will create a large bubble in the online extortion business driving hackers to expose even more incriminating information about their victims. Hopefully, the Ashley Madison breach will act as a lesson-learned deterrent, or at least a cautionary tale to help potential victims think twice before posting such potentially incriminating information.
If there is no basis for extortion, then it will be hard to extort.
So here are some of the things I believe we can expect to see during 2016:
• Evolving cyber criminals will develop new techniques and attack vectors to personalize hacks, potentially making 2016 the year of online extortion (unless we stop posting hyper-personal data in inappropriate spots).
• Mobile malware will surge along with the sales of smartphones and new online payment systems (these will create a target rich environment that will be impossible for cyber criminals to resist as these payment systems are particularly vulnerable to attack).
• There will be a significant increase in government regulations designed to increase protection, detection, arrest and prosecution of cyber criminals, but result instead in increased cost and difficulty related to compliance for all businesses.
• Significant fines and punishment for failure to comply with existing regulations affecting retail, consumer, healthcare, hospitality, finance and manufacturing industries.
• In spite of increased intention, most companies will not be able to staff cyber security experts in 2016, as the current unemployment rate for analysts is less than zero.
• There will be a reduction in malvertising but an increase in socially engineered intrusion and the resulting compromise and capture of administrative credentials will lead to an increase in successful breaches.
Now is the time to take decisive action to get ahead of all this by installing layered-defence technologies, training in identifying and detecting cyber attacks, moving to immediate compliance with all regulations affecting our and our customer’s industry sector, and developing an internal cyber defence capability as well as partnering with external specialist firms to provide it.
What you don’t want is your emails exposed, your internal documents made public, your assets compromised, your position in your supply chain used as a tool to breach a client company or your name in the paper.
If our assets aren’t more valuable than the investment required to get secure, our customers and reputational impact surely are. Let’s get moving.