Russian hackers, questionable email servers, exploding smartphones, and the unprecedented US election: 2016 was filled with internet security and data management issues. But as internet-connected devices make their way into every part of our lives, cyber-criminals are taking note and advancing toward an entirely new category of threats. Here are some 2017 predictions from Richard Henderson Global Security Strategist at Absolute, an endpoint security and data risk management product company.
1. Household Devices are the Source of a Major Breach
As more and more devices connect to enterprise networks, IT and security teams are ill-prepared to deal with the security considerations around them. Most IT teams are already stretched thin supporting the typical desktop/laptop/telephony infrastructure all organisations need, so what about IoT? Ensuring that the untold scores of connected devices are safe to use inside a corporation’s walls is no easy task, but it cannot be ignored. From printers to refrigerators to the fitness tracker on your wrist, all have been shown to be vulnerable to exploits. The situation will only escalate as new versions are released and device manufacturers stop patching outdated devices. We expect that this problem will come to the forefront in 2017 with a massive breach resulting from an infected or compromised device unknown to IT teams monitoring the network.
2. Enterprises will Ban IoT Devices on the Company Network
I’ve been talking about the inherent threats surrounding connected devices for quite some time, and 2016 proved that machine-to-machine attacks are here to stay. Millions of connected devices have been subverted and used to launch Distributed Denial of Service (DDoS) attacks on scales that weren’t even conceived of in the past. Major sites are knocked off the internet in a blink, causing e-commerce grinds to come to a halt. Millions of dollars are lost in revenue, clean-up and additional defences. What’s an organisation to do when devices inside their networks are exploited and used in attacks elsewhere? What sort of liability will companies face when it’s determined that the thousands of internet-enabled security cameras being used to monitor their facilities are being used to take out online properties? It’s likely that conservative and risk-averse corporations will declare such devices off limits for their IT teams to use. They will either require the most stringent of routing and security controls added to them or just ban their use outright.
3. Imposter Apps Feed Data Brokers
Imposter apps, also known as “me-too” apps that try to cash in on tidal waves of popularity when the next big app hits, are not new or novel. Both Google and Apple have been swatting down these copycats with limited success for years, but the torrent continues unabated. In the world of Android, many of these apps are thinly-veiled clones rife with adware and spyware – whereas in the iOS world, Apple’s walled garden has, with some very rare exceptions, done a much better job of keeping those apps out. The following year will bring with it a whole host of new, malicious impostor apps that pretend to be popular programmes, but are really designed to syphon off every little bit of personal information on your device and send it back to someone who will bundle it up and sell it to illicit data brokers. Among the most targeted will be young adults, who have shown they hold little value in keeping their information private in recent research.
4. A Stolen Device Will Uncover Major Political Scandal
As we saw in 2016, securing email seems to be very difficult for politicians… from hacked email servers to leaked files posted online, it’s clear that politicians and their staff need to beef up their security game by many orders of magnitude. But with all the attention being put on securing backend infrastructure, groups will forget to educate and secure the endpoint devices being used by the politicians themselves. A stolen laptop without full disk encryption or asset tracking software can very easily be broken into and ransacked. Why hack the hardened email server when you can just get the emails from the user directly? Expect to see at least one embarrassing incident where leaked emails that came directly from a stolen device are sent to the press. Don’t forget, the inauguration of President-Elect Trump is January 20, 2017, so expect this prediction to jump-start the new year.
5. 2017 Data Breaches Will Dwarf 2016
2016 may go down in the history books as the year of the breach… it’s estimated that more than 2 billion pieces of stolen data were pilfered from companies before 2016 was complete. We keep preaching about the dangers around data breaches, but it seems the message isn’t being heard. From misconfigured servers leaving entire databases free to download, to leaked troves of emails, the number of breaches continue to grow. We firmly believe that 2017 will make 2016 pale in comparison. Based on the extensive adoption of cloud services, third-party processing of data, and the huge attack surface that’s available to attackers – I predict we’ll see 4-5 billion records exposed this coming year. Attackers are hitting networks with a level of unrelenting assault simply unimaginable a couple years ago… and they’re not going to slow down. Defense is a seemingly herculean feat: defenders have to get it right 100 percent of the time. Attackers? They only need to be right once.
