Below is a list of the top ten IT security concerns for businesses in 2018. These are not in a particular order and we will keep them brief.
1: A Twist on Vendor Attacks:
The old logic says that the easiest way into a big company that has tight security, is through a little vendor company that has weak security (think Target) still holds but there are obvious new ways to exploit vendors. In 2018 we expect the bad guys to hack small vendors, then send your company real invoices for products and services you either did buy or often buy, but have the money sent to the attackers bank account.
2: Artificial Intelligence & Machine Learning Used by Attackers:
In the last few years we have seen AI get used by IT security companies like McAfee, CarbonBlack and Trend to block corporate attacks. Now the bad guys are starting to using Artificial Intelligence to both find vulnerabilities in security solutions and to evade security solutions. Most recently some crypto-code named Cerber was found to be successfully using AI and more is on the way.
3: Fake Email Domains:
It costs less than $10 to buy a domain and get email hosting set up so it is easy for hackers to buy a domain that is very similar to yours and then send emails as the CEO or CFO requesting changes. If your CFO is “email@example.com” and your payables clerk receives an email from “firstname.lastname@example.org”, do you think they would notice the change? I have seen this scam myself in 2017 and we expect it to take off in 2018.
4: Bitcoin / Blockchain Attacks:
In addition to using BitCoins and other cryptocurrencies to make it near impossible for police authorities to track payments made to bad guys, blockchain technology itself holds the keys to billions of dollars in cryptocurrency like Ethereum and BitCoin. As new cryptocurrencies have their Initial Coin Offerings, hackers will go after the developers to find vulnerabilities they can exploit. If you think all the cryptocurrency companies on this massive list of cryptocurrencies have 100% security, I have some swamp land to sell you. 🙂 .
5: Fake News & Cyber-Propaganda Attacks:
By now we are sadly familiar with how a relatively small budget can effect political parties. The Russian attacks on the Democrats and support of Republican candidates is estimated to have cost far less than $1m . With all of dozens of major elections coming in 2018 (think Cuba, Egypt, the US…) hackers will be sure to exploit companies involved in the election. However, beyond trying to affect the outcome of elections, hackers are expected to try and extort money from nearly any company using the same techniques. If your company is facing thousands of upset customers over a never ending string of bad press, real or not, they are going to be interested in paying to make that bad news stop. Cyber-criminals now have the expertise to create and propagate fake news that can effect your share price, senior management bonuses, client retention, and even employee satisfaction. No one wants to work for or with a company that has made some nasty environmental cover-up or has a pedophile for a CEO.
6: Mobile Device Hacks:
In 2018 cell phones will be an even larger target than in the past. The majority of Smartphones still do not run an effective antivirus program and are unencrypted. Worse, like Social Media, the ability to impulsively respond to a request on a Smartphone is easy. People often click links, download files or approve changes on their Smartphones without the slightest understanding of what they could be installing or giving away. While major manufacturers like Samsung and Apple are much better at patching today than they were in years past, many second and third tier manufactures let their products languish with old code ripe for known attacks.
7: Attacks As A Service (AaaS):
The “As A Service” model simply means that you need nothing onsite to make it happen. Terms like Software As A Service (think Google Docs or Word Online…) and Platform As A Service are now common so it should not be a surprise that there are real companies selling attacks that require you to have nothing but money. This means that in 2018 we expect to see more targeted attacks on companies that are being paid for by competitors and even disgruntled employees.
8: Fake GDPR Enforcement:
As companies start to be aware of the new EU based General Data Protection Regulations (GDPR) that come into effect in May 2018, many will quickly become aware that in practical terms, it applies to nearly all midsize and larger companies. As it stands today, how fines will be issued and how they will need to be paid is not clearly defined and attackers will take advantage of this, especially with smaller firms that have minimal EU exposure. We expect to see official looking GDPR fines sent to hundreds of thousands of companies starting in the summer of 2018. Some of the fines will refer to real events that genuinely breached GDPR but were not being enforced by the EU and some will be pure fiction. A fraction of those fake fines will get paid to hackers purely based on the recipients ignorance.
9: IoT & IIoT Platforms:
Internet of Things (IoT) and Industrial Internet of Things (IIoT) are simply devices and machines that are connected to the internet. Drones, security camera’s, and even your next fridge are likely IoT devices. Machine shop C&C lathes and other industrial hardware are the next category of IoT devices called IIoT. These millions of devices provide places for hackers to route through and hide behind as well as shut down. Imagine you are a drone manufacturer and a hacker finds a way to turn off the propellers in flight; how much would you pay in extortion money to make sure that did not happen? What if you are a window manufacturer and several of your critical new machines just stopped working, or started destroying product, how much would you pay to get that control back?
10: Ransomware Continues:
Cryptolocker and friends are just so successful they are going to continue to flourish and grow in 2018. It is so easy to fool an employee into clicking on a file that encrypts everything they have access to. This is particularly challenging for small and mid-size companies with questionable backups so they are much more likely to pay ransomware fees to get their business back in operation. If you want to be scared, read this lovely December 2017 article on the expected 2018 ransomware attacks.
If you liked this article and want more you will likely find this Trend Micro: Security Predictions For 2018 to be interesting too.