With the end of 2016 fast approaching, it’s certainly not too soon to think about what the cybersecurity threat landscape will look like in 2017. Our experts shared their thoughts about the current risks that will continue to plague infosec teams next year, and they offer predictions about how threats may morph in the coming months.
Joe Ferrara, CEO, on Ransomware and BEC
In the last 12 months, the escalation of ransomware and business email compromise (BEC) has been significant. It's hitting the midmarket a lot more frequently, and it's an extremely productive effort for hackers. With continually evolving methods and strategies, hackers are able to leverage ransomware in their favor.
In 2017, the industry will see this ongoing flurry of ransomware attacks and damages increase, and more demand will be generated for solutions that address more than just the technology infrastructure of a company. The human defense factor is powerful, and I believe we will see these threats driving interest in security awareness and training from enterprises next year.
Trevor Hawthorn, CTO, on Healthcare and a Generational Shift
On Healthcare Security
Healthcare is still incredibly susceptible to the accelerated phishing activity we see moving into 2017. The industry continues to have resource constraints that make it difficult to prioritize security — particularly if the belief is that focusing on cybersecurity would come at the expense of patient care or pressing administrative tasks. And as is the case in other industries, shortages of infosec funding and cybersecurity talent, leave healthcare organizations struggling to identify the areas most deserving of a first response.
Consolidation within healthcare has also resulted in a degree of organizational chaos. There are time, schedule, and other systemic challenges that make these environments difficult to secure — but throwing in the towel only leads to greater susceptibility…and greater liability and risk.
We feel that in 2017, cybersecurity and healthcare professionals need to collaborate on a long-term plan to address vulnerable infrastructures. We encourage a blend of technical safeguards and staff training, and we feel that this type of merger will help to calm any organizational chaos they may be faced with.
On the Next Generation
Generationally, we see a gap on the awareness side almost as much as on the talent or skills side. When the internet became prominently used in the 1990s, security was not a top concern. So little was known about the threat landscape and its potential impact on individuals, and formalized attacks on organizations seemed like something that would never involve or impact end users.
Those early users are still in the workforce and operating online with devices every day, and there is still a lack of understanding of how personal behaviors can impact organizational security. But millennials — who have been raised on connectivity — also exhibit extremely risky behaviors. Technology is such an extension of “self” that there is tendency to trust and explore almost everything. Though the disconnects have different root causes, they are equally damaging to these individuals, the companies they work for, and their networks.
We believe 2017 will see a greater focus on smart skepticism and a more emphasis on cyber hygiene. We also expect to see cybersecurity become a more consistent part of educational programs for students of all ages, even down to elementary schools. The generation still in grade school today is being given the tools and resources to better protect their personal information and devices, which is a major step forward in widespread security awareness.
Our unique approach to security awareness training can help you address cybersecurity threats in 2017 and beyond.
Amy Baker, VP of Marketing, on Mobile Device Security and Partner Relationships
On Mobile as a Breach Source
We expect phishing and spear phishing to continue to be huge issue in 2017, carrying on the “another day, another email leak” trend we’ve seen in 2016. (Retrospectively, 2015 didn’t see nearly as many phishing attacks, and the rise in volume will only be exacerbated by the fact that organizations are still lagging behind on delivering effective security awareness training to end users.)
That said, we think 2017 could be ripe for a highly publicized breach with a mobile device as the initiation point. The security industry has wondered for years when this will occur; though it hasn’t happened yet, it is a very real possibility that should be treated as an ongoing significant threat vector. Given that the number of connected devices continues to skyrocket, next year we expect to see a larger focus — by enterprises and end users alike — on keeping mobile devices secure. This could prove particularly critical in a landscape where mobile phone encryption may be weakened, pending decisions made at the federal level.
On Partner and Supplier Relationships
Brands and vendors are looking at the security prowess of their partners and suppliers with a sharper lens in 2016, and we expect that to continue in 2017. With the understanding that securing their own infrastructures and employees is of top importance, organizations are beginning to scrutinize external entities that may negatively affect the secure environments they've invested in thus far. Enterprises are requiring that their partners invest in specific security approaches, such as security awareness and training, for them to become partners.
Kurt Wescoe, Chief Architect, on Protecting Privacy and the IoT Threat
On Privacy and Multi-Factor Authentication
The data privacy conversation for the average consumer must change in 2017, particularly as new government officials are faced with the debate of end-user privacy vs. potential national security issues. What needs to be understood is that context determines the impact a breach of privacy has on an end user or organization. The lack of control on that context when hacked is the negative end result that pro-privacy advocates will need to shed light on to end users and constituents influencing governmental and societal initiatives.
On a tangential note, we expect to see multi-factor authentication change pretty dramatically over the next 12 to 24 months. Authentication is likely to become more biometric in nature in the not-too-distant future, but as those technologies are perfected, organizations will begin to move away from mobile options in favor of dedicated devices. Though mobile devices helped to speed adoption and lower implementation costs (two benefits to tapping into existing technology), we don't expect mobile two-factor and multi-factor authentication to exist in their current forms by the end of 2017.
Overall, the trend we expect to see is security taking a higher priority over convenience to help combat compromised accounts, with authentication evolving into processes much more complex and acute.
On IoT Security
The Internet of Things (IoT) has already posed a unique threat to the security landscape, and it’s one that isn’t immediately visible to a consumer's untrained eye. Easy procurement of cheap IoT devices or WiFi-enabled products introduces a serious level of risk that most are unaware of.
In 2017, we'll need to answer to a lot of the mistakes that have been made in the name of faster go-to-market strategies and lower costs of goods. It’s essential that we continue educating consumers and employees on not only what makes a secure (vs. risky) IoT device, but also what the potential impacts of an insecure device could mean for privacy and organizational insurance policies.Furthermore, safe usage training for these devices needs the support of brands, vendors, and cross-vertical influencers to move the needle. In 2017, we’ll start seeing a larger rally from these players to brand themselves as being providers of secure devices rather than focusing solely on delivering the latest, coolest-looking wearable or smart home device, and that will be a welcome change given that the latter message has taken precedence in marketing efforts so far.