What is the format?
Each year we ask security professionals to tell us what they think the single biggest security threat of the following year will be along with a one sentence explanation. This is a totally subjective answer (and many individuals naturally highlight problems that relate to their own solution).
What are the findings?
Out of 72 usable responses we found a strong leaning towards ransomware (11 responses) and employees (12) while IoT (6) and threats to critical infrastructure (5) were also raised by multiple individuals. The responses have been grouped below in the following sections:
- Employees (12)
- Ransomware (11)
- Repeated responses (14)
- Other suggestions (35)
How does this compare to results from the last couple of years?
Last year the single biggest threat suggested by security professionals was the Internet of Things with 26 responses, while ransomware – which has probably been the biggest threat of 2017 – was only mentioned twice.
In 2016, 14 of the experts we spoke to suggested employees and this seems to be firmly back on the list for next year.
Results of previous polls can be found here:
- What will be the single biggest security threat of 2016?
- What will be the single biggest security threat of 2017?
What did individuals have to say?
All usable responses are cut down to a single sentence and grouped by theme below.
Always the people
The reality is that your employees are and almost certainly will always be the biggest threat to cyber security.
Tim Hall, CTO at Blue Logic
The ‘soft underbelly’
Whether they are the negligent executives that fail to implement proper cybersecurity policies, unwitting insiders that fall victim to phishing emails, or naive employees that fail to appropriately patch and update their computers, people remain the soft underbelly that malicious actors will exploit to compromise an organisation.
Steve Lakeman, research team at ThreatConnect
Criminals more professional than the target
Cyber criminals are more professional, sophisticated and well-organised than ever before, which makes it tough for end-users to properly defend themselves - a ‘patch-work’ approach simply will not suffice, and digital cyber security must be a continuous and on-going process to succeed.
Eric Berdeaux, CEO at OXIAL
Taken for granted
Technology plays a massive part in our lives today, so much so that we typically take it for granted.
Richard Kennedy, Director of Cloud Services & Infrastructure at Xperience Group
The biggest cybersecurity threat in 2018 will be the one that catches organisations unaware; the malicious insiders that are even now quietly syphoning off data and secrets from their most secure databases, by taking advantage of a mainframe blind-spot that research shows exists in 84% of global organisations.
John Crossno, Product Manager at Compuware
People are your greatest asset – and vulnerability
As phishing attacks become more sophisticated and socially engineered attacks continue to rise, the real target isn’t infrastructure – it’s the user.
Joe Diamond, Director of Security at Okta
Junior staff often care less
Companies need to be aware of the threat of rogue insiders, particularly when it comes to people in more junior positions with access to sensitive data, who may be disillusioned or less security-savvy than more senior staff.
Andrew Avanessian, COO at Avecto
Insecure user behaviour
The single biggest security threat for 2018 will be the same as it was in 2017 – users – we need to accept that users will continue to behave insecurely, and deploy systems that will protect them by design when they make mistakes.
Fraser Kyne, EMEA CTO at Bromium
The inflection point for insiders
Cybercriminals, like any good business, are looking for the most cost effective model to achieve their goals; 2018 may be the year of an inflection point where it is more cost effective to utilise insiders instead of producing malware, resulting in a dramatic decrease in the amount of malware discovered.
Tim Brown, VP of Security at SolarWinds MSP
End user ignorance
Cyber security is still being treated as an IT issue and yet most of the biggest breaches resulted from some muppet clicking on a phishing email link, plugging a USB in or doing something just plain stupid, so how many companies now run regular cyber threat awareness update sessions for their staff (all staff!)?
John Davies, Director at Pervade Software
Privileged accounts holders
Users with elevated or privileged rights are still the primary target for hackers, and the tendency in recent data breaches shows that once passwords are stolen, organisations struggle to detect harmful actions executed with hijacked accounts - unless they can spot abnormal behaviour of their users.
Csaba Krasznay, Security Evangelist at Balabit
People are the weakest link
People are the weakest link in any organisation’s security chain – if cyber criminals can get through to employees, they are almost certain to be successful in hacking into the organisation.
Martin Ewings, Director of Regional Sales and Specialists Markets UK&I at Experis
Beyond WannaCry and Petya
We expect to see an increased number of ransomware attacks on higher value data, even more damaging than WannaCry and Petya; military institutions and banks could be next on the hit list, as hackers might look to exploit these hugely powerful institutions for even bigger financial benefits.
David Navin, Corporate Security Specialist at Smoothwall
The first house will be held to ransom
Hackers may go as far as locking owners out of their houses – by infiltrating their smart locks – until they pay to get back in.
Jason Hart, CTO of Data Protection at Gemalto
I think commodity ransomware will continue to be the biggest threat in 2018 - almost everyone is a target, and the effects can be devastating.
Chris Doman, Security Researcher at AlienVault
A lucrative revenue stream
Ransomware will continue to be a key threat next year – it’s neither new nor novel but it’s simple to write, has been proven to be effective, and can be an incredibly lucrative avenue for hackers to exploit.
Holly Williams, Penetration Tester at Sec-1
‘Go to’ strategy for criminals
As long as organisations remain vulnerable to attack and slow to recover, it will continue to succeed as a ‘go to’ strategy for cyber criminals.
Gary Watson, Founder and CTO at Nexsan
Beyond “spray and pay”
Ransomware will become more targeted by looking for certain file types and targeting specific companies such as legal, healthcare, and tax preparers rather than “spray and pray” attacks we largely see now.
Brian Baskin from the Threat Analysis Unit (TAU) at Carbon Black
Higher and higher ransoms
Targeted ransomware, because when essential services are targeted specifically, the value of the locked data is huge and the consequences are vast – meaning, the cyber criminals can demand higher and higher ransoms.
Linus Chang, CEO and Founder of Scram Software
Personally identifiable information
GDPR comes into effect next year and has the potential to carry very large fines for companies handling the PII of EU citizens; malicious parties may see this as an easy way to make financial gains by targeting PII in attacks and holding it to ransom.
Thomas Fischer, Global Security Advocate at Digital Guardian
Targeted for impact
Having witnessed the impact of this year’s high-profile ransomware attacks, such as the one that almost brought down the NHS, ransomware will continue to be even more targeted in 2018 as hackers seek top businesses, banks, healthcare institutions and other national-critical organisations to implement even more vindictive, sneaky, and potentially life-threatening attacks –leading to panic if organisations are unable to detect and stop incoming attacks quickly, before damage is done.
Ross Brewer, VP and MD of EMEA at LogRhythm
A targeted ransomware pandemic
In 2017, disruptive ransomware has become the weapon of choice for cyber-criminals due to monetisation which reflects the successful digital transformation of organised crime – as is evident from the nearly daily reports of cyber-attacks in the press, I only see this threat getting worse in 2018.
Chris Goettl, Manager, Product Management for Security at Ivanti
Linux ideal target
Ransomware will increasingly target Linux systems in an effort to further extort larger enterprises - for example, attackers will increasingly look to conduct SQL injections to infect servers and charge a higher ransom price.
Param Singh from the Threat Analysis Unit (TAU) at Carbon Black
Reports already show an increase of 280% in IoT attacks in the first half of 2017 alone, this will increase in 2018 with more and more devices becoming connected.
Patrick Clover, Founder of BLACKBX
The home front
The IoT-connected world that surrounds each and every one of us is getting more complex, sharing more of our data in evermore opaque ways and getting less easy for the average user to understand, let alone to have any hope of controlling a perfect security storm.
Nigel Harrison, CEO at Cyber Security Challenge UK
The unknown rising threat of IoT and botnets
We have already seen what IoT devices can do when pooled together by hackers to conduct a DDoS attack, imagine what will they be able to do when re-provisioned for Web Application, Credential Abuse or over the horizon threats.
Jay Coley, Senior Director of Security Planning and Strategy, EMEA at Akamai Technologies
The interface between the cyber and physical world
Proliferation of Attacks against Internet of Things (IoT) and Operational Technology (OT) such as Industrial Control Systems: These systems are the interface between cyber and the physical world and are poorly secured against attack and successful compromises have life safety implications.
Chris Day, CSO at Cyxterra
IoT security is non-existent
The biggest security threat relates to the Internet of Things and it finding growing acceptance - in cars, computers, even scales; but IoT security is non-existent.
Frederik Mennes, Senior Manager of Market & Security Strategy, Security Competence Center at VASCO Data Security
IoT a gateway to businesses
Due to the perfect storm of sprawling supply chains, rampant outsourcing, and the rise of IoT, 2018’s biggest security risk could be Third-party Access Point Attacks or TAP Attacks, in which hackers target businesses via vulnerable suppliers and partners.
Andy Waterhouse, EMEA Pre-Sales Director
The biggest cybersecurity threat in 2018 will be to critical infrastructure — their corporate IT networks as well as operational technology (OT) including devices for industrial control systems (ICS) and supervisory control and data acquisition (SCADA).
Justin Coker, VP EMEA at Skybox Security
“Stealth” hacks on critical infrastructure will require a new approach to security
Sophisticated cyber-attacks will become more unpredictable and take forms we have not seen before.
Salvatore Sinno, Chief Security Architect at Unisys
Ancient national infrastructure
We are likely to see a massive cyberattack on national infrastructure, similar to the attack that brought down the NHS, but this time with hackers targeting CCTV equipment – many of which are open to risk because they sit outside of high security IT and are not regularly updated with firmware.
James Wickes, CEO and Co-Founder at Cloudview
State sponsored actor attacking a major organisation or critical infrastructure
The political landscape is like a tinderbox right now, we just need one wrong tweet from a world leader directed at another, or a wannabe, and it could kick off a cyber war.
Andrew Martin, Founder and CEO at DynaRisk
Phishing for critical infrastructure
2018 will undoubtedly see a big increase in cyberattacks on critical infrastructure worldwide, with phishing continuing to be a key point of entry.
Alan Levine, Security Advisor at Wombat Security Technologies
Spear phishing (targeted phishing) will become more sophisticated, leveraging or impersonating respected brands and directing unsuspecting users to realistic destinations to harvest credentials and other personal information.
Fabian Libeau, VP EMEA at RiskIQ
Spear phishing attacks
In early 2017, 61% of InfoSec professionals reported experiencing spear phishing attacks, and this year has seen a number of high profile attacks hit the press, from Amber Rudd (responsible for cyber-security in the UK) to Tom Bossert (cyber-security advisor in the US) being affected.
Amy Baker, VP, at Wombat Security Technologies
Shortage of affordable skills
It may feel like a bit of an old chestnut, but a shortage of available and affordable people to fill gaps in cyber security positions at all levels continues to hold back progress – including both potential trainees, and people with experience in the field.
Dr Robert Nowill, Chairman of Cyber Security Challenge UK
Security teams becoming overwhelmed
I expect 2018 will be the year that security teams become totally overwhelmed by the sheer number of threats they face – which could potentially have catastrophic implications, as a result, organisations will face the choice of either making millions of security experts appear from thin air – ISACA predicted there’d be a shortage of two million by 2019 – or find alternative ways to use advanced intelligence, analytics and automation to deal with this critical problem.
Piers Wilson, Head of Product Management at Huntsman Security
These file-less attacks are capable of causing havoc and stealing data by using approved, native operating system tools, such as PowerShell.
Mike Viscuso, Co-Founder and CTO at Carbon Black
This type of malware operates by appending the attack to legitimate services and remaining in the memory portion of devices.
Raef Meeuwisse, ISACA governance expert and author of Cybersecurity for Beginners
The cryptocurrency bubble
With values continuing to climb, we are likely to see ‘normal’ people inflate the bubble and provide the demand for cybercriminals to supply the market with precious cryptocurrency.
Josh Mayfield, Platform Lead of Immediate Insight at FireMon
Lack of accountability
Next – instead of working hand-in-glove with a security services provider to protect customer data – too many of them will simply buy cyber-attack insurance, which is really just about passing the buck and does nothing to address the actual problem.
Srinivasan CR, Senior Vice President of Global Product Management & Data Centre Services at Tata Communications
Quite a few vendors are reducing the information they provide, while many individuals and the media are overhyping issues presented to the masses – this combination will eventually create a perfect storm of security misinformation that will cause issues that are actually critical to be overlooked.
Tyler Reguly, Manager, Vulnerability and Exposure Research Team at Tripwire
Even after all the publicity from incidents such as WannaCry, and with GDPR incoming, we still see a lack of basic cyber hygiene in the public and private sectors, as well as from individuals.
Vince Warrington, Director at Protective Intelligence
Packaged attacks for sale on the dark web
These readily available vulnerabilities are already known to the security community and the best possible defence is to patch all devices as soon as possible and use some sort of vulnerability management.
David Fearne, Technical Director at Arrow ECS
The key takeaway from the recent, major data leaks is that our communications systems are not secure.
Rick McElroy, Strategist at Carbon Black
Assuming that they are secure
Minimising the exposed ‘skin’ of a business through good practice and technology goes a long way, but planning for when the unthinkable happens is also key.
Mike Simmonds, CEO at Axial System
This is the ability of companies to be easily distracted by the latest bright and shiny security threats, resulting in a failure to concentrate on key security issues and adequately protect data.
Ian Kilpatrick, EVP of Cyber Security for Nuvias Group
New biometric technologies create new attack surfaces
There will be widespread adoption of machine-learning based facial recognition tools as many companies follow in the footsteps of technology giants such as Apple.
Barry Shteiman, Director of Threat Research at Exabeam
Unsanctioned enterprise messaging
As unsanctioned messaging platforms like Slack and HipChat spread, they enable rapid communication and file sharing, obviating the need for conventional tools like email and causing IT to lose visibility and control over corporate data.
Mike Schuricht, VP of Product Management at Bitglass
Half-hearted approach to risk
The biggest security threat will remain our half-hearted approach to this very real risk.
Oz Alashe, CEO at CybSafe
The most important threat comes from unauthorised technology installations by users, also known as Shadow IT - a major challenge for IT departments worldwide, increasing the attack surface of organisations and exposing them to serious cyber risks not to mention the risk of severe financial penalties following incoming regulation like GDPR.
Matt Middleton-Leal, General Manager of EMEA at Netwrix
Failure to monitor the security in the software development lifecycle
The biggest threat will be for organisations who fail to monitor the security in the software development lifecycle within the whole context of a client’s coding and IT infrastructure – the move towards open source tools and libraries created by third parties means IT suppliers need to build in a fail-safe approach to avoid exposing their software to vulnerabilities or breaches created much lower down the chain.
Phil Lea, Head of Security & Compliance at Advanced
Email will continue to be the biggest security threat in 2018 as it is the easiest and lowest risk way to directly attack employees with phishing, ransomware, and impersonation attacks.
Steve Malone, Director of Security Product Management at Mimecast
I think the biggest threats will be against “co-processors” (i.e. the chips that control things like cellular and Wi-Fi radios, instead of doing the main processing).
James Plouffe, Lead Solutions Architect at MobileIron
The biggest problem in a lot of the affected organisations has been patching old, well-known vulnerabilities.
Neil Anderson, Director of Security Services at Assure APM
Nothing will change
A new calendar year will not see breaches suddenly cease, or board members waking up to the threats they face.
Chris Pogue, Head of Services for Security and Partner Integration at Nuix.
Supply chain attacks
This is where software used widely by enterprises will be back-doored and operate as Trojans into corporate and enterprise environments.
John Bambenek, Threat Intelligence Manager at Fidelis Cybersecurity
Bricking of systems
Bricking of systems will be a 2018 trend as hackers effectively turn expensive hardware from modern computing devices to nothing more than inert mass. Examples of this include destruction-ware, some bios attacks, router attacks and anything that basically breaks computer and network hardware.
Sam Curry, CSO at Cybereason
False information influencing things other than the democratic process
2018 will see the increase in targeted attacks from nation state actors to industry, with more of a focus on financial gain than political or military advantage.
Joep Gommers, CEO at EclecticIQ
Voice channel fraud
Human beings at the end of the phone line are an enormous data security risk.
Ben Rafferty, Global Solutions Director at Semafone
Exfiltration of data from cloud-based storage will accelerate
Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) attacks will see massive tranches of data from organisations being taken from the cloud, without IT/security team even knowing.
Matt Walmsley, EMEA Director at Vectra
Lack of strategy
The single biggest security threat of 2018 will be the failure of businesses to implement a structured cyber security strategy.
Steven Kenny, Business Development Manager for Architecture and Engineering at Axis Communications
Evolution of the bad guys
The biggest cybersecurity threat in 2018 will be the speed with which the bad guys are evolving, which means that tried and tested cybersecurity defences are no match – the only way to remain protected is to adopt a dynamic approach to cybersecurity.
Maninder Singh, Corporate Vice President & Global Head of Cybersecurity at HCL Technologies
Target will evolve
Attack types will not change, rather the target of the attacks will evolve.
Ryan Wilk, VP at NuData Security
Broken software is by far the biggest security threat on planet earth right now.
Dr Gary McGraw, Vice President of Security Technology at Synopsys
Our recent Security in Enterprise research showed that 47% of organisations had experienced some form of malware or ransomware attack in the last two years, facilitated by the rise in unknown malware - I fully expect this will continue to be one of the biggest threats of 2018.
Shane Grennan, Director Regional Accounts for UK&I at Fortinet
The biggest security threat in 2018 will be the lack of discipline in both patching known vulnerabilities and analysing application systems for security-related weaknesses.
Bill Curtis, SVP and Chief Scientist at CAST and Executive Director at the CISQ (Consortium for IT Software Quality)
Cyberattacks are barely out of the news at the moment, and when conducting an M&A deal or other business-critical transaction, confidentiality and data integrity is of the utmost importance – meaning that all of the sensitive documents associated with a project need to be adequately protected.
Gary McKeown, Group Managing Director at Imprima
Compromised development environments
Hackers are going to the source, modifying standard software development tools in order to seed new applications with malware.
Gerhard Oosthuizen, CIO at Entersekt
Software supply chain
The biggest risk for 2018 is your software supply chain.
Josh Zelonis, Senior Analyst at Forrester
Lack of understanding of risk
The biggest threat to most organisations will continue to be a lack of understanding of where they have actual risk in their organisation, and the misallocation of security resources that generally results from this lack of understanding.
Jim Hietala, VP of Security at The Open Group
Large-scale data breaches
Public awareness and scrutiny of data breaches and how secure their data is will shift next year—not just because there will be more large-scale breaches, but because reporting rules will change thanks to GDPR.
Thomas Bostrøm Jørgensen, General Manager for EMEA at AllClear ID
Cyber security complacency
The biggest security threat that will hit businesses will continue to be attitudes in relation to cybercrime - the 'it will never happen to me' view; every year our DBIR shows that the same tactics - from phishing emails to the exploitation of weak passwords - keep succeeding; until people learn from the cyberattacks that are taking place across their industries and start to educate employees and change their behaviour, the oldest threats will continue to be disruptive.
Laurance Dine, Managing Principal of Investigative Response at Verizon
Open source management
The failure to properly manage and secure the open source components making up increasingly large portions of commercial and custom software will be one of the most significant cybersecurity threats to organisations in 2018.
Mike Pittenger, VP Security Strategy at Black Duck Software