1. The U.S. elections cycle will drive significant themed attacks
Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms. In addition to the obvious social engineering of threats around the political campaigns, platforms and candidates, the tools and infrastructure of those involved with the political process will be targeted (ie. Candidates, news sites, support groups). Hacktivists may reveal unwelcomed personal details or use compromised accounts to spread false information appearing to come from the candidate. Security lapses and gaps in defenses will prove costly for those who are not diligent during this time.
2. Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
Hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV. The increase in non-traditional payment methods on mobile devices or via beacons and smart carts will open up the doors for a new wave of retail data breaches.
3. Forgotten maintenance of the Internet will become a major problem for defendersas costs rise, manageability falls and manpower is limited
Like barnacles on a boat, the cost of security maintenance will begin to grow and create massive problems with the Internet and security practices. A surprising number of the most popular websites on the Internet are not as secure as they should be with respect to certificates. Additional problems include: old and broken javascript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc; and new applications built on recycled code with old vulnerabilities. All of these ghosts of Internet past will come back to haunt in 2016.
4. The addition of the gTLD system will provide new opportunities for attackers
The number of gTLDs as of November 2015 exceeds 700 domains, and about 1,900 more are in the waiting list. As new top-line domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
5. Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
Insurance companies will mature their offerings with qualifications, exceptions and exemptions allowing them to refuse paymentfor breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements (PCI, HIPAA, ISO 27001).
6. The Internet Of Things (IOT) will help (and hurt) us all
The boundaries between corporate and personal devices have become blurrier, causing increasing friction and security challenges affecting critical infrastructure. Industries that utilize a large number of connected devices and networked systems in the course of their everyday business, such as healthcare, are likely to face a wider range of security vulnerabilities and threats.
7. DTP adoption will dramatically increase in more mainstream companies
As a result of the very public breaches of 2015, predicted changes in cyber insurance, increased visibility in the boardroom for all things cyber and continued worries about data loss, there will be a more aggressive adoption of data theft prevention strategies outside of its traditional financial services installation base.The prevailing assumption among security teams will become ‘we are already compromised” to help them strengthen their ability to deal with the inevitable.
8. Societal views of privacy will evolve, with great impact to defenders
Increasing frequency of data breaches, such as the many seen in 2015, are changing the way we think about personally Identifiable Information (PII). Further breaches and loss of PII will drive major shifts in the way in which privacy is perceived. Just as the last decade saw the introduction of “the right to be forgotten,” anticipate that within the next decade similar large shifts in privacy rights and expectations will emerge.