As 2016 quickly approaches, I thought that my readers would enjoy hearing the predictions of a panel of respected industry insiders and experts. While the forecasts are not identical, several concepts were mentioned by multiple folks - so take notice. We can expect to see more attacks leveraging social engineering and social media based information, advanced ransomware, Internet of Things related security problems, and more advanced products that require less human intervention.
One theme however seems consistent across all the predictions: we will face serious cybersecurity challenges in 2016. So be prepared, and here's to a cyber-safe 2016.
Rohyt Belani, Co-Founder and CEO, PhishME
With millions of active daily users across various popular social media platforms and many of those managing corporate accounts, social media provides the perfect opening for a targeted attack. In 2016, we can expect to see an upswing in phishing and spear phishing attacks that leverage information found on social media, particularly with major events like the presidential election drumming up unusually high social media activity and making social networking platforms like Facebook a goldmine of personal information and a hotbed for cybercrime. In the coming year, organizations will need to be more mindful than ever about the information being shared on both employee and corporate social accounts to prevent employees from accidentally arming attackers with the information needed to successfully phish a company.
Dr. Guy Bunker, SVP Products, Clearswift
Unfortunately, it looks like phishing attacks and targeted information borne threats will continue to grow, as cyber-criminals look to find more sophisticated ways to get to their end goal. Malware will be more frequently delivered from "trusted" servers which have been compromised; these will be able to be switched on and off from delivering malware at will. This will make the need for more proactive protection even more important. Classifying a website will no longer be a guarantee of its security. Similarly, malware will also increasingly evade sandboxes as it becomes more "intelligent" - once more increasing the need for a more proactive blanket approach to dealing with active content attempting to enter the organization.
Shira Rubinoff, President, SecureMySocial
Criminals, nations, and anyone else seeking to hack will continue to exploit social engineering as a primary means of digital "breaking and entering." We will see more instances of oversharing on social media leading to spear phishing which in turn will lead to breaches. A growing number of businesses will start to reward employees for practicing good cyber-hygiene, and to punish employees who do not. Internet of Things technologies will create new security risks and raise stakes: connected industrial systems, medical devices, and other "appliances" will enable breaches to have far more severe repercussions than ever before. Hopefully, in 2016 we will see more women enter the information-security profession - but we still have a long way to go.
Malcolm Marshall, Partner and Global Leader, Cyber Security, KPMG
In 2016, we will see that consumers care about security shock - more businesses will realize that sophisticated customers actually care about security in the products and services and will realize that security, ease of use and "coolness" are not mutually exclusive. Also, Internet of Things (IoT) Security will cause a product liability crisis - having failed to learn their lessons from 20 years of enterprise cyber security failings, many companies are failing to build security into the design of products that incorporate IoT, many of them don't understand the technology that's being embedded into their products and services and placing too much reliance on third party suppliers. 2016 could be the year that this really blows up in someone's face, hopefully not literally.
Dimitri Alperovitch, CTO and Co-Founder, Crowdstrike
Data and information will continue to be weaponized, as criminals and hacktivists leak data publicly in order to cause significant damage to businesses, reputations, and even governments. Hackers are currently building massive databases that include multiple types of data (insurance, health, credit card) to present a "full picture" of an individual. It's one thing to have your data stolen and another to have it used against you, so we'll continue to see individuals', corporations' and public entities' info used against them as a weapon in 2016.
Corey Thomas, President and CEO, Rapid7
We will see a greater gap between the well-managed and the poorly-managed, our security version of income inequality. The poorly-managed will continue to ignore, pay lip service, and rely on mostly on controls. The well-managed will recruit teams directly or through partnerships and build effective programs.
Tom Kellermann, Chief Cybersecurity Officer, Trend Micro
1. Cyberattacks will become increasingly destructive. Attacks on the integrity of data will abound.
2. A ransomware crimewave will surge across America. The use of Cryptowall 4.0 will explode.
3. Cyber attacks against mobile devices will become the primary attack vector of choice.
4. Watering holes will flourish. Corporate websites and mobile apps will become hot zones for secondary infections.
Ken Levine, CEO, Digital Guardian
I expect 2016 to bring new and more sophisticated implementations of ransomware and wiper attacks, both of which can wreak havoc on a company, taking critical systems offline and halting operations.
As more and more data is released in the large-scale attacks that take place every day, it is likely that creative social engineering attacks in 2016 will use stolen credentials from previous data breaches to access further sensitive information.
The Internet of Things will also be a major target in the upcoming year. Hackers will be seeking to either compromise connected devices for control and denial of service, or to use those devices to track people. One example of this would be looking at power consumption to determine when a person is home or not. Another could be how connected cars can allow a hacker to track a person's location.
Dr. Hugh Thompson, CTO/CMO/Senior Vice President, Blue Coat Systems
Many cybercrime groups are running like companies, and they will quickly move to industrialize ransomware with the goal of monetizing stolen data at a time when there may be less security investments in certain sectors. For most people, it isn't shocking anymore when their credit card data gets stolen, but that differs from data such as healthcare records that might be embarrassing, invasive , or harmful to a person. Stealing this type of data, like someone's medical history that does not expire and cannot be reset, will unfortunately give attackers the luxury of time to build and infrastructure to monetize that data.
Ross Hogan, Global Head, Kaspersky Lab - Fraud Prevention Division
Mobile malware, specifically mobile banking Trojans, are on a trajectory to become much more prevalent for banks and financial institutions in 2016. Our Q3 IT Threat Report found mobile banking Trojans experienced a four-fold increase over the previous quarter. Additionally, we have seen an increase in malware families that are gaining root access rights on users' devices. Not only does this give the attacker complete control of the device, it makes it exceptionally hard to remediate - even persisting through a full factory reset. These attacks will pose a significant problem for many financial institutions, who have thus far ignored the threats mobile devices pose.
Igor Baikalov, Chief Scientist, Securonix
2016 is promising to be another "fun" year in cyber security. Nation-states will continue battling for the domination of Internet backbone and infrastructure components. Mobile botnets will utilize every possible communication channel to become more resilient. The IoT fad will evolve into household terrorism - a smart toaster can really ruin your morning by mounting a DDoS attack on your coffeemaker. Data breaches will decrease in intensity, as there's where little left to steal, but identity fraud and spear-phish-based penetrations will flourish due to easy availability of private, sensitive information.
Dr. Engin Kirda, Co-Founder and Chief Architect, Lastline
We will see more sophisticated, targeted breaches utilizing malware that is more evasive against sandboxing solutions. Social-engineering attacks are still effective, and they will continue to be used as an important component of cyber-attacks. We will hear more of attacks against smartphones. Many Android devices are not being patched, and this will have at a cost. We will hear of more cases where Internet of Things devices such as home cameras, home automation systems, etc., are being used in attacks and hosting malicious services such as botnets."
Benjamin Jun, CEO, HVF Labs
Microservices will change the build vs. buy debate as identity management and customer data will be increasingly migrated to specialized cloud services in 2016. Developers will insert vetted services and code into their own software, avoid building from scratch, and obtain a security level better than most homegrown offerings. And, for companies who insist on build-your-own, relief is coming in 2017 when container technologies will allow in-house teams to practically manage and integrate microservices of their very own.
Philip Lieberman, CEO & President, Lieberman Software
This year we will see a major revolution in how firewalls are installed, configured and run that deliver more value with less human tuning. Software Defined Networking (SDN) will become fully operational and deliver better performance and security. There will be a major shift as companies finally give-up trying to do their own security and move the responsibility to others with strong capabilities. Various software manufacturers will try unsuccessfully to migrate into the managed services and consulting services businesses with disastrous consequences.
Rod Schultz, Vice President of Product, Rubicon Labs
The world will become keenly aware of the frantic superpower race to build a Quantum Computer and will begin to understand this high-stakes contest may be as critical for world cybersecurity just as the race for atomic weapons was for world security after WWII. The run-of-the-mill data breach will no longer be a simple "one and done" attack. Instead, data breaches will simply become the first step an attacker takes in an elaborate process for theft, extortion, blackmail, and false trust." Security will supplant style as the #1 concern in the auto capitals of the world, as automakers face the same challenges in securing over-the-air updates as Apple and Google do with phones, tablets, wearable devices and computers.
George Rice, Director of Payments, HP Enterprise Security (Voltage)
PCI data is going to continue to be interesting and valuable to criminals. Mobile payment (i.e. consumers using their mobile devices as a payment card replacement) will be a hot topic in 2016. Data security needs to be of equal, or greater, priority than EMV for most businesses. Businesses will need to use both pre and post authorization tokens in order to fully protect their payment ecosystem against data breaches.