There were a few things that caught us by surprise in 2017. It’s good to reflect on those when thinking about the future. The first was the rise of quasi-legal click harvesting and cryptocurrency mining as ways to make money. Criminals are finding ways to make money while staying on the right side of the law (or at least hanging out in the gray area). The other trend we saw was on the defense side: we are seeing companies rolling out security programs very successfully after an attack has occurred. It turns out that some executives need proof of what can happen before committing resources to the problem. Though that makes sense as far as human psychology goes, we continue to encourage our customers to think proactively to avoid the trouble in the first place.
We suspect that 2018 will continue to bring new challenges on the security front, including everything from run-of-the-mill invoice phishing to highly targeted spearphishes that go well beyond CEOs and CFOs. Here are our full security predictions for 2018.
User Education Will Prove Successful
Since phishing attacks are still one of the most common threat vectors today, user education is an excellent place to focus your security resources for 2018. We expect to see strong continued adoption of these types of programs, especially at small and midsized businesses that can’t afford a huge security team.
The user education programs that will be most successful are the ones that are hands-on, have executive buy-in, and leave the door open for employees to report suspicious activities spotted in the wild. For details on how to do this, review our set of tips on how to build a successful user education program.
Consequences for Clicking
We are also starting to see a trend toward businesses doling out consequences to those who click on phishing attacks and other online threats. As executives become more aware of phishing attacks, there will be more human resources consequences for people who click on them. We have heard about whole departments being terminated for not following the organization’s policy around wiring money. While this may not be the best way to deal with threats over the long term, we do expect to see more of these types of consequences in 2018.
Social Engineering Will Ramp Up
Fraud attacks continue to work, especially those that rely on social engineering. While W-2 fraud and CEO fraud are already quite common, we suspect there are new vectors coming in 2018 (if only we could look into a crystal ball and tell you what they will be!). We believe attackers will be looking for ways to bring scale to social engineering attacks and increase their effectiveness.
While these types of attacks can be quite sophisticated, they can still be defeated with really strong user education, so we recommend that you continue to place your focus on educating the whole organization about potential attacks, current ongoing threats, and ways to keep the organization secure.
Phishing Can Be an Opportunity
On the defensive side of things, here’s a new way to look at attacks: while you may get a lot of griping and pushback when you try to implement a new security measure like multi-factor authentication or password management, you’ll get less of it if you implement it right after an attack occurs.
Organizations tend not to be very friendly to this type of change, but that’s not true when it’s a direct response to a phishing attack. So use this opportunity to talk to folks and build a relationship. Create an open-door policy so they will report strange emails, and change the relationship folks have with security. Then use the window to implement tools like MFA that will keep the whole organization safer.
Power of the People Will Win Out
Amid all of these attack vectors and increasingly sophisticated threats, getting people to report phishes and stopping any clickers you have still stands the best chance of defending your organization successfully. We strongly recommend that, in addition to investing in user training like on-demand phishing education, you also choose a DNS-based security solution that includes the ability to report phishes.
Through the iterative approach of training, protection, and retraining any clickers, you can better protect yourself from social engineering attacks like phishing.
Want to give it a try? Sign up for a free 30-day trial of Strongarm and start 2018 out on the right foot.
This is a Security Bloggers Network syndicated blog post authored by Todd O'Boyle. Read the original post at: Speaking of Malware | The Strongarm Blog – Strongarm Malware Protection