Data breaches and ransomware took center stage in 2017. Not surprisingly, they will continue to cause concern for companies worldwide in 2018. However, these types of attacks are not the only ones you need to consider when developing your security and data privacy strategies. Experts are making some alarming predictions on what companies might have to face in 2018. Here are four predictions you should be aware of:
1. Cybercriminals Will Scam Businesses Out of $9 Billion Using Nothing More Than Emails
Posing as executives, suppliers, and other trusted contacts, cybercriminals use highly personalized emails to scam businesses out of money. The U.S. Federal Bureau of Investigation (FBI) refers to these attacks as Business Email Compromise (BEC) scams. Trend Micro predicts that losses from BEC scams will exceed $9 billion in 2018.
In a BEC scam, cybercriminals first obtain the information they need to carry out the attack. They might send out phishing emails that try to trick employees into divulging details about the business or the individuals within it. Alternatively, the phishing emails might install malware that obtains sensitive business data, such as financial account records. Social engineering techniques are also used to get information. For example, cybercriminals might call the company or visit social media websites (e.g., LinkedIn, Facebook).
Once the cybercriminals have the information they need, they create a BEC email that looks like a legitimate email from that business or from an organization it does business with (e.g., a supplier). They spend a lot of time creating each email in the hope that its legitimacy will not be questioned. There is a lot at stake — the average payoff of a successful BEC scam was $67,000 (USD) in 2017, according to Statista.
2. IoT Attacks Will Surge, Thanks to Hackers’ Greed and Devices’ Poor Design
In the past, hackers typically conducted Internet of Things (IoT) attacks to cause mayhem. For example, in April 2017, hackers unleashed malware that damaged the systems of Internet-connected devices —better known as Internet of Things (IoT) devices — so extensively that the devices became useless.
Forrester researchers believe the focus of IoT attacks will change in 2018. Rather than trying to create chaos, hackers will increasingly use vulnerable IoT devices to access networks in order to steal sensitive data and spread ransomware. Once hackers know there is money to be made, there will be a surge in the number of IoT attacks.
Also fueling the increase in the number of attacks is the fact that many IoT devices are not secure by design, according to Trend Micro researchers. Plus, patching IoT devices can be difficult if they are in hard to reach locations (e.g., security camera mounted on a wall) or built into machinery. All it takes is one vulnerable device to become an entry point to a network.
3. Not Taking GDPR Noncompliance Seriously Will Cost Some Companies Dearly
Starting on May 25, 2018, companies that conduct business in the European Union must adhere to the General Data Protection Regulation (GDPR). However, Gartner analysts predict that more than 50% of companies affected by the GDPR won’t be in full compliance with its requirements by the end of 2018, let alone the May deadline.
GDPR is designed to protect EU citizens from privacy and data breaches. Noncompliance with this legislation can result in hefty fines. The maximum fine, which is reserved for the most serious violations, is €20 million (around $24 million USD) or 4% of a company’s annual global turnover (whichever is greater). The fine structure is tiered, so companies with less serious infractions will incur smaller fines.
There are several reasons why companies might not be in compliance with GDPR. For starters, they might not realize that they need to comply. Even businesses located outside of the European Union fall under GDPR’s jurisdiction if they have customers who live there. Any organization that processes or holds the personal data of EU citizens is required to comply.
There is also confusion as to what constitutes personal data. A 2017 Trend Micro survey of more than 1,000 businesses worldwide revealed that 64% are unaware that customers’ birthdates are classified as personal data. Similarly, many companies do not consider customers’ physical addresses (32%) and email addresses (21%) to be personal data.
4. Hackers Will Increasingly Use Cryptojacking to Steal Computers’ Processing Power
When people visit websites, their web browsers run scripts provided by those sites. These scripts enable the visitors to see, hear, and interact with the sites. Some scripts, though, have a more sinister purpose. They hijack the computers’ processing power without the visitors’ knowledge or consent. This power is used to mine (aka earn) cryptocurrencies such as Monero and Bitcoins. This type of attack is known as cryptojacking.
Cryptojacking activity increased significantly at the end of 2017, according to researchers at Malwarebytes. They expect there will be a lot more of this activity in 2018. While cryptojacking started as a way for website owners to earn more money, cybercriminals have now jumped on the bandwagon. In addition to adding these scripts to their own malicious web pages, they hack into legitimate sites and insert the scripts in them.
Although cryptojacking is not used to steal data from computers or extort money from their owners, it can be detrimental to businesses. The extra load on the processors can make the computers sluggish, which can hurt productivity. It can also cause processors to overheat, which might lead to computers freezing or crashing. Plus, cryptojacking can result in a higher utility bill. One experiment found that it can add as much as $5 a month per computer in the United States.
Be Prepared for What 2018 Might Bring
Which of these dangers your company might face depends on many factors, such as where your customers are located and the extent to which your employees use email and web browsers. We can assess your organization and help you develop effective security and data privacy strategies to mitigate the risks.