1 January 2016

16 Predictions for 2016

DECEMBER 27, 2015 / BY DAN LOHRMANN
The Top 16 Security Predictions for 2016
More security predictions than ever before. As I examined hundreds of expert forecasts for 2016 and beyond, with cyber trends and predicted technology events from top companies, it is hard to be optimistic about our online situation. And yet, the combined predictions tell us an important story about online life. So where is cyberspace heading? What surprises await us? Here's your annual one-stop roundup of what security experts are telling us will happen next.
As top security companies, technology magazines, cyber experts and security bloggers came out with their predictions for 2016, it is clear that the global cybersecurity industry continues to lose ground to the bad guys online.

As a reminder, and for those who like to keep score, here is a list of the top security predictions that were made last December for 2015, the year that is ending this week.
Also, in this 2015 year-end summary, I explain how 2015 was the year that data breaches became much more personal — even intimate.

So what can possibly get worse (and hopefully better) in 2016? Only time will tell for sure — but thousands of security gurus give it their best shot each year. In order to help, I compile their wisdom into one place for easy access.
Therefore, here’s my “Guide to 2016 Security Predictions,” for readers who want to see the specific company prediction details as we head toward New Year’s Day 2016. If you want to jump to conclusions, my cyber prediction award-winners follow at the end.

The Top 16 Security Predictions by Company or Magazine

1) Symantec: Symantec leads with attacks on the Internet of Things (IoT) and Apple iOS attacks growing dramatically. An impressive Symantec list of 2016 security predictions overall.

2) Last December, Raytheon/Websense successfully predicted 2015 health-care concerns in their security predictions overview. This year, Raytheon/Websense leads with predictions about attacker trends (increased abuse of newly created infrastructure), end-user behavior in a post-privacy society and evolving business behaviors as a result of cyberattacks and data breaches — including a surge in cyber insurance.

3) McAfee (Intel Security): McAfee Labs offer a five-year cybersecurity look ahead in infographic form. They predict a growing attack surface, difficult-to-detect cyberattacks, new device types and much more. They also cover growth in “integrity attacks” where hackers change the data to do harm.

4) FireEye: FireEye offers a free prediction report on their 2016 webcast, which leads with security concerns with Apple devices in 2016 as well as IoT security problems.

More sophisticated forms of ransomware attacks.

Also, there will be “Increased Attacks on Industrial Control Systems.”

5) Trend Micro: Trend Micro leads with “2016 will be the year of online extortion.” Second, “At least one consumer-grade smart device failure will be lethal in 2016.”

I really like Trend Micro’s presentation of their 2016 security predictions. In fact, I give them top honors for the best online graphics, clearest presentation, and easiest-to-understand security prediction summary of all security companies and bloggers I reviewed. After each straightforward prediction, you can click on the button to get more details.

6) Kaspersky: The Kaspersky blog offers a nice narrative of various cyber trends that could lead to major events in 2016. Some of these include: “Blackmailing and squeezing money for stolen photos and hacked accounts.”
Also, car hacks will grow: Culprits probably won’t focus on the systems themselves, but rather on the special protocols, which are implemented to enable communications between cars. “Compromise them — and you’ll be able to send fake commands to cars. These actions can lead to crashes of expensive cars and even to lethal consequences. ...”

7) Sophos: Sophos offers their 2016 cybersecurity threat predictions. Like others, they lead with mobile threats rising, IoT platform vulnerabilities and small and medium-size businesses (SMBs) seeing more attacks.

8) Alert Logic: Alert Logic offers some optimistic 2016 predictions about the cloud — such as: “2016 will be the first year people choose cloud because of the security benefits.” This sets them apart and puts them in the top group.

9) Network World: Network World’s Jon Oltsik again offers this list, a bit different from other predictions. Leading his 2016 prediction list were: “Greater focus on cyber supply chain security, and the consumerization of authentication.” He also predicted that cyber insurance is set to boom (with others who predicted this).

10) IDC: IDC offers many technology predictions for the CIO Agenda, with #6: By 2016, 70% of IT organizations will shift their focus to advanced 'contain and control' security and away from a perimeter mentality.

"It's time for organizations to reframe their security from the old, reactive threat-oriented model to an advanced, proactive, predictive, and integrity-oriented approach," says Mike Rosen, vice president of research with IDC's IT Executive Programs (IEP).

11) IBM: IBM offers several intriguing 2016 security predictions. A few include:
(More) companies and governments to use block-chain encryption.
Cyber intelligence as a service is coming.
Vulnerability curators will become prevalent.
More data breaches will lead to spikes in cyber-spending.
Financial orgs create own fusion centers — leave managed security services.

12) Computer Science Corp. (CSC): Dan Hushon, CSC’s chief technology officer, offers technology trends to watch. Some predictions are on security such as: “As context increases, cybertargets increase.” That is, as data becomes more contextually rich, it becomes more valuable to the enterprise — and to cybercriminals as well.

13) Business Insider offers: “How vulnerable IoT devices are changing the cybersecurity landscape.” This is a deeper look at vulnerable IoT systems:

- Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products.

- Hackers could exploit these new devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.

- Investment in securing IoT devices will increase five-fold over the next five years as adoption of these devices picks up.

14) Forbes Magazine Online: Forbes leads their security prediction list for 2016 with the “leadership over luck theme.” Here’s an excerpt:

Unfortunately in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy. ...

15) LogRhythm offers 10 interesting predictions such as: “An uptick in all-in-one home surveillance systems.”

We are seeing more motion sensing/camera/recording devices in the home that can be managed through personal devices. This type of technology will continue to expand, and with this expansion, hackers will try to exploit them or cause chaos.

Also: A rise in the use of mobile wallet apps. Like having virtual money and an ID in one’s pocket, mobile wallet apps are at the intersection of marketing and payments. And although a mobile wallet is convenient, it is directly tied to one’s mobile phone, which is a critical access vector for cyber threats.

16) Imperva: Imperva has some fascinating and big predictions worth reading, including contractors getting more scrutiny in “Cyber Pat Downs.”

Some of the other notable predictions include lists from eWeek (on IoT changes coming), CIO Magazine, Microsoft, Gartner, TheVarGuy (who says security still gets top bill in 2016), Forrester, SC Magazine, Varonis, Infosecprofessional.com and Threatstream.

Some lesser-known lists include: The Hacking Insider predicting a big round of security mergers and acquisitions in 2016 as big companies scoop up smaller ones.

SafeBreach thinks more breaches will be triggered by third parties.

Also, here’s an industry trend prediction: Fortune Magazine says that the cybersecurity start-up boom will end in 2016. I’m not so sure, but it is a bold prediction.

Finally, Informationsecuritybuzz.com predicts that CISO roles will be expanding and will become much more complex.

Security Prediction Accolades:

And the category winners are …

Best Overall Series of 2016 List of Security Predictions: Trend Micro for their clarity, simplicity (easy to understand), helpful Web presentation and supporting prediction details. (Be sure to click on the red button at the bottom.)

Most Upbeat: “2016 will be a very good year for cyber-security professionals.” I couldn’t find any predictions saying fewer data breaches, fewer online problems or better global cybersecurity overall. However, SC Magazine pointed out the silver lining for cyber pros. SC Magazine UK

Most Popular: New IoT cyberattacks in many different consumer and professional categories. Data breaches causing harm in many IoT categories, from cars to homes to hospitals to wearables. (Almost everyone is predicting this.)

Most Overlooked: “Emergence of hacking for good.” More organizations, like Anonymous, will be leaving the dark side and hacking for the public good. They are more motivated by the notoriety and publicity on social media than for financial gain. Teens are learning to program on their own; high schools are introducing technology and coding to get this generation aware of and more proficient in this industry. LogRhythm

Runner-up for Most Popular: More mobile malware, including a surge in new mobile ransomware. This security prediction was big last year as well, and includes mobile payment systems. (Again, just about everyone.)

Some scary twists on this theme might be a ransom needed to start your car? This would be very bad publicity for cars — even worse than last year’s Jeep hack, which seemed theoretical to most people.

Most Long-term Impact: “Companies and governments will begin to use block-chain encryption to protect against cyberthreats.” IBM


Also tied is “Ad blocking will shake up the advertising industry and destroy malvertisements.” Trend Micro

Most Geopolitical: “A look ahead at the future of war.” Defenseone.com — This piece offers many cyber and traditional security topics, including: “The Post-Post-Snowden World” and “Drone Regulation and Cyber Testing.”

Runner-up for Geopolitical: “Cyber criminals walk into the arms of terror groups.” Zscaler

Terror organizations are continually searching for new avenues to instill fear and require significant funding to fulfill their hateful agendas. Skilled hackers can aid on both fronts. Cyberattacks can clearly be used by terrorists to obtain intelligence for future attacks and we’re already seeing early signs of cyberattacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace.

Most Unique: Growth in Integrity (of data) Attacks — McAfee predicts bad guys will start to change data rather than just stealing it in 2016.

Most Professionally Relevant: The changing position of the CSO — reporting to a board. Historically the CSO has reported into the CIO, as security was considered a component of IT, but this is changing. A recent Palo Alto Networks report highlighted Europe as the only region to show a sizable shift from CISO/CSOs reporting to the CIO, moving from 50% in 2012 down to 33% in 2015.

Focus on cyber, its value and its impact is increasingly making it a board-level debate and elevating the investment and engagement, moving the CSO from a technical lead to a business risk leader. Information-age.com

While this trend has been around for a while, will 2016 be the year that CSOs and CISOs have a new org structure?

Prediction Needing Most Enterprise Office Attention: “Multi-factor authentication (MFA) will become more ubiquitous. It will be leveraged in the identity management platform to secure all applications rather than being restricted to individual apps.” David Meyer, co-founder & VP of Product Management at OneLogin

Least Likely Prediction: “The Cybersecurity Startup Boom Will End in 2016.” Fortune

Really? Will our global security needs go away? I don’t think so, with all of the predicted problems. Of course, a big recession in the USA could cause this — but not the Internet need for more innovation in cyberspace security.

Most Scary: “The lights will go out from a cyber breach.” A big critical infrastructure breach is coming. Unlike last year, numerous companies predict a major hit to the supply chain or utility companies. Is a cyber Pearl Harbor coming? (Many predictions of this.)

Also, “At least one customer-grade smart device failure will be lethal.” Trend Micro

Most Specifically Bold: “New warehouses of stolen data.” Stolen personally identifiable information sets are being linked together in big data warehouses, making the combined records more valuable to cyber attackers. The coming year will see the development of an even more robust dark market for stolen personally identifiable information and usernames and passwords. McAfee

Sounds as if the bad guys will catch the “big data” vision ...

Most Creative: “BoT - Botnet of Things” - Imperva

Most Likely: Political hacking — The use of social media will be a key factor in the race for the White House (and other parliaments of countries worldwide), just as in many other electoral issues. The power of social media is phenomenal; it will make or break even the best.

Irrespective of which media is used and no doubt there could be even more mediums to choose from by the time the next election is on us. A key factor here is that ‘personal’ data of the candidates will be used and at ‘risk. ...’ Security Gladiators

This has already happened once in 2015, and will certainly happen again in 2016.

Top Outside Factor Affecting Cyber Crime: Bad guys getting better and meaner. “The Battle Between Ransomware Gangs and Malware Distribution Networks Will Heat-Up.”

From early beginnings in Russian-speaking countries, ransomware has evolved and spread into Western Europe, the United States, Canada, Australia, Europe and Asia. It is likely that some of the gangs responsible for the original ransomware are part of this expansion, but other established criminal gangs are also becoming involved. Clearly, the fraud is profitable for criminals and is likely to increase. Symantec

Newest Malware Prediction: “The emergence of Ghostware.”

In 2014, we predicted the emergence of “blastware,” malware designed to destroy both itself and the host system if it was detected by antivirus software. Rombertik, though somewhat overblown in the media, gave the first hint of what this kind of software could do to infected systems. We expect blastware to continue to surface, especially in cases of hacktivism and state-sponsored cybercrime.

However, ghostware takes this concept further. Whereas blastware leaves the ultimate indicator of compromise (a crashed or disabled system), ghostware is designed to extricate data and then erase indicators of compromise before it can be detected, making it very difficult for organizations to track the extent of data loss associated with an attack. Fortinet


Happening in 2015 but Growing Stronger in 2016 Trend: “Security Gamification and Simulation Will Tackle the Security Awareness Challenge.”

Internet security relies on the human element as much as it does on technology. If people were more skillful, they could help reduce the risks they faced. This is as true of consumers avoiding scams as it is of government employees avoiding the social engineering in targeted attacks.

In this context, security gamification will be used to turn “the desires of the moment” into lasting changes of behavior by using the psychological rewards and instant gratification of simple computer games. Security Gamification could be used, for example, to train consumers to be wary of phishing emails or to generate, remember, and use strong passwords. Symantec sees a big market opportunity and a great need for this kind of training in 2016.

(Note, for full disclosure: I work for a company that is already implementing security awareness training using gamification, interactive content and fun techniques that bring culture change and huge benefits. Trend is accelerating.)

Final Wrap-up with a Summary of Prediction Trends

Last year, the hacking critical infrastructure theme was much more muted in security predictions for 2015 than in predictions for 2016. Almost every major security company predicted some major life-altering utility (such as power) outage as a result of a cyberattack against utilities or supply chains. Reports and white papers released in 2015 backed up these assertions, so it may be time to buy that generator or dust off your 72-hour emergency plan.

What is missing? Not much on a hospital medical device being hacked to cause a serious health issue(s) or even death.

Trend Micro did say that “At least one consumer-grade smart device failure will be lethal in 2016,” but that is not the same as predicting murder by cyberattack.

After a drone almost hit this skier, perhaps a consumer (non-military) drone will cause serious harm in 2016 after being hacked.
Or, what about a successful cyberattack on Wall Street or on an air traffic control system or plane?

While these dramatic predictions seem almost movie-like, they mask a broader set of cyber trends that are accelerating as we head into 2016:

- Physical and cyber threats are merging as never before.

- A rise of the significant impact from insider threat and blended cyber threats.

- Shortages in skilled cyber professionals continue to grow as threats increase. Indeed, new products are being released with vulnerabilities. History is repeating itself with cybersecurity.

My thanks go out to all of the great security predictions and companies that continue to put such a huge emphasis on this end-of-the-year ritual each November/December.

Finally, because we are in the midst of difficult and often discouraging cyber battles, I leave you with these three quotes from Winston Churchill:

- "I always avoid prophesying beforehand, because it is a much better policy to prophesy after the event has already taken place."


- "If you're going through hell, keep going."

- "Success is not final, failure is not fatal: it is the courage to continue that counts."

How will online events play out in 2016? We shall know soon enough.
