"Cybercrime is moving away from just being targeted at the very large honeypots: intellectual property and big banks," he adds.
Take cryptoware, the most popular category of malware today. In the past, cybercriminals using ransomware depended on a perverse form of trust: They would lock up a victim's computer, the victim would pay the ransom, and the criminal would unlock the computer. But Durbin says that the introduction of aspirant cybercriminals to this area means that "trust" is breaking down. Even victims who pay the ransom might not get the key to unlock their property, or the cybercriminals might come back again and again.
At the same time, Durbin says cybercriminals are becoming more sophisticated in their use of social engineering. While the targets are generally individuals rather than the enterprise, such attacks still pose a threat to organizations.
"For me, there is increasingly this blurring between the enterprise and the individual," he says. "The individual is increasingly the enterprise."
Organizations are increasingly adopting IoT devices, but most IoT devices are not secure by design. Additionally, the ISF warns there will be an increasing lack of transparency in the rapidly evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. On the enterprise side, it will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices like smartphones and smart TVs.
When data breaches do occur, or transparency violations are revealed, organizations are likely to be held liable by regulators and customers. And in a worst-case scenario, security compromises of IoT devices embedded in industrial control systems could lead to physical harm and death.
"From a manufacturer's point of view, knowing what your usage pattern is, getting a better understanding of the individual, clearly is important," Durbin says. "But all of that has opened up more threat vectors than we've ever had before."
"How do we secure them so we're in control as opposed to the device being in control? We're going to see more of a raised level of awareness in this area," Durbin adds.
The ISF has been raising the issue of the vulnerability of the supply chain for years. As the organization notes, a range of valuable and sensitive information is often shared with suppliers. When that information is shared, direct control is lost. That means increased risk of compromise of that information's confidentiality, integrity or availability.
"Last year we started to see big manufacturing organizations losing manufacturing capability because they were locked out and their supply was being affected," Durbin says.