Top cyber threats in the coming year include nation state cyber espionage, a rise in data integrity attacks and more attacks harnessing Internet of Things (IoT) devices, Stroz Friedberg, an Aon company, notes in its 2017 Cybersecurity Predictions report.
“We believe that the year 2017 will bring the intensification of longstanding trends that cyber security professionals today are vigilantly monitoring, while several new or enhanced challenges will present themselves in force,” the report points out.
The report, released Thursday, includes six predictions for 2017 to help security professionals and business leaders prepare for the most significant cyber threats, and further offers recommendations on how to increase resilience in the face of those threats.
The anticipated intensification of cyber risks in 2017 will likely necessitate a shift in the approach businesses use to manage those threats, it suggests.
Along with threat intensification will be “new challenges and a blurring of lines between the actions and responsibilities of the state, markets, businesses and civil society,” Ed Stroz, co-president and co-founder of the specialized risk management firm, cautions in a company statement.
“In terms of risk, this looks like nation states adopting the ‘whistleblowing’ tactics of hacktivists, and criminals with relatively small resources being able to commit huge-scale, nation state-style attacks on banking systems or even critical infrastructure,” the cyber report explains.
Advises Stroz: “The flood of fake news and nation state-backed attacks in this past year’s election are just a sign of things to come, as attackers find new ways to seek faster and wider access to data and exploit sensitive information.”
The report’s six predictions for 2017 are as follows:
There will be an increase in IoT devices compromised, harnessed as botnets, and used as launching points for malware propagation, spam, DDoS attacks and anonymizing malicious activities. “While the conversation around IoT devices is beginning to switch from functionality to security, words have yet to be translated into actions. As long as this rapidly growing body of devices is unsecured, expect to see criminals exploiting them as an empowering platform from which to launch major attacks, and they will often be directed at third parties,” the report warns.
Cyber espionage will continue to influence global politics and will spread to the upcoming elections in Latin America and Europe, with Russia, China, Iran and North Korea remaining regions of great concern as they continue to develop deep pools of cyber crime talent. “Cyber espionage and nation-state cyber warfare will escalate this year until it reaches a point that could be the cyber equivalent of the Cuban Missile Crisis,” the report notes. “Expect highly skilled criminal groups that previously targeted the critical infrastructure of major regulated industries to move on to non-top tier targets with weaker defences, but equally valuable data, such as credit unions, less mature financial institutions, healthcare institutions, and manufacturing supply chains.”
Criminals will seek to sow confusion and doubt over the accuracy and reliability of information, impairing decision-making across the private and public sector. “In 2017, organizations will prioritize protecting themselves against data integrity and sabotage after an incident in which criminals successfully manipulate information, such as company earnings, news announcements, voter information or the operational controls of a system such as energy grids,” the report states.
As organizations continue to leverage evolving technologies, including the cloud and IoT, and shore up perimeter defences, criminals will increase their focus on the human element as an entry point, with social engineering tactics becoming more targeted, cunning and effective. “Increasing employee awareness and education, enforcing policies and implementing new technologies around employee behaviour analytics to combat evolving and existing exploits will be essential,” the report contends.
Increased pressure from regulators worldwide will push in-house red teaming capabilities to accelerate, and companies that are not in the cyber business will face the challenge of recruiting, motivating and retaining highly technical cyber talent (a global shortage of 2 million cyber security jobs is predicted) to keep their red teams at the forefront of cyber security. “To meet the demand for these skills, there will be a concerted effort to build new marketplace strategies and education programs to strengthen the talent pool,” the report states.
The financial services industry and other regulated sectors will be early adopters of making cyber security due diligence a critical part of the pre-merger and acquisition (M&A) due diligence process. That said, “it will take additional high-profile deals to be impacted negatively by cyber security issues before cyber due diligence in pre-deal negotiations is taken seriously.”
Stroz Friedberg contends that an understanding of existing and emerging cyber risks is more relevant than ever before given cyber security’s influence on international security, politics, economic stability and transactional crime.
While the 2016 prediction that cyber insurance prices would increase has yet to be statistically proven, the report points out, “2016 witnessed a significant uptick in demand for cyber insurance, particularly in the wake of high-profile cases.”
Citing Aon Benfield’s Reinsurance Market Outlook, released this past September, the report adds that “with approximately US$1.7 billion in premium, annual growth for cyber insurance coverage and product is running at 30% to 50%.”
With regard to regulation, strong movement in cyber security policy and regulation is anticipated, with the regulatory push in some countries focusing on increasing national security, while in others governments use it to increase protectionism.
“As governments firm up their online regulatory regimes, we might see some positive effects, such as increased security innovation and public awareness,” the report notes.
“Mostly, however, we think that businesses will be burdened by the need to interpret what a fragmented global regulatory landscape means for their operations,” it adds.
The report includes the following recommendations:
optimize cyber security posture by continually assessing and prioritizing cyber threats and vulnerabilities, as well as improving incident response readiness;
evaluate insider risk by ensuring the organization’s formal program is current;
conduct M&A pre-deal cyber due diligence early, performing this alongside compliance and financial due diligence;
assess, protect and leverage both intellectual property and commercially valuable information; and
consider self-regulation by adopting higher security standards in products and services prior to going to market, even if cost is prohibitive.