5 cybersecurity threats that crushed businesses in 2016
Almost everyone was affected by cybercrime last year. Cybersecurity threats ran wild. Distributed denial-of-service (DDoS) attacks took down Netflix, Amazon, and Reddit, among others. Business email compromise (BEC) affected the Democratic National Convention (DNC), which accidentally made cybersecurity an unofficial theme of the 2016 presidential election. If your brush with the front lines of cybercrime was limited to a few hours unable to stream Netflix, count yourself lucky.
If the thought of 2017 security trends makes you want to hide your head under a pillow, you're far from alone. Criminals are getting slimier and greedier, which means it's officially time to bite back. Last year, the top cybersecurity offenders were mobile malware, ransomware, identity theft, and third-party attacks—and some things haven't changed. Join us as we review five major security themes of 2016 and what they mean for the months to come.
1. Ransomware
Way too many companies suffered a fiscal hit all because one guy opened the wrong attachment. Ransomware can enter your system in a number of ways, but these attacks place a lock on your system or data until the fee is paid. Security expert Evan Bundschuh believes the cybercriminals behind ransomware attacks will only get greedier in the months to come, anticipating demands in the $50,000–$100,000 range.
This is really serious. Researchers are saying more than 50 percent of businesses have been hit with ransomware, and it's now security pros' top fear. There's even been mass confusion about the FBI's recommendations; in the past year, they changed their position from "don't pay" to "pay," and no longer dispense advice. What you can do is improve perimeter and email security, and make sure you've got frequent offline/off-site backups criminals can't lock.
2. DDoS attacks
This just in—cyber attacks against IoT devices tripled in the last year. By the end of the year, 90 percent of all security attacks were directed at connected devices. Even if your organization's router wasn't recruited to a botnet army, you likely felt the burn of the Mirai Dyn attack that took down Reddit, Netflix, Amazon, and virtually all our favorite web services.
Forensics of Mirai indicate that the attack didn't require particular sophistication, thanks to the massive number of connected devices with poor built-in security, default passwords, or missing credentials. If you haven't updated your IoT security credentials or invested in printers and other devices with up-to-date security, the time is now.
3. Advanced persistent threats (APT)
Advanced persistent threats may not have received the same level of attention as DDoS in 2016, but they were happy and active in its shadow. Highly sophisticated malware remained the scourge of many businesses. In one case, the super-complex StrongPity watering hole attack, which security analysts described as "quite clever," affected hundreds of international systems.
If you really want to feel scared, think about the fact that cybercriminals and their malware are getting smarter. They're also not uniform; some sources estimate that over 400 million unique strains of malware have been identified since 2013. Use this messaging as inspiration to get super active about security. We don't know exactly what next year's worst malware will look like, but we know it'll be ugly.
4. Cybercrime marketplaces
Cybercrime is beginning to look less like some pimply kid in his parents' basement and more like e-commerce stores and tech startups. Despite the shutdown of one major DDoS-services-for-hire forum, there's really no decrease in the volume of attacks. Flashpoint director Allison Nixon states that sophisticated hackers are attracting clients through above-board marketing, like paid advertising and search engine optimization, and e-commerce sites.
What you should take away from all this is that the latest trend in crime marketplaces is the sale of access to your network. That's right—if some script kiddies get you with phishing, they may sell credentials to a truly scary group. Security CEO Israel Barak believes that this gross, growing industry is just more proof you need to think about security in terms of broad protection, not on a per-threat basis.
5. Business email compromise
Ever heard of John Podesta? The infamous DNC email hack of 2016 was just one example of BEC. While methods of gaining control over a target's email can vary, Podesta was tricked by a fake password reset link. Forbes also points to malware-containing files and links as ways BEC can originate.
Even if your email doesn't contain sensitive information—news flash, it probably does—you should worry about BEC. If you're a CEO, a hacker can use access to your actual email to impersonate you, gain information, or do pretty much whatever else they want. Some sources predict BEC will overtake APT as a major source of headaches in the year to come.
No one is safe in the year to come. It's a hairy world out there when it comes to cybersecurity threats that could continue to crush organizations. Let's be real: You'll probably be the target of an attempted DDoS, BEC, APT, or another form of attack. But the inevitability of a security issue doesn't mean you're out of luck—it just means that victory with a secure network and endpoints will taste all the sweeter.