By Sungard AS
Cyber security never stands still. As businesses wake up to the need to prioritise information security, cyber criminals are becoming increasingly creative in following the money trail. So, it's crucial to look back on what we have learned over the past twelve months, and what the year ahead holds in terms of emerging and evolving threats.
What have we learned from 2016?
With increasing emphasis on everything being connected and always on, 2016 was the year that hacking went mainstream. Even the presidential campaign wasn't immune to hacking scandals and data leaks.
There was growing recognition of the small-business sector's vulnerability to cyber crime. A 2016 report by the Federation of Small Businesses (FSB) – "Cyber Resilience – How to Protect Small Firms in the Digital Economy" – revealed that small and medium enterprises (SMEs) are actually more likely to be targeted than larger companies, with two-thirds reporting some kind of attack over the last two years.
According to the FSB, the most-common forms of cyber attack in 2016 were phishing emails, spear-phishing emails and malware attacks. These cyber-crimes cause a disproportionately high impact to small businesses compared to large enterprises when adjusted for organisational size, further magnified by their reliance on the internet for growth.
5 key cyber security trends for 2017
#1 – Ransomware has come of age
Since ransomware first appeared in 2005 in the form of Trojan.Gpcoder, this threat has grown in maturity and sophistication. In a typical ransomware attack, business-critical or sensitive files are encrypted and held for ransom. In 2017, Trend Micro predicts 25 percent growth in this form of malware as it spreads to internet-enabled devices, point-of-sale (POS) systems and even automated teller machines (ATMs). Self-propagating varieties are now able to infect hundreds of machines in very short timeframes, and most firms don't have the resources in place to deal with these attacks in real-time.
#2 – A worsening skills shortage
With more than a million vacant positions worldwide, there is a worrying shortage of skilled IT security workers – and hackers know it. Larger enterprises are starting to realise the importance of hiring a Chief Information Security Officer (CISO), but there is a dearth of digital and cyber security skills among small businesses who don't have the budgets to employ top talent, leaving them dangerously exposed. The fight against malicious attacks needs to be collaborative – involving engagement between multiple small businesses, enterprises and government – rather than the David versus Goliath battle that business owners face today.
#3 – Hacking humans with 'social engineering'
It might seem far-fetched to imagine that cyber criminals can just ask someone for their password and they'll hand it over. But social engineering does just that. Scammers nurture trust with tactics such as impersonation (sending emails or texts from your known contacts with links or downloads), or using "baiting" schemes via social networking (such as too-good-to-be-true deals on classified or auction sites). They often request confirmation of financial information or passwords. There are thousands of variations (and counting) on social engineering attacks, so don't let curiosity lead to careless clicking.
#4 – Attacks get smarter - and less traceable
Hackers are becoming increasingly organised and 'business like', using malware in ever more creative and devious ways to get through company defenses to monetize their nefarious activities. They may be based in countries outside their victims' police jurisdictions, or exploit the Dark Web to hide and communicate with like-minded criminals as well as purchase even more damaging attack vectors. While direct attacks will continue to be an issue, of growing concern is longer-tail data mining. The data gathered may be used in more advanced future attacks or sold on the Dark Web for others to do the same.
#5 – Third-party risk management
If you've built an excellent security system and have all the right policies in place, your customers may still be at risk unless you've subjected your third-party suppliers to the same level of scrutiny. Or your own vulnerabilities may mean your business is exploited to gain access to larger, more-lucrative targets in your commercial network. There are notable examples – Target and Home Depot spring to mind – where security breaches were perpetrated by criminals who obtained and compromised a third-party vendor's credentials. Make sure you manage risks across your supply chain.
The major attacks that dominated the headlines in 2016 have generated great uncertainty about the future of cyber security. However, by ratcheting up your defenses, staying abreast of the threat landscape, and wisely managing your digital activity, you can make your business a tougher nut to crack and deter would-be cyber criminals.