5 Years of Risk: How Cybersecurity Threats Continue to Evolve

The world of cybersecurity changes constantly with new risks emerging seemingly by the minute. As we celebrated SpyCloud’s fifth anniversary recently, I thought it would be interesting to look back at the threat landscape that experts were predicting over the last five years to see how the industry has changed – and share what could be ahead. 

While the world has certainly taken some unexpected twists and turns during the last half-decade, some of the predictions below ended up being closer to reality than we would have liked.

2016: The Internet of Things

A large number of predictions for 2016 revolved around the security (or lack thereof) of IoT devices including webcams, smart home appliances, and connected cars. This stemmed in part from an incident in 2015 when cybercriminals were able to remotely stall a Jeep. Experts were particularly worried about the possibility that hackers could use IoT devices for government espionage to damage critical infrastructure like electric grids. 

While cybercriminals are certainly employing other tactics to hack government agencies, to date there’s no record of them using the IoT to infiltrate the United States government or other nation states. That said, the government is increasingly worried about the possibility, and in its 2019 Cyber Threat Outlook report, Booz Allen Hamilton listed state-enlisted espionage on IoT devices as one of its top eight concerns. There have also been plenty of reports over the past five years of how insecure IoT devices are impacting consumer privacy, including reports that government officials themselves are using smart appliances to spy on citizens.

Bottom line, while some of the concerns surrounding the IoT haven’t come true, security issues still abound. Cybercriminals have been able to compromise several types of internet-connected devices to gain access to corporate networks, and the U.S. Cybersecurity and Infrastructure Agency recently released an advisory listing 25 different vulnerabilities found in a wide range of consumer and industry IoT systems. With an estimated 25 billion IoT devices now being used in homes and businesses according to Gartner, it’s more important than ever to make sure every device on your network is properly secured.

2017: Phishing and Social Engineering

While phishing was certainly nothing new in 2017 (the first known attempt is thought to have occurred sometime around 1995), attacks were ramping up and experts predicted that the increase would continue, with one noting ‘we see more and more alerts and events indicating attacks against the end-user workstation instead of the corporate infrastructure.’ 

They weren’t wrong. Phishing attacks increased by 59% in 2017, according to a report from Kaspersky Lab. It didn’t stop there. In fact, the 2021 Verizon Data Breach Investigations Report found that the use of malware and trojans is dropping, indicating that cybercriminals are increasingly turning to phishing and social engineering scams. Many times, attackers take the credentials stolen in these scams and sell them on the dark web, where they’re used days, months, or even years down the road to compromise other accounts. The FBI reports that email scammers are raking in almost $2 billion a year, and they’re getting savvier, sending ‘spear phishing’ emails personalized to specific individuals to get them to click.

2018: Supply Chain Attacks 

By 2018, supply chain attacks were becoming more common, so it’s no surprise that some experts predicted that the term would become mainstream by the end of that year. I would argue that it took a couple more years for the general public to sit up and take notice. In 2021, the term really sank in with the ubiquity of reporting on the SolarWinds hack and the recent attack on meat supplier JBS.

However, supply chain attacks did nearly double in 2018, increasing 78% compared to the year prior. It’s safe to say that these attacks will continue and mitigating the threat requires a multi-layer security solution. The days of assuming that a single solution like an antivirus or firewall can safeguard an enterprise are over.

2019: Multi-Factor Authentication

As long as there have been online accounts, there have been security experts lamenting people’s lazy password habits. One of the top causes of account takeover and credential stuffing attacks is weak passwords or passwords reused across multiple accounts. Yet people keep doing it. It’s no surprise, then, that in 2019 software developers predicted that we were headed toward the first step in a passwordless future, and that multi-factor authentication would become standard for all online transactions.

While it’s certainly recommended for any business, MFA has been slower than experts predicted to take hold, partly because of a lack of consumer buy-in. Businesses can be hesitant to employ the additional authentication steps that sometimes frustrate customers and jeopardize a sale. Still, Google estimates that MFA prevents 96 percent of bulk phishing attempts, and we can expect it to become more commonplace. In fact, Google plans to enable MFA by default on its own platforms later this year.

2020: Deepfakes

If there’s any year that would have been impossible to predict, it’s 2020. From a global pandemic to a presidential election that threw the country into chaos, last year was one for the record books. 2020 also introduced a host of new cybersecurity hurdles from securing a remote workforce to combatting the onslaught of ecommerce fraud.

Still, there was at least one security problem that experts saw coming: deepfakes. These videos that are digitally altered with deep learning technology first showed up on a Reddit board in 2018 and then exploded. One writer said it best when he wrote “deepfakes will take identity theft to a new level.” The phenomenon became mainstream in 2020 as cybercriminals used more sophisticated algorithms to create more convincing videos. Concern quickly grew, with Facebook even announcing a ban on the manipulated images and videos on its platform.

Deepfakes continue to be an issue with potentially severe consequences for individuals, business leaders and even politicians. Unfortunately, fewer than 30% of businesses currently have a plan to combat them.

2021 Predictions

While I like to avoid predicting the future, there are a few themes that I think we can expect to see in the years to come.

    • Supply chain attacks will continue until the government steps in to require that every industry implement hardened security measures to detect and prevent breaches.
    • The continued mingling of work and personal accounts will keep driving a rise in account takeover and credential stuffing attacks.
    • While a passwordless future is enticing, there is still quite a bit of lift before we get there since passwords are still a critical component of most apps and services. 
    • Multi-factor authentication will continue to rise in popularity as a second layer of needed security for employees and consumers, though additional measures are needed to provide true protection.

If the next five years are anything like the last, I think we can all agree that it’s time for all of us to pay a little more attention to cybersecurity – and our online habits. I’m hoping that when I write a similar article on SpyCloud’s 10th anniversary, we’re looking at a threat landscape that’s changed for the better.
