Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Amy Baker, VP of Marketing and Alan Levine, Security Advisor, Wombat Security Technologies
Phishing Will Continue to Be a Key Point of Entry
2017 was saturated with cyber-attacks, from Petya to KRACK, and this trend has no end in sight. 2018 will likely bring further cyber-attacks at an increased rate, with phishing as a key point of entry. With both the threat of further attacks and the looming compliance changes of the NIS Directive and GDPR, end-user training is an organization's best line of defense in the fight against these vicious attacks.
In 2018, all organizations that rely on internet connectivity to conduct business will see their cyber risk grow. For many, there remains the dangerous notion that 'this won't happen to me, it's the other guy's problem.' Key industries that are vulnerable include financial services, retail and healthcare. With phishing the key point of entry for attackers, we will see it evolve into many forms, such as smishing (SMS phishing). These attacks will persist as the most common vector for cyber-attacks. Smishing will be a new danger, but phishing will remain by far the most dangerous method for cyber-attacks.
Amy Baker, VP of Marketing, shares the following prediction:
"Spear Phishing Attacks: In early 2017, 61% of InfoSec professionals reported experiencing spear phishing attacks, and this year has seen a number of high-profile attacks hit the press, from Amber Rudd (responsible for cyber-security in the UK) to Tom Bossert (cyber-security advisor in the US) being affected. The ideal strategy against these threats, because technology often doesn't catch spear phishing attacks, is a proactive, comprehensive training program. We recommend knowledge assessments, simulated attacks, and interactive training supported by an integrated solution where technology is able to detect risky behavior and automatically deliver users relevant 'Just in Time' training. This will help us defend against this increasingly pervasive threat."
Alan Levine, Security Advisor, says:
"The NIS Directive: 2018 will undoubtedly see a big increase in cyber-attacks on critical infrastructure worldwide, with phishing continuing to be a key point of entry. Therefore, end-user training on how to recognize these risks is a considerable factor in the fight against cybercrime and in ensuring compliance with the NIS Directive, which is coming into play on 9 May 2018 and will fine relevant businesses up to £17 million for non-compliance."
- All verticals -- that is, all companies that rely on Internet connectivity to conduct business -- will see their cyber risk grow in 2018. The reasons are three-fold:
  - Attackers are more advanced, and their attacks are generally successful, and so they will persist.
  - The greater reliance on IoT (Internet of Things) will present new vectors for attack. Managing vulnerabilities in this space will be even more difficult than managing vulnerabilities inside a typical enterprise data center operation.
  - Major enterprises continue to lack the foresight, diligence, and focus to defend against cyber-attacks of all kinds.
There remains the dangerous notion that 'this won't happen to me, it's the other guy's problem.' Even enterprises that understand and appreciate their cyber risk still have not assigned the right amount of attention to their cyber defense programs. This trend will continue, and so cyber risk will continue. Financial services, retail, and healthcare verticals will be primary targets, because 'that's where the money is,' and because previous attacks against these verticals have been so successful.
- While smishing will become a more successful and prominent vector for cyber-attacks, the very prevalent and dangerous email phish -- which comes in many forms -- will persist as the most common vector for cyber-attacks. We will see more ransomware attacks, more identity theft, more large -- and even multi-national -- data breaches, and all of these will begin with a simple phish. Yes, smishing will become a new danger, but phishing will remain by far the most dangerous method for a cyber-attack.
- The GDPR and NIS regulations will result in very public, poster-child examples of negative publicity. Some companies, likely US-based but with European customers or suppliers, will fail to comply with GDPR in particular, and the results will be very public and very expensive. In 2018, when this happens, there will be shockwaves and, hopefully, global enterprises will then revise their cyber missions to dedicate themselves to improved cyber defense. As it has always been, quality, targeted end-user awareness training will be pivotal.
About the Authors
Amy is VP of Marketing at Wombat. She has 25 years of experience marketing a wide variety of business-to-business technology products and services, including cyber security, telecommunications, healthcare technology, information technology, physical security and biotechnology.
Alan serves as a security advisor at Wombat. He is the former CISO for two Fortune 500 companies, with 20 years spent leading global cybersecurity programs. He was a founding member of the Microsoft Security Council, Oracle's GRC Council, and other supplier/customer committees. He is currently Board Chair and founding board member of Carnegie Mellon University's Chief Information Security Officer's Executive Program.