#3: Spear phishing attacks will pose an increasingly pervasive threat.
As noted in our State of the Phish™ Report, 61% of infosec professionals reported experiencing spear phishing attacks, in which criminals gather information on key individuals in an organization to create a personalized and convincing phishing email. This year has seen a number of high-profile attacks hit the press, from Amber Rudd (the UK’s Home Secretary) to Tom Bossert (Homeland Security Advisor in the US). Amy Baker, Wombat’s VP of Marketing, expects these attacks to be increasingly pervasive in 2018.
“The ideal strategy against these threats, because technology often doesn’t catch spear phishing attacks, is a proactive, comprehensive training program,” says Baker. “We recommend knowledge assessments, simulated attacks, and interactive training supported by an integrated solution where technology is able to detect risky behavior and automatically deliver relevant ‘just-in-time’ training.”
It’s hard to overstate the importance of security awareness training in reducing the risk of social engineering and successful spear phishing attacks. One survey respondent told IDG Connect, “As phishing attacks become more sophisticated and socially engineered attacks continue to rise, the real target isn’t infrastructure — it’s the user.”
#4: The GDPR and NIS Directive will increase challenges for global organizations in terms of educating their entire workforce.
With the NIS Directive and the General Data Protection Regulation (GDPR) coming into play early next year, end-user security training will play a considerable role in ensuring compliance. “Some companies, likely US-based but with European customers or suppliers, will fail their mission to comply with GDPR in particular, and the results will be very public and very expensive,” says Levine. When this happens, he says, “there will be shockwaves and, hopefully, global enterprises will then revise their cyber missions to dedicate themselves to improved cyber defense.” Quality, targeted end-user security awareness and training will be essential in this regard.
#5: Money won’t be the only motivation for attackers.
Not all cyberattackers are motivated by money, and their purposes will continue to diversify in 2018. “We think about the impact of identity theft as a primary purpose, because identities have financial significance,” says Levine. “But we rarely think as well about the potential for attacks directly against data integrity,” he says. “I believe that new purpose is on the horizon, and the results might be devastating — a complete breach of confidence may result, and then we will all need to rethink how and why we connect to the internet and compute.”
On a similar note, the aforementioned McAfee report predicts an increase in ransomware attacks intended to cause “outright system sabotage, disruption, and damage,” rather than traditional ransomware extortion. “Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals,” the report stated.