New-school security awareness training company ID’s phishing, social engineering and ransomware trends as continuing to get worse in 2018
KnowBe4, Inc., the provider of the world’s most popular security awareness training and simulated phishing platform, shares an insider’s perspective of cybersecurity trends to expect in 2018. The list of six predictions are founded on the company’s deep insight into threats that organisations experience today and should expect tomorrow.
“I’d love to say that 2018 is going to be a lighter year in terms of cyber attacks and threats, but no one can afford to be that naïve,” said Stu Sjouwerman, KnowBe4 Founder and CEO. “The truth of the matter is that today’s world simply lives on digital data which means there is more and more for bad guys to try to steal. From our vantage point of watching how cybercriminals work and constantly “upgrade” their attacks, we felt it was important to share what we anticipate will happen in 2018. That allows organisations to prepare themselves and train their workforce to make smarter security decisions and create a human firewall as an effective last line of defence when all security software fails.”
KnowBe4 2018 cybersecurity predictions include:
- An exponential growth of the ransomware plague, especially the “as-a-service” strains. The massive ransomware attacks of 2017 aren’t going anywhere. Instead, they will grow exponentially and mutate to gain further traction. We’ll see a rise in ransomware attacks that also exfiltrate data, allowing cybercriminals a second way to ransom data through the threat of exposure. Additionally, ransomware-as-a service will continue to grow and will be the source of a significant percentage of attacks. Custom-made ransomware attacks will be reserved only for very high-value targets.
- Hybrid attacks will be used to distract organisations. We saw it happen in Ukraine last month when Bad Rabbit ransomware served as an obvious and intrusive attack while, simultaneously, a silent, hidden spear-phishing campaign was carried out. We will see this as a new criminal modus operandi through 2018; ransomware infections will be used as a distraction, so the bad guys can accomplish their other more devious goals. Additionally, we should expect to see an increase in multi-vector social engineering attacks leveraging ‘smishing’ (text) and ‘vishing’ (voice) along with traditional phishing (email) social engineering techniques.
- Automation makes detecting attacks harder. Phishing bots and intelligent scraping of social media and the Dark Web will make automated spear-phishing a very real, very hard-to-identify problem. The amount of data stolen in mega breaches over the past year—especially Equifax—makes it easy to automate mass spear-phishing emails that are both highly detailed and very effective social engineering attacks.
- Extortion scams will have a long tail. It’s bad enough to have your data held hostage until you pay a ransom 48 or 72 hours later. As we move into 2018, scams are going to extend that timeline, creating long-term or lingering extortion situations that are an ongoing nightmare for organisations and individual internet users alike. An example of this would be a ransomware attack that demands nude photos of the victim as “payment”, opening the door for continued blackmail.
- Search result tampering will drive users to compromised websites. Whether you call it search “tampering” or “poisoning”, 2018 will see an increase in search results that route users to compromised sites which exploit bugs in the workstation’s software, resulting in a complete take-over of their computer. Users will have to be particularly vigilant if they work in regulated industries such as Financial Services, Insurance and Healthcare, where personal identifiable information abounds.
- Blame-ware and “False Flag” operations will increase. Due to the recent European Union’s declaration that a cyber attack is an act of war, we’ll see more cyber propaganda operations that are engineered to spark conflict between countries, undermine democracies, and destabilize trust globally, making attribution very hard to determine.
Organisations that are not yet leveraging KnowBe4 to train their workforce to make smarter security decisions and create a human firewall as an effective last line of defence can download a number of free tools at www.knowbe4.com to test their users and their network.