A few years ago, cyberattacks against corporations were on the margins of news and media. For many people, a data breach conjured associations with dated 1990s movies and warranted little attention. But after the devastation wrought on Target, Home Depot, J.P. Morgan, and most recently Sony, people have realized they are no joke.
Data breaches cause serious damage, to the tune of $146 million out of Target's pocket, and an estimated $200 million and a major motion picture release (as well as endless embarrassment) for Sony. The recent climate raises the question: what's in store for 2015?
"It's sad and embarrassing, but I think the cybercriminals will overrun [the cybersecurity] industry in 2015," Pat Peterson, the founder of cybersecurity firm Agari, tells Inc. "Even if you're a small restaurant chain, a health care provider, or a startup, there is gold in your data and criminals are going to figure out how to monetize that in ways you can't imagine."
Peterson bases his dire prediction in part on criminals' boundless inventiveness and resourcefulness. Target's breach, for example, started from criminals infiltrating the chain's heating and ventilation vendor, while J.P. Morgan's breach originated within the website of a charity the bank was funding.
Even more disturbing, Peterson says, high-profile hacks like those represent just a small portion of the criminal activity that's taking place. "We hear about only one percent of serious attacks. Sony is the noisy tip of the iceberg and is barely representative of the serious criminals and nation-state actors that are doing far more nefarious things every day," he says. "They don't go out and publicize it. They do the opposite. For every cyberattack we hear about, there are 10, 100, 1,000 others that fly below the radar."
Inc. spoke with Peterson, who is well-known in the security world for hunting spammers, about what to expect in the war over your data in 2015. Below, check out his four predictions for the new year.
1. Hackers will focus on medical records.
Peterson says that health care, a $3 trillion industry, offers a trove of information that's worth its weight in gold. Just one doctor visit results in all of your health and financial information shuttling between multiple parties without much protection. "Our data shows that there is a 10X premium on medical records over personal and financial records in terms of value of a data breach," he says. "This is where a lot of criminals are focusing because these records are not protected like a bank vault at all."
Think about what's in your medical records: your Social Security number, credit card numbers, bank information, and all your medical history. Not only can hackers sell that information piece by piece, but they can also just sell your entire profile. "If you knew how many parties your information goes through, you'd think twice about going to the doctor," Peterson says.
2. More credit card fraud goes online.
Nearly half of all credit card fraud happens in the United States. While the majority of the world transitioned to more-secure chip-and-PIN credit card systems, the U.S. still uses swipe-and-sign cards that expose customers, banks, and retailers to more risk. But come October 2015, all new credit cards in the U.S. will be embedded with the microchip and retailers will update their credit card readers. It'll be a slow process, but the chip-and-PIN cards are harder for criminals to manufacture. The result will be a shift in credit card fraud from the physical world to online.
"If you're a retailer, hallelujah. Pop the champagne, because your fraud department will have a slow year. Now, when criminals get into 60 million records at Target or 80 million at Home Depot, they won't be able to take blank credit cards, program them, and send people out to buy gift cards and high-value, re-sellable items, because chip-and-PIN credit cards will stop that," Peterson says. "That means all the traffic has to go through the online channel. Criminals will be doubling down on using stolen credit card numbers online. Payments companies and e-commerce sites will see all of that activity going through their sites--making it a busy 2015 for them. By 2016, almost all the traffic will be diverted to online retailers."
3. Email will remain a theater for cyberattacks.
Email is still the easiest way for criminals to breach your business's security. Be careful about which emails you open and watch out for phishing emails and social engineering. Do not click links inside messages and do not download attachments unless you're expecting them. This is how hackers trick you into logging into your bank account or install malware onto your computer.
"It's remarkable how central email remains. Even though email is not the headline of these big cyberattacks, if you look behind the scenes of the Target breach and the celebrity photos breach, it all began with one of these phishing emails. We believe the Sony breach started with the same old email game," Peterson tells Inc.
"Email remains one of the sharpest weapons with the longest reach for hackers. It won't stop in 2015," he continues. "Like in past years, phishing emails follow the news--if Ebola is in the news, you'll get an email from your doctor or the CDC with a 'helpful' link or attachment to open. Next year, as Republicans try to repeal Obamacare, you'll see emails from insurance companies."
4. Watch your reward points.
Hackers also will be trying to steal your airline miles and your company's rewards points. Criminals will use rewards points to get free travel, cash back, or as a way to get more of your financial data. "Airline miles and hotel points are being stolen and monetized in clever ways. We think this will happen more frequently next year," Peterson says.
So far, Agari hasn't seen major data breaches targeting rewards points. Watch out for your customers' accounts, though--hackers will be waging phishing campaigns against individuals.
"We've seen cases where reward points are a good stepping-stone attack--you may not give up your credit card information, but you may give up your hotel or travel information," Peterson says. "Then the criminal can log in to your account and find out where you live, your credit card number, and use it to figure out your password and social engineer victims to get more information."
Although he paints a bleak picture of what's to come in 2015, Peterson says some help may be on the way. Agari is moving away from the whack-a-mole style of counterattack the cybersecurity industry has traditionally used. "The way the Internet works today means that is not effective. What we have done is decide to remake the ecosystem," he says. "Within two years, we're going to create a new technology model and get the biggest companies on board. That is a prerequisite to solving the problem."