10 Cyberthreat Predictions for 2016

Hilary Tuttle


March 1, 2016



Researchers agree that ransomware will continue to spread as a top attack method, with hackers holding data or entire websites hostage until businesses pay up. ThreatTrack Security found 38% of organizations have already been targeted by cyberextortion, and the number of “families” of this type of malware grew more than 600% last year, according to Bromium Labs. Some predict the modus operandi will shift slightly, with more attackers threatening to go public with the data rather than just taking it hostage. McAfee Labs also expects an increase in attacks on financial services and local government entities as they face greater pressure to restore critical operations as quickly as possible.


For years, many hackers have been motivated by the prospect of causing reputational damage, as seen with the Impact Team’s attack on Ashley Madison. These groups have recently receded a bit, however, either scaling back or having prominent members arrested. In 2016, we may see them come back in force, particularly as it is an election year. “This was the new twist to the data breach landscape in 2015, with thieves leveraging stolen data to embarrass or harm companies,” said Michael Bruemmer, vice president of Experian Data Breach Resolution. “If an organization has a polarizing or controversial mission, it should consider this scenario and how it will take care of its constituency should a breach occur.”


Experian and Forcepoint Security Labs anticipate threats specifically pegged to the U.S. election cycle. Experian predicted that one of the presidential candidates, their campaigns and/or major donor bases will likely be hacked, and that the reliance on big data and social media creates significant potential for an attack. Databases of registered voters, donors and other supporters abound, presenting vast amounts of data that are centralized and secured to varying degrees. Forcepoint believes attackers will also use campaign issues to craft better phishing attacks in order to push malware, creating fraudulent emails that appear to stem from political parties, candidates, voter registrations or online petitions.


While your Fitbit does not hold much worthwhile data for hackers to steal, it is a poorly defended entry point to more valuable assets. The data on wearable devices can be used to craft more targeted phishing attacks, and accessing the devices can be a far easier way to get into connected smartphones or broader corporate infrastructure. As McAfee Labs predicted, “Poorly written wearable code will create a back door into your smartphone. Initially, we doubt that a smartphone will be completely compromised by an attack through a wearable device, but we expect to see the control apps for wearables compromised in the next 12 to 18 months in a way that will provide valuable data for spear-phishing attacks.”


According to McAfee Labs’ 2016 Threats Predictions, “The growth in cloud computing will create new vulnerabilities and threats. Traditional network and system infrastructures offered the potential to define clearly a perimeter to secure, whereas clouds and their breadth of organizational boundaries and distributed control points make that task more difficult. Attackers will increasingly target the cloud to take advantage of these frequently ill-defined boundaries.” Hackers may also target the public cloud, which offers a chance to move laterally and breach other virtual networks in the same public cloud. The volume of confidential data stored in the cloud makes an attractive target as well.


In a recent survey by PwC, 74% of small- and medium-sized businesses had experienced a security issue in the previous 12 months, and the widespread perception of these enterprises as “easy targets” will only see that number increase, Sophos predicted. “Lacking the security budgets of large enterprises, SMBs often apply a best-effort approach to security investments, including equipment, services and staffing,” the firm wrote. “This makes them vulnerable as hackers can easily find security gaps and infiltrate the network.” The costs of these breaches can be fatal for a small business, and the incidents can also pose significant risk to the larger enterprises and third parties with which a company works.


Security firm Veracode has found that a third of data breaches stem from attacks on apps, and RiskIQ reports that 17% of the top 150 apps contain malware. The open attack surface of mobile presents an easy target, and it is extremely difficult to defend against mobile malware once an app has been released. New vulnerabilities on the Android platform are revealed regularly and can take months to patch. These vulnerabilities have not yet been exploited, but Sophos predicts the insecurity will be too tempting to ignore in 2016. While iOS has proven far harder to crack, hackers have proven their ability to do so, and the Apple App Store has been hit with a few malicious apps that avoided detection in the vetting process.


Social engineering has exploded as a tool in the hacker’s arsenal, whether these phishing scams spread malware, gain access to an organization’s network or induce wire fraud. Information security and law enforcement experts expect these attacks to continue, taking a significant toll on businesses. In its threat report, Sophos encouraged increased investment in protecting against these psychologically targeted attacks and issued a reminder not to open documents unless users know who sent them and why, and to be wary of prompts to enable macros. The firm has seen a surge in malicious code hiding in macros in seemingly legitimate documents, and expects this to grow in 2016.
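The practical counterpart to the Sophos advice above is to notice macro-bearing documents before a user is ever asked whether to enable them. The following is an added example, not code from the article or from any of the vendors it cites: it inspects Office Open XML attachments for a VBA project part (the `vbaProject.bin` part and its content type), flags a macro project that arrives under a file extension which does not advertise macros, and treats legacy OLE binaries as needing deeper inspection. The sample documents are constructed in memory for illustration; the file names, the `assess_attachment` function and the "unknown" verdict are this example's own conventions, not anything from the report.

```python
# Added example (not part of the article): flag e-mail attachments that carry
# VBA macros, the "malicious code hiding in macros" the Sophos report warns about.
# All sample documents below are constructed in memory for illustration.
import io
import zipfile

VBA_PART = "vbaproject.bin"                                   # VBA storage part inside an OOXML package
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"     # how the package manifest declares it
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"               # legacy .doc/.xls/.ppt container header
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_macros(data: bytes) -> bool:
    """True if an OOXML package contains a VBA project part (by name or by declared content type)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(VBA_PART):
                    return True
            for name in zf.namelist():
                # The manifest still declares the part even if it was given an unusual name.
                if name.lower() == "[content_types].xml":
                    manifest = zf.read(name).decode("utf-8", "replace")
                    return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return False          # not a zip container at all, so no OOXML macros
    return False


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict: macros is True / False / "unknown", with the reasons found."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = {"filename": filename, "macros": False, "reasons": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams this example does not parse,
        # so hand it to a fuller parser rather than declaring it clean.
        verdict["macros"] = "unknown"
        verdict["reasons"].append("legacy OLE container; inspect VBA streams before delivery")
        return verdict
    if has_vba_macros(data):
        verdict["macros"] = True
        verdict["reasons"].append("VBA project present")
        if ext not in MACRO_EXTENSIONS:
            verdict["reasons"].append(f"extension {ext or '(none)'} does not advertise macros")
    return verdict


def _build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal Word package in memory (sample input only, not a real document)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/vnd.'
                 'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed sample attachments: names and contents are illustrative only.
SAMPLES = {
    "quarterly_report.docx": _build_ooxml(False),
    "invoice.docm": _build_ooxml(True),
    "urgent_invoice.docx": _build_ooxml(True),      # macro project behind a plain-looking name
    "old_memo.doc": OLE_MAGIC + b"\x00" * 64,       # legacy container, not parsed here
    "notes.txt": b"plain text",
}


def scan_samples() -> dict:
    """Run the check over every constructed sample and return the verdicts by file name."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:24} macros={verdict['macros']!s:8} {'; '.join(verdict['reasons'])}")
```

A mail gateway or endpoint script would call `assess_attachment` on each attachment and quarantine or tag anything whose verdict is `True` or `"unknown"`; the extension check matters because a user who sees `.docx` has no reason to expect a macro prompt. Detecting the presence of a VBA project is only the first filter: whether the code inside it is malicious needs a real VBA parser and, ideally, detonation in a sandbox.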


The second half of 2015 was punctuated by increased scrutiny and more enforcement actions from regulators regarding the steps companies take to protect customer and employee data. Federal courts have granted the Federal Trade Commission the authority to require organizations to take security seriously and fine them for lapses. Fines for the unprepared or ineffective are also likely to rise due to imminent changes in data protection legislation, including the EU General Data Protection Regulation and the U.K. Investigatory Powers Bill.


Hackers have been breaking into industrial control systems since at least 2006, but as more of these systems are connected and more industries integrate a large number of connected devices and networked systems through the Internet of Things, all are likely to face a wider range of security vulnerabilities and threats. According to iSIGHT Partners’ cyberespionage intelligence practice, hackers caused a widespread power outage in Ukraine this holiday season. Officials also revealed that Iranian hackers infiltrated the control system of a small dam 20 miles from New York City in 2013, just a few years after American spies damaged an Iranian nuclear facility using the Stuxnet computer worm. Kaspersky Labs and other firms have listed targeted attacks on industrial control systems as the biggest threat to critical national infrastructure.

Hilary Tuttle is managing editor of Risk Management.