From Ashley Madison to the United States Office of Personnel Management – and many, many others in between – what we now know is targets for cyber criminals and nation-state hacktivists have only broadened in 2015. But, in 2016, will the good guys make any progress toward stopping the bad? Or, can we expect another year of more inventive and damaging attacks?
It wasn’t all that long ago, if you ran a bank, you had a vault for major asset protection. If you owned a convenience store, you locked the doors. Today however, everyone has such valuable digital-based assets available to cyber criminals that no one should believe they are immune from looming threats. And, despite rapid changes across the security landscape, many of these problems in the New Year will remain constant.
While predictions are everywhere, anticipating the next wave of threats can be an insightful way in looking at what’s to come. Below are a few we will be watching for in 2016:
Destructive attacks worsen in size and scope
A more diverse group of cyber criminals is displaying a greater variety of motives and desired destructive outcomes as they go after both traditional (financial services, retail, government) and non-traditional (power plants, consumer sites & applications) victims. An example of this is the recent arrest of hackers in the JPMorgan Chase attack, where the hack was not the endgame but rather a means to a larger end. This trend will continue in 2016, during which time these adversaries will change their tactics and techniques on a daily basis as their sophistication levels rise substantially.
Think about Sony where the attacks were focused on getting the business to change its ways, versus seeking money or goods. These attackers will aim at a much broader target set in 2016. Businesses and government entities that have never seen themselves in the crosshairs, will move into scope for these diversifying attackers. No one should go unprotected. Unfortunately, no measure will one-hundred percent prevent adversaries from getting on the network, but those that work on firming up their security practices will be in a much stronger position to mitigate attacks and reduce the aftermath.
Social engineering gets personal
Social engineering is certainly nothing new, yet it remains one of the greatest threats organizations encounter, and will increase in scope and severity in 2016. As hackers find new, more sophisticated ways to target human vulnerabilities, convincing people to give up strictly confidential information, the ultimate risk will increase for us all. In the coming year, we should expect to see an exponential increase in creative methods for social engineering ‘at scale.’
Much like the CEO/CFO spoof earlier this year where a fake email exchange was created between the CEO and CFO of a company, then sent to a person inside the organization who had access to wiring corporate funds, bad actors will be developing even more targeted tactics to access critical data through very personal approaches. They will pick one company, then one unsuspecting individual within that company to prey on. Using information on that person, gleaned through the sites they’ve visited or data the hacker has purchased, the bad actors will convince the good ones to unknowingly betray themselves, and ultimately the organizations for which they work.
Fortunately, a little attention to detail and ongoing vigilance can go a long way. While employees can create serious vulnerabilities for an organization, with some coaching and follow-through, they can also be one of the best defenses against social engineering attacks. Much like the CDC never gives up on creating vaccines for new strains of the flu, companies shouldn’t give up on educating their employees and making them the strongest link in the security chain.
Public/private partnerships strengthen, too late
Cyber attacks have become a dire threat to privacy, national security and the global economy. Many people believe the best way to slow the impact may be a public-private partnership between government and business. Yet, while plenty of promising discussions have taken place and progress toward this goal has been made, legislative and diplomatic frameworks will be too little too late in 2016. Privacy and cyber security are not mutually exclusive, but balancing the two interests requires a great deal of cooperation and the some serious compromise.
In the end, no matter how much cooperation takes place, cyber crime moves too fast for our current legislative framework. The goal of fostering trust and sharing between the two sectors should remain, as there is no doubt they can help each other in the long run. But, the reality of a world where the public and private sectors truly partner to resolve cyber threats is still years away.
While none of us have a crystal ball, one isn’t needed to predict high-profile security breaches will continue to make the news in 2016. If they haven’t already, organizations of all shapes and sizes should replace the “if we get hacked” mindset with a “when we get hacked” one – no one is immune. Budget dollars for 2016 should be put aside for cyber security investments and employee security training programs should be considered.
The good news is that those investments will start paying off in the not too distant future. Despite the fact that hackers will remain victorious in 2016, we will begin to experience some relief in 2017, and can expect the cyber tides to turn in favor of the good guys in three years’ time.