Securing 2017: Predictions for the year ahead
Throughout 2016, we’ve seen large companies regularly appearing in the press as victims of cybercrime. Data breaches, malware infections, and social engineering attacks have become common and almost expected.
Unfortunately, all signs point to this trend continuing in 2017. Tech innovations and an increase in connected devices mean more gateways for cyber criminals to access sensitive networks and data, with the Internet of Things, drones and mobile payment systems likely to be significant targets next year. Here is what businesses should be expecting:
More attacks on mobile payment systems
We are using our smartphones more than ever – research by Deloitte found that collectively, US citizens look at their smartphones over 8 billion times a day. We incorporate mobiles into as many of our everyday activities as possible, from walking to our diets and making payments.
Major retailers are keen to take advantage of this and stay ahead of the competition by adopting the newest near field communication (NFC) and radio frequency identification (RFID) mobile payment systems, such as Apple Pay and Android Pay.
In a way, this is great news, making payments easier, quicker and more convenient. But many people assume that their phones are automatically secure, and will download a variety of potentially harmful free apps and files. This belief in the intrinsic security of smartphones, combined with the inevitable security flaws in emerging mobile payment systems, means attacks on digital and mobile payment systems are to be expected in 2017.
The Internet of Things will be increasingly under threat
Securing the Internet of Things has been a highly scrutinized topic this year. Every object seemingly has the potential to become a connected ‘thing’, from heaters to shoes and coffee machines.
Of course, many are concerned that these devices are another way for criminals to access valuable information. At the other end of the scale, some people believe that because these devices don’t look like, or necessarily operate in the same way as, laptops and tablets, they are not prone to the same vulnerabilities. However, as we saw with the Dyn DDoS attack that took down Twitter, Netflix, CNN and GitHub earlier this year, one vulnerability in a connected device can lead to widespread consequences.
We must also seriously consider the value of the data that can be accessed via these connected devices. We are likely to see an increase in targeted ransomware attacks, and if an attacker takes control of a business’s lights or access controls, companies won’t have much choice but to pay up.
Social engineering attacks will become even more of an issue
Humans are, and will continue to be, the weakest link in the cybersecurity operations of any company. Although security technologies are bound to evolve in 2017, if employees are not educated about basic cybersecurity measures, we will likely see a rise in data breaches.
Criminals are aware that employees will always be an easy target, and therefore their attacks will become even more targeted in order to continue manipulating people into disclosing sensitive information. These attacks may include sophisticated spear phishing emails, criminals posing as contractors to gain access to a building and steal company data, and monitoring keystrokes to discover passwords.
The string of data breaches in the past couple of years also means that a growing amount of information is available about a large number of individuals – certainly enough for a criminal to put together a convincing phishing email.
Drones will be used to launch attacks
In 2017 we are likely to see an increase in physical attacks carried out by drones. Drones are becoming more widespread, but awareness of them as a threat to organizations is limited.
Drones can be used to attack short-range networks such as Bluetooth and Wi-Fi connections, and could, therefore, be used to record keystrokes from Bluetooth keyboards or intercept communications across a network. Often, these connections are less secure as many companies may assume that no one will be able to get close enough to affect them. This is likely to change with the increased availability of drones next year and as attackers become more creative in their attempts to access valuable information.
Increased likelihood of attacks on infrastructure
With the desire to make everything connected comes the evolution of bigger and grander connected systems. Smart cities are the perfect example of this. In a similar way to Internet of Things devices, these systems offer hackers another way to access a vast database of critical information and services – only these attacks could have much larger consequences, affecting energy and water supplies of entire cities or regions.
Even cities that aren’t ‘smart’ are vulnerable, often due to aging infrastructure and complex supply chains. Companies associated with critical infrastructure often have vast supply chains, so if an employee working for a contractor or supplier falls victim to a phishing scam, it could potentially bring down the electricity supply of an entire town.
Overall, whilst 2017 may look bleak in terms of cyber security, innovations in connected devices, mobile services, and smart cities all offer a multitude of benefits for businesses. However, companies need to be realistic about the threats that these innovations pose, and be proactive in preparing for an attack.
Even with the chain reaction of breaches that we saw this year, as ever, many companies are likely to bury their heads in the sand when it comes to cybersecurity. But, with the new General Data Protection Regulations coming into force in 2018, businesses may pay a hefty price for ignoring cyber threats in the near future. Therefore, 2017 is the year for businesses to put a robust cybersecurity strategy on their list of new year’s resolutions.
About the Author: Andrew Avanessian is Vice President of Avecto. With over 15 years of experience in IT infrastructure, architecture, and security, Andrew has established Avecto’s consultancy and technology divisions into world-class offerings. In his role, Andrew regularly provides security and consultancy advice to global enterprises, including some of the world’s biggest brands. An author and guest speaker at numerous security events, Andrew’s latest book, The Endpoint Security Paradox, was published earlier this year. Andrew has also made numerous appearances on BBC News, CNBC and BBC Radio Five Live discussing security best practice.