IT Security in 2016: Phishing and Ransomware Remain Challenges

September 1, 2016 at 9:45 AM


If any of you out there like to watch the show "The Profit" on CNBC, you and I would most likely become instant friends. For those of you who have never seen the show, the basic premise is that a billionaire (Marcus Lemonis) helps struggling businesses turn their operations around through financial and operational oversight. During the course of a season, there will often be an episode or two that serve as progress reports, where he takes us, the viewers, back to businesses he previously invested in to see how they are doing. We are going to do the same thing with this blog: a progress report.

Back on January 5th of this year, I wrote a blog post that discussed what I thought might be the top trends in Information Security in 2016. Since we are 3/4 of the way through the year, let’s look at that post, see how things are going, and see if I will become the next Nostradamus!

There were 4 topics that I thought would be significant in 2016. They were:

  • Healthcare
  • The Internet of Things (IoT)
  • Business Email Compromise
  • Phishing/Spear Phishing/Malware Campaigns

As we enter the home stretch of 2016, I think that it is safe to say that all four of these topics have been in the headlines when it comes to IT Security. Healthcare and Phishing/Spear Phishing/Malware have dominated the headlines and have oftentimes been linked together. Healthcare became a huge target for Ransomware, which is distributed through Phishing/Spear Phishing emails. While we didn't see as many major breaches in healthcare this year (yet), one can argue that 2015 would be almost impossible to top, as an astounding 112 million healthcare records became exposed through 268 breaches. So far in 2016, there have been 187 Healthcare-related breaches totaling 13,572,733 patient records exposed. While we are not hitting 2015 numbers, remember that this does not include Ransomware attacks as they are not breaches since no patient data is exposed.

The Internet of Things (IoT) continues to be a concern. Medical devices, wearables, and other internet-connected devices continue to be a target of attacks and possible access points to a network. While we haven't gotten a major, headline-grabbing attack, it is coming. As Dwayne Melancon, CTO of Tripwire, points out, these devices were made with low cost in mind, not security, hence the risk moving forward.

Business Email Compromise could have been included with the Phishing/Spear Phishing/Malware category. To me, this is a bit different, but the foundation is still there in that these attacks take advantage of people. Phishing gets you to click on a link; Business Email Compromise (Whaling, Email Spoofing, Corporate Account Takeover, etc.) tricks you into thinking an email is legitimate when it isn't. Since 2015, there has been a 1300% increase in these types of scams/attacks. The newest flavor of this scam is a fraudulent email directed at Human Resources or Payroll asking for PII on employees. As you can see, these scammers are getting more and more creative with their tactics, which is why we need to be on our toes to stay ahead of the game.

Finally, Phishing/Spear Phishing/Malware. I don't need to say much about this as it is obvious what is going on. But did you think that Ransomware would become such a revolution in IT Security? I didn't, but it has! New versions and strains of Ransomware come out daily. I don't see this trend going away anytime soon as the attacks and methods continue to evolve.

So what do we do? Well, first you should have a strong Information Security Program in place. If you're not sure where to start, download our eBook on the Center for Internet Security Top 20 Critical Security Controls. These are 20 effective IT Security Controls that you can put in place quickly to strengthen your security position. Remember, IT Security is not a sprint, it is a marathon! Check back in December for a full recap on these topics. If I missed any or if there are any you want to share, drop a line in the comments or on Social Media!
