Abraham Lincoln once said, “The best thing about the future is that it comes one day at a time.”
Winston Churchill once said, “If you’re going through hell, keep going.” And, “Never, never, never give up.”
As we look back at top cyber stories and security trends in 2017, these wise words from fearless leaders who have gone before us certainly apply to cybersecurity and the new 21st-century challenges confronting our world in 2018.
What’s HOT and Likely Getting HOTTER in 2018?
Last year we started with, “You ain’t seen nothing yet!”
Hold on! 2018 will be even worse online, if these global security experts are correct.
No doubt, more sophisticated hacker tricks, phishing attempts and data breaches are coming.
What are the most common security predictions for next year? New forms of malware, more expensive ransoms as more ransomware hits more organizations, Internet of Things (IoT) device problems at home, AI and machine learning gone astray (as a cyberweapon), cryptocurrency problems, cloud computing breaches and plenty more of everything we already saw in 2017.
Almost everyone is talking about the huge impact of GDPR in 2018 — some think the fines will wait for later after lawsuits will be filed, but most see a major shake-up coming for companies’ policies and procedures as a result of the new European privacy rules.
Other common cyberpredictions include increased scope and impact from DDOS attacks, the number of cybercriminals (and crimes) increasing, continued shortages of qualified security professionals — with new attempts to deal with the staffing problems, popular (and easy to use) home devices (such as Amazon Echo) getting hacked in new ways and much more nation-state hacking.
In addition, the election hacks, hacktivism and business email compromised (CEO fraud) show up on many lists as likely items that will expand in the coming year.
Why Take the Time to Understand Cybersecurity Industry Predictions?
There’s no doubt that security predictions are exploding and cover a very wide range of technology, physical security and Internet of Things (IoT) topics around the world. The breadth and depth of industry involvement in this cyber forecasting process even exceeds previous years, which is truly remarkable and shows the dramatic growth of the security industry as a whole.
So why take the time to go through these lists? I addressed this topic in detail back in 2016 for CSO Magazine in this piece: Why more security predictions and how can you benefit? I started by saying that Americans love baseball, hot dogs, apple pie and predictions. I also predicted that more security predictions would be coming — and I certainly nailed that cybersecurity trend.
But beyond just a fun end-of-the-year exercise, there is immense value for individuals and companies as they plan their future strategies. Here’s an excerpt of a few of the benefits to understanding what experts think may be coming soon:
No doubt, there are some leftover (very similar) predictions from the past few years. There is also the annual chorus of: “Will this be the year for a Cyber Pearl Harbor or a Cyber 9/11 that brings down critical infrastructure for a section of the country?”
To get a full sense of the breadth and depth of security industry prediction lists and forecasts, I recommend going back in time and reviewing some of the previous security prediction roundups from 2015, 2016 and 2017 to help keep score on prognosticators. Our analysis process has not changed much in the many years since we started, and all decisions are made independent of company or magazine influence.
For more details, I encourage you to go to the prediction details by clicking on the hyperlinked report and/or visit the specific website and download the full white papers to get more details on these security trends and 2018 predictions lists. Many of these predictions have longer explanations as to why this will happen (with more data to share.) Be aware that some vendors may require you to register (often for free) to get their full prediction report.
So now we're ready to move on to the best (most complete) security prediction list for 2018, ranked from 1-18 using my vendor-agnostic rating system, along with honorable mention and late-arriving prediction lists.
Detailed Prediction Reports by Source
1) Trend Micro takes the top prize for again having an impressive, well rounded set of predictions. The Trend Micro theme is “Are You Ready for Paradigm Shifts,” and here are their top predictions:
2) Symantec had another outstanding set of predictions for 2018 on a wide range of topics:
3) Watchguard Technologies — I really like Watchguard’s presentation of predictions again! In fact, I would say that their online videos and infographics may be my favorite this year. However, their actual predictions seemed rather mainstream and offered no huge surprises. Very solid list though:
4) McAfee — McAfee forecasts developments in adversarial machine learning, ransomware, serverless apps, connected home privacy, and privacy of child-generated content. Here are some details:
5) FireEye offers excellent predictions, but requires you sign up for the full report (which is free). Download full FireEye prediction report here.
Nevertheless, this interview with FireEye executive leadership, including their CEO Kevin Mandia, is eye-opening regarding 2018 predictions:
In the Indo-Pacific region, FireEye said, China and neighboring countries are still continuing political disputes, especially with India, South Korea, Japan, the Philippines, Vietnam and other South-east Asian countries.
"Therefore, unorganized 'hacktivism' attacks as a response to these political tensions within and against these countries is expected to continue and possibly rise throughout the new year," the company warned.
According to FireEye, it observed an increase in non-Chinese and non-Russian APT groups in 2017 and expects to discover more in 2018. Ransomware is expected to rise in 2018, especially as administrators are slow to patch and update their systems.
Other popular techniques that will continue to be used in 2018 are strategic web compromises and spear phishing, especially in targeted attacks. We also expect to see many more destructive worms and wipers, the cyber security firm noted.
6) Kaspersky — Offers detailed cyberthreat forecasts in each major sector. For example, their financial predictions include:
7) Palo Alto Networks — Human safety and security will be added to confidentiality, integrity and availability, according to Palo Alto Networks.
8) Forcepoint — Offers eight different areas of concern for the year ahead and five predictions for 2018.
9) Imperva — Offers Their Top 5 Trends That IT Pros Need to Think About:
10) Forrester — As always, Forrester offers some unique and thought-provoking predictions for 2018:
11) Webroot — Excellent, wide assortment of predictions on topics ranging from ransomware to breaches to biometric security to government security to the infosec job market.
12) Gartner — Gartner again offers 10 strategic predictions (via PC Magazine) that cover the next few years (through 2022). Here are a few of the security-related predictions from Gartner:
In early December, 2017, Gartner issued a forecast that worldwide enterprise security spending will rise 8 percent in 2018 to $96.3 billion.
13) Sophos — Offers details on malware likely coming in 2018.
And their PDF offers excellent details and a new malware forecast. They write: "In this report, we review malicious activity Sophos Labs analyzed and protected customers against in 2017 and use the findings to predict what might happen in 2018.
The malware we protect customers from transcends operating systems. Ransomware in particular targets Android, Mac, Windows and Linux users alike. (Android phones run a modified version of Linux.) Four trends stood out in 2017 and will likely dominate in 2018."
14) Zscaler — Ten interesting predictions, including this unique and creative one:
"We will see targeted attacks on digital assistants."
It seems that every major tech company is now convinced that digital assistants (Alexa, Siri, Cortana) embodied as smart speakers (Amazon Echo, Apple HomePod) are the future of human-computer interaction. These devices are now mainstream and have become much more than just a convenient way to learn about today’s weather or get the latest sports scores.
15) IBM — Offers interesting predictions, with the first two items being somewhat different than many other lists:
16) eWeek says that “Cars Steal Innovation Spotlight From Smartphones”
Update: eWeek also released this helpful slide show of 18 cyber security trends that organizations should be aware of heading into 2018. They follow my "18 for 2018" model in this annual cybersecurity prediction blog. (Imitation is the greatest form of flattery, so thanks.)
17) Checkpoint sticks to a few unique items in their forecast:
18) White Hat Security — Last year, Ryan O'Leary said, “Nothing will change. Companies will continue to get breached because of simple vulnerabilities.” Unfortunately, my prediction was correct, but that’s no surprise.” This is still a good prediction for 2018.
New this year: “… More and more companies will start adopting the DevSecOps process and bring the Development, Security and Operations teams together. We’ve seen this work with companies and we know it reduces both the number of vulnerabilities introduced, and also the time to fix those vulnerabilities. By making one team with the mission of fast, secure, and stable code we ensure that these teams no longer have competing priorities which hinder secure releases. …”
BONUS FOR FUN Beyond Trust – Some great cybersecurity predictions at Beyond Trust that are similar to others. Also, these fun five-year predictions at the end of their report:
Honorable Mention: The Best of the Rest of the Cybersecurity Forecasts and New Year Security Trends
Other very good predictions, cybersecurity forecasts, and coming year security trends and write-ups that I’ve seen for 2018 include these articles, reports and blogs worth viewing: InfoSecToday.com, Securelist.com, HealthCareITNews.com (on new extortion attempts), InformationSecurityBuzz.com (on cyberinsurance), IEEE, Security Boulevard predictions (and their top 5 IT security trends), AT&T, Huffington Post, IDC (10 very interesting predictions for 2020 and 2021 including this: "By 2020, deception programs will be deployed by 60% of global 2000 companies to fool automated attacks, increase attacker costs, and improve attribution"), Secplicity.org, Digital Guardian.com (offering 30 experts' predictions, including yours truly), CSO Online, Centrify, Forbes (offering 60 predictions), Digital Journal, CIO Review, Business News Wales, Healthcareinfosecurity.com (Rebecca Herold on health data privacy), Splunk, IT Business Edge (on health care in the security crosshairs), ISACA, vArmour, Teramind (w/nice infographic), IT News Africa and betanews (covering an AI arms race and more).
Late-breaking security predictions for 2018 include: Kim Komando, RFID Journal (on IoT), the Outline.com (in which Kelly Shortridge scrambles the prediction process using an online Markov chain generator), HelpNetSecurity.com, IT World Canada (with a few contrarian items such as AI will NOT improve security), BankInfoSecurity (offering 10 cybersecurity trends) and SC Magazine (ten experts offer their top 2018 cyber challenges.)
Note: I continue to add other prediction reports here as new forecasts/cybertrends are released, so keep coming back into early 2018.
So which 2018 security predictions do I like best? Here are my award-winners for 2018.
Most Creative — eWeek — “Cars Steal Innovation Spotlight from Smartphones”
Newest & Specific — Zscaler — We will see targeted attacks on digital assistants. (Read the commentary above on #14).
Most Scary (yet practical) — Checkpoint — Legitimate Organizations Caught Hacking (I guess it depends on who is hacked and where ...)
Most Common and Likely (many) — Ransomware in more places with bigger ransoms demanded.
Most Dull (yet also insightful for the second year in a row) — Dan Lacey, White Hat Security: "Nothing will change."
I did not see very much missing this year on these prediction and forecast reports, but the Winter Olympics in S. Korea and FIFA World Cup (soccer) in Russia are noticeably absent. Of course, we also have the Super Bowl, World Series, March Madness and other major sporting events that could be disrupted.
There were plenty of people predicting critical infrastructure disruptions, but no one really sticking their necks out to say a major critical system failure (such as a dramatic regionwide or nationwide power outage or the significant loss of life because of hospital systems failure) is likely due to hacking.
Still, I agree with Bruce Schneier that regulation is coming for IoT when someone clearly dies from a cyberattack. Will 2018 be the year? Perhaps.
In conclusion, here’s one more quote from Abraham Lincoln that still applies as we head into 2018:
“The best way to predict your future is to create it.”