3. New top level domains pose phishing pitfalls. Emerging general TLDs, which number more than 800 and may expand another 1,300 in the next few years, will be used in active spam and other malicious campaigns. Leonard says criminals and nation-state attackers will lure, via social media, email and other tools, unsuspecting users toward malware and data theft. For example, criminals could steer unsuspecting consumers towards shop.apple, apple.macintosh or apple.computer to try to steal their information. In a Raytheon Websense sample set of several TLDs, millions of different URLs hosted malicious content. "These TLDs will also make it significantly harder for defenders to protect, as many are unprepared for the new landscape," Leonard says.
4. Presidential elections are prime “hacktivism” time. As the U.S. moves closer to the U.S. Presidential election in November, so-called "hacktivists" will increasingly delight in hijacking the Facebook, Twitter and Instagram accounts of candidates and news outlets and attempt to spread misinformation. Such lures will look like political party or candidate email, advocating an online petition or survey about specific election issues, linking to a supposed news story, or relaying information about voter registration or debates. "They're generally politically motivated hackers that delight in bragging about their achievements afterward," Leonard says. To hedge against such risks, Leonard says he imagines some campaign teams hiring CIOs to protect their media assets.
5. Cyber insurance better aligns with cybersecurity postures. Cyber insurance premiums soared in 2015, as companies race to purchase indemnification coverage. To maintain profitability, insurance carriers will require more threat and protection intelligence and develop baseline requirements for issuing cybersecurity policies. Such policies will take into account a company’s market capitalization, defense and risk profile, attack frequency, as well as the capability to halt attackers and remediate breaches.
Insurers will send auditors to conduct hands-on assessments of cybersecurity systems, reinforcing the need for advanced threat detection, both of the perimeter and at the data level. "That can dictate premiums, or even whether you get a payout to your claims," he says. "We expect to see an increasing sophistication in the way the risks associated with a cyber breach are factored into policy cost, just as a driver’s safety record and driving habits are factored into the cost of an automotive policy."
Cause for some optimism
Given the threats outlined, cybersecurity defense appears to be, yet again, an exercise in Sisyphean boulder pushing. But Leonard strikes an optimistic tone, noting that CIOs can shore up their assets by building a team of trusted advisors, including internal and external partners. These teams will share the labor for monitoring technology developments and introducing new technologies, as well as the practices of cyber criminals, and evolving legislation.
Sign up for CIO Asia eNewsletters.