David Marshall | November 25, 2016

Wombat Security 2017 Predictions: What's Ahead for the New Year

Experts from security awareness and training platform Wombat Security predict what's ahead for 2017

Through its security awareness and training software, Wombat Security helps organizations teach their employees secure behavior, adding another level of protection between cyber criminals and sensitive data. Wombat's Security Education Platform is continuously evolving to help organizations and their employees stay informed. Experts from the Wombat team take a look ahead to 2017 to see what trends we'll continue to see and what new issues might arise.

Joe Ferrara, CEO, Wombat Security

In the last 12 months, the escalation of ransomware and BEC has been significant. It's hitting the midmarket a lot more frequently, and it's an extremely productive effort for hackers. With continually evolving methods and strategies, hackers are able to leverage ransomware in their favor. In 2017, the industry will see this ongoing flurry of ransomware attacks and damages increase, and more demand will be generated for solutions that address more than just the technology infrastructure of a company. The human defense factor is powerful and will see a boost in interest from enterprises next year.

Trevor Hawthorn, CTO, Wombat Security

The endpoint protection space has grown in the last year, and more people will continue to look to these solutions in 2017. While more attention has been given to endpoint security solutions to identify threats and attempted attacks, they can't catch everything. When users are the ones opening the floodgates to attackers by putting in their own credentials to a malicious or compromised setup, that's a behavior change issue that can only be addressed with ongoing investment in security training and education.

Healthcare is still incredibly susceptible to the accelerated phishing activity we see moving into 2017. The industry continues to have resource constraints making it hard to put security above patient care or other administrative tasks. Similar to the challenges the cyber security industry is facing, shortages of funding and talent make it difficult to prioritize needs and the areas most deserving of a first response. The pattern of consolidation within healthcare has also resulted in a level of organizational chaos. With a lack of time available for busy staff to complete trainings and other systemic challenges, it can make the environment much more difficult to secure, and can therefore lead to more vulnerability. Next year, cyber security and healthcare professionals will need to collaborate on a long-term plan to address vulnerable infrastructures with better technology and security awareness that overrides any organizational chaos they may be faced with.

The Internet of Things has already posed a unique threat to the security landscape, one that may not be visible to a consumer's untrained eye. Easy procurement of cheap IoT devices or Wi-Fi enabled products introduces a serious level of risk that most are unaware of. In 2017, we'll need to answer to a lot of the mistakes that have been made in the name of a fast go-to-market strategy or lower cost of goods. Educating consumers and employees on not only what makes a secure (vs. risky) IoT device, but also what the potential impacts of an insecure device could mean for your insurance policy or privacy, is essential for effectiveness. Furthermore, safe usage training for these devices needs the support of brands, vendors and cross-vertical influencers to move the needle. We'll start seeing a larger rally from these players to brand themselves as a secure device, versus just the latest cool-looking smart home device or wearable messaging that has taken precedence in marketing efforts so far.

Generationally, we see a gap on the awareness side almost as much as on the talent or skills side. When the Internet became prominently used in the 90s, security was not a top concern. So little was known about the threat landscape and its potential impact on you as an individual user that formalized attacks on organizations seemed so far away from a detrimental hit closer to home. Those early users are still in the workforce and operating online with devices every day, and the continued lack of awareness and understanding of security best practices is damaging to themselves, the companies they work for and their networks. The generation still in grade school today is being given the tools and resources to better protect their personal information and devices, which is a major step forward in widespread security awareness. In 2017, we'll see a greater focus on smart skepticism.

The privacy conversation for the average consumer must change in 2017, particularly as new administrations are faced with the debate of end user privacy versus potential homeland security issues. What needs to be understood is that context determines the impact a breach of privacy has on an end user or organization. The lack of control on that context when hacked is the negative end result that pro-privacy advocates will need to shed light on to end users and constituents influencing governmental and societal initiatives.

Amy Baker, VP of Marketing, Wombat Security

The security industry has wondered for years when a mobile device will finally become the initiation point for a major breach. While it hasn't happened yet, it is certainly a possibility and should be treated as an ongoing significant threat vector. In 2017, we'll see a larger focus from enterprises and end users on keeping mobile devices secure, particularly in a landscape where mobile phone encryption may be weakened, pending decisions made at the federal level.

Brands and vendors will be looking at the security prowess of their partners and suppliers with a sharper lens in 2017. With the understanding that securing their own infrastructure and employees is of top importance, they'll start to scrutinize external entities that may negatively affect the secure environment they've invested in thus far. These enterprises may require that their partners invest in specific security approaches, such as security awareness and training, for them to become partners. Companies experiencing pressure to elevate security capabilities before inking a deal or partnering with a major seller for their products will be much more likely to take those security awareness and education considerations seriously.

Phishing will continue to be a huge issue in 2017. In 2016, it's been another day, another email leak. Retrospectively, 2015 did not see nearly as many attacks here compared to 2016, and the problem will persist without the right security training for users in all industries. Wombat's measurement of various industries' performance in security awareness and phishing susceptibility has pointed us to telecommunications, retail and healthcare as the verticals that need the most improvement if they're to mitigate the volume and impact of threats.

Behavior change will still be the standard of success in a security awareness program. In 2017, there will be greater adoption of cyber security education initiatives as part of normal practice and budget planning. The concept of securing people and not just technology will be the driving factor in 2017, when entities and business leaders recognize the need to invest in education for employees, not just setting and forgetting software or firmware solutions.

Kurt Wescoe, Chief Architect, Wombat Security

Multi-factor authentication will change over the next 12-24 months to become more biometric in nature. Due to a realization by companies that want to identify hacked accounts, this will be a change driven by the enterprise community. Duo-mobile and mobile multi-factor will not exist in their current form by the end of 2017, as it will evolve into a process much more complex and acute.