If 2017 was any indication, 2018 will not be a boring year for cybersecurity. Last year, we suffered worldwide ransomware attacks and saw one of the biggest data breaches in history, countless phishing attacks and Russia’s manipulation of social media. Unfortunately, cyber attacks will only get more sophisticated, so it is important that cybersecurity does not fall far behind.
If you are anxious about what 2018 will bring, you are not alone. And in order to battle that anxiety, we have come up with 5 cybersecurity predictions for 2018.
IoT developers will need to tighten up security
With the popularity of Internet-connected things, developers have to produce more and more Internet of Things (IoT) devices. However, with such mass production, one important part is left behind: security. A lot of IoT devices lack basic security and thus are vulnerable to attack, which crooks are happy to take advantage of. IoT devices lacking security can be taken over and turned into a giant botnet, which could be used to steal data and to carry out DDoS and brute-force attacks. Three of the biggest botnets, for example, are speculated to take over at least a million devices a month. Many of those devices would be much harder to take over if they had even the most basic security. The lack of proper security is especially worrying because those giant botnets could cause a lot of damage.
Developers will be forced to tighten up the security for their IoT devices, but the lack of clear guidelines could make it difficult. Companies need clear regulations that would force them to secure their products. Without them, we could be seeing millions of potentially vulnerable devices that can easily be taken advantage of.
Ransomware will continue to dominate but targets may shift
Ransomware is becoming more profitable with every year, and with ransomware-as-a-service (RaaS) becoming widely available to everyone, that is unlikely to change any time soon. Many hackers are tempted to turn to cybercrime, and it is a no-brainer why, seeing as it is estimated ransomware made $5 billion in 2017. That is five times the estimated amount ransomware made in 2016. And those are only the estimated amounts; the real numbers are probably much higher.
While ransomware will remain one of the top threats, it is likely that targets will change from big businesses to smaller ones. Regular users will still get infected, that is unlikely to change any time soon, but the ones that are targeted specifically are likely to be smaller businesses. With cyber attacks like WannaCry and NotPetya, big companies are becoming more aware of their cybersecurity and thus are investing more money into prevention measures. Smaller ones, on the other hand, do not think they are a likely target, thus their security can be more lax and they would be more likely to pay the ransom. And ransomware developers/distributors are very much aware of that.
Healthcare institutions already have targets on their backs, and that will likely remain unchanged in 2018. They are the targets that are most likely to pay, as restoring functionality as soon as possible is essential. It is a new low for cyber criminals, but evidently they are not concerned with such things. Thus, healthcare services need to prepare for worst-case scenarios and always be ready.
It can be very difficult to prevent an attack if it is done right. However, if proper measures are taken prior to the attack, dealing with it may not be as disastrous. Many businesses/institutions now have backups but lack the preparation to carry out data recovery from backup when needed. Just after New Year, a hospital in Greenfield, Indiana paid a ransom of $55,000 after ransomware managed to infect their systems, despite having backups. Hospital representatives said that while backups could have been used to restore services, it may have taken too long, days or even weeks. Businesses/institutions will have to realize that if someone really wanted to attack them, they would likely succeed. Not only will they have to make sure their security is top notch, but they will also have to ensure they can deal with an attack adequately.
State-sponsored attacks will likely be more common
This is a rather worrying prognosis but one that features in most cybersecurity predictions for 2018. These attacks would not be carried out with the intent to make money, but rather to obtain highly classified information and disrupt critical services. Healthcare, transportation and communication services, power plants and water supply services are especially vulnerable to attack as they are part of critical infrastructure whose functionality is vital. And we already have examples of a successful attack on a critical infrastructure service. An attack on a power grid in Ukraine in 2016 left parts of Kiev without power for an hour. While an hour is hardly a disaster, many cybersecurity specialists fear that it was merely a test run. Unfortunately, it can be very difficult to prevent such attacks as they would be very sophisticated and well-funded.
However, not everyone should be concerned with this. With the media flashing alarming headlines about state-sponsored hacking attacks left and right, it is not difficult to become concerned. However, businesses need to focus on the threats that could affect them, instead of preparing for every single scenario, state-sponsored attacks included. It is unlikely that smaller companies will become targets of such an attack, thus they should focus on threats that are more likely to hit them, such as ransomware or phishing attempts.
Bad user cybersecurity habits unlikely to change
We would like to say that in 2018 users will become more aware of their cybersecurity, but that is unlikely to happen. As has been the case every single year since the beginning of the Internet, users are notoriously bad at securing their online accounts. Weak, easy to guess and commonly used are the terms many specialists could use to describe a lot of passwords used by the general public. As has become tradition, SplashData has released the worst passwords of 2017 list, and it’s as bad as you would imagine. Based on data released from data breaches, the most popular password remains ‘123456’, with ‘password’ and ‘12345678’ in 2nd and 3rd places respectively. Passwords like ‘hello’, ‘qwerty’ and ‘blahblah’ can also be found in the list.
Not only that, many do not take further steps to secure accounts. Gmail, for example, has had 2-step verification for years, and yet only 10% of all users use it. And while some may have legitimate excuses, such as not having their phones handy, many are just not that concerned. There is a lot of personal information in an account, and the email is usually connected to various other accounts, which could also be compromised as a result.
Based on data from years before, this tendency to neglect account security is unlikely to change, and many users will continue to put their personal information in jeopardy.
Data breaches will continue to occur
2017 was an especially bad year for cybersecurity, and we saw one of the biggest data breaches in history, when credit monitoring company Equifax reported a breach that leaked the personal information of around 145.5 million people. The company was heavily criticized not only for failing to ensure the security of highly personal information but also for disclosing the breach two months after it happened. Uber also got into trouble for disclosing a breach that occurred in 2016 a year later, essentially not telling 57 million customers and 600,000 drivers that their personal information was possibly leaked.
Breaches happen every year, and 2018 will not be an exception. It can be very difficult to prevent them, especially if proper security measures are not taken to ensure data security. Hopefully, the breaches reported in 2017 will be a wake-up call for many companies and institutions handling personal information. And if a company cannot prevent a breach, the least they could do is inform those affected. However, for that to happen, governments will need to have clear regulations about how users’ personal information and data breaches should be handled and how much time is allowed to pass before customers have to be informed. Without those kinds of regulations, companies will be allowed to do as they please and conceal critical information.
We may also see an increase in identity theft as a result of the data breaches from the year before. Equifax, for example, offered one year of free credit card monitoring, and it will stop in 2018, possibly leaving thousands or even millions of people exposed.