BakerHostetler began publishing its Data Security Incident
Response Report in 2015. Although we were the first law firm to do
so, inspiration for the report came from similar reports that
cybersecurity firms issue. We will be publishing our 2017 Report on
April 13, 2017, containing statistics and insights from the 450+
incidents we led clients through in 2016. We think companies can
use our report as a "crowdsourced" tool for identifying
risks/threats, response metrics and risk mitigation investment
priorities. As a preview to the release of our 2017 Report, we
thought it would be helpful to provide a similar crowdsourced
summary of the 2017 cybersecurity predictions from Mandiant, Stroz Friedberg, Crypsis, Kroll, Protiviti, Wombat and TrendMicro to see what commonalities and
trends exist. It didn't take long to determine that nearly
everyone identified ransomware, social engineering and the internet
of things (IoT) as high on the list of cybersecurity risks for
2017.
Ransomware
Ransomware typically takes the form of software that
surreptitiously encrypts vital data on your computer system and
demands payment in exchange for the decryption key so you can get
your data back. If you don't pay the ransom, you lose your
data. The amount of ransom varies from a few hundred dollars to
several thousand. In the past, threat actors would write their own
ransomware code. However, given ransomware's track record of
effectiveness, threat actors incapable of coding the software
themselves can simply buy "plug and play" ransomware
through an illicit market.
Social Engineering
Tricking people is as old as ... well, people, and the
cybersecurity world is not immune to the practice. It's a
reality that the Achilles' heel of cybersecurity is the human
element. Technological defenses go only so far. The alarm system on
your house could be impenetrable, but not if you give away the
passcode. Trickery in the cybersecurity world is generally called
"social engineering." Social engineering uses deception
to trick people into disclosing personal information so that it can
be used for fraudulent purposes. Phishing is a ubiquitous social
engineering practice that typically takes the form of an email
disguised to look legitimate (sometimes appearing to come from a
co-worker or boss) and attempts to get the victim to disclose
personal information. Phishing attacks are only getting more
sophisticated. For example, phishers are now using social media to
gather information to help them lure victims into disclosing
personal information.
Internet of Things
The internet used to be a network of just computers. That
network has rapidly grown to include phones, DVRs, cars,
refrigerators, washing machines, lights, home security systems and
even pet-feeding systems. This new network of nontraditional
computer "things" is called the internet of things.
IoT is becoming an important and integral part of our lives, and
its security is a top concern. Many problems stem from eager device
manufacturers rushing to deploy convenient products to meet rapid
consumer demand without taking the time to make security a
priority. Soon, almost everyone will have dozens of things
connected to the internet. To make matters even more complicated,
these additional things are usually connected to the internet 24
hours a day and therefore are always vulnerable. History has
already shown that cars and even medical devices can be hacked.
