The security industry has a habit of using terms like “ever-advancing” and “always-evolving” in relation to security threats like malware. After a while those terms seem more like throwaways considering the frequency of use.
But then 2017 happened, and those descriptive words became more relevant.
We’ve seen more victims and breached records, more attack vectors, and a lot more money being extorted. Equifax lost 143 million consumer records in a single data breach, all because they weren’t patching software on a regular basis. The number of records breached at Yahoo! alone may hit 3 billion when it is all sorted out.
In other words, cybercriminals had a banner year in 2017 – financially and otherwise – and it doesn’t look like there’s a bust for this boom anywhere on the horizon.
Case in point: according to Cybersecurity Ventures, the financial damage caused by cybercrime may hit $6 trillion by 2021. If you think that number is staggering, consider the fact that the estimate has doubled since just last year. On the flip side, according to Gartner, cybersecurity technology spending will hit $86.4 billion this year, while Cybersecurity Ventures predicts cumulative spending of $1 trillion from 2017-2021.
Putting this all into perspective, here’s a list of events and evolving trends that made 2017 stand out from the pack, for better or for worse:
1. Cybercrime is Great for the Job Market
Sometimes a very bad thing can bring about a good opportunity. More cybercrime and ever-advancing (see?) attack vectors mean more IT and security personnel will be needed to defend against it all. It’s already hard enough to find security pros to fill open posts, and the growing need will only serve to triple the number of unfilled jobs in security – rising to 3.5 million by 2021, according to Cybersecurity Ventures.
Cybersecurity has never been a bad career move, especially given that this particular segment of the job market has a zero percent unemployment rate.
2. The Growth of the Human Attack Surface
More people on the Internet means more opportunity for cybercriminals. According to TNW magazine, by the end of 2017 more than half (51%) of the world’s 7 billion people will be Internet users. That’s up nearly 100% in two years.
Cybersecurity Ventures goes on to predict that 75% of the world’s population will be Internet users in just four years, with 90% predicted to be online by 2030. In other words, the human attack surface is growing.
3. Cybersecurity Officially Becomes a U.S. Government Entity
Just this week the U.S. House of Representatives passed legislation that will redesignate the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA).
The legislation assures that the agency will be “headed by a Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of US cyber-security, emergency communications, and critical infrastructure.”
These changes go beyond the U.S.: the European Union announced its own data protection regulation in 2016 (GDPR), and its enforcement date of May 2018 is fast approaching.
4. Governments Move to Ban Suspicious Security Software
Earlier this week the U.S. also passed legislation that officially bans the use of security software produced by Moscow-based Kaspersky Labs within civilian and military agencies. This follows concerns back in September that the technology has fallen under questionable influence by the Russian government.
In early December, the U.K. government started to make similar moves to ban Kaspersky software. It will be interesting to see if other security vendors will fall into this no-fly-zone in 2018.
5. Ransomware Goes Big
It’s well known by now that ransomware largely represents the biggest advance in cybercrime this year. The advance is perhaps not in the code itself, but in the scope and depth of the damage it causes. Cybersecurity Ventures predicts the financial costs of global ransomware in 2017 will exceed $15 billion. Two years ago it was merely one-fifteenth of that amount.
Healthcare organizations have seen some of the biggest impact, and it may only get worse. The numbers are high, but they are not hard to believe when you consider that Danish shipping company Maersk will pay about $350 million to fix the damage caused by the NotPetya malware attack in late June.
6. Passwords Can Only Protect When They are Used
According to Verizon’s DBIR, a full 81 percent of confirmed breaches are due to weak, reused or stolen passwords. In our own research on the psychology of passwords, 91 percent of respondents understood the risk of reusing a password, yet 61 percent of them still do. It seems the fear of forgetting a password outweighs what might seem like a remote chance of getting hacked.
These stats ring true when you read about New York’s Stewart International Airport, whose backup systems were discovered to have no password protection. Exposed server data showed that airport staff, over an unknown period of time, did not have access to the TSA’s “No Fly” list. Ouch.
Another example involves data analytics firm Deep Root Analytics, which was hired by the Republican National Committee to gather political information about U.S. voters. A cyber analyst discovered that personal data on nearly 200 million American citizens was kept on an Amazon cloud server without password protection for nearly two weeks.
Deloitte, HBO, Mandiant and several others had a particularly bad year when it came to password security hygiene. Perhaps a better password management system would have helped brace these firms against these breaches.
7. System Not Responding
An anonymous hacker successfully yanked down one-fifth of the dark web in February after he hacked Freedom Hosting, the company that hosts thousands of dark web domains. It gave me great satisfaction to know that cybercriminals around the world were dealing with a whole lot of 404 error messages while their sites went boom.
8. Bitcoin Valuation Cuts Both Ways
We’re ending the year on a different note. The super-fast increase in Bitcoin valuation (now about $16,500 per coin) presents both a plus and a minus for cybercriminals. For those who have already had a good run, collecting bitcoins along the way as ransom or just to run their businesses, it’s a big win.
For those who use Bitcoin as the means of collecting ransom for data held hostage, the approach is going to have to change, or else paying the ransom will be too expensive for almost everyone, not just the modestly sized school system or hospital.
It’ll certainly be interesting to see what 2018 holds. While it may get worse before it gets better, here at LastPass we remain committed to keeping your online information secure, no matter what threats come our way, and to continuing to innovate in this ever-evolving (again!) industry.