
Changing human behaviour key to thwarting cyber threats in 2016


Phishing has been the number one attack vector for over five years and 2016 will be no different.

Rohyt Belani, CEO of PhishMe, explains his thinking: “We, as an industry, have lagged in engaging employees to be a part of the organisation’s security posture. For decades, enterprises have focussed on traditional security awareness techniques like computer-based training (CBT) that simply don’t work; they have no sustained impact on behavioural change. At PhishMe, we have succeeded in helping our customers engage their employee base by turning them into informants of suspicious emails, providing such employees with the necessary tools to report the same in a frictionless manner, and then most importantly in providing the incident response teams at these organisations a solution to rapidly triage these reports and operationalise the attack intelligence obtained. The human is no longer the weakest link for our customers; they are the strongest asset.”

Focus will move back to prevention of breaches, rather than detection after the fact
While prevention of individual infections is almost impossible, preventing the breach of confidential and proprietary data as a result is paramount. “The industry gave up. They surrendered and turned to post-breach detection and mitigation because the hackers were winning,” explains Scott Greaux, VP Product Management at PhishMe. “With average time to detection still over 200 days this approach hasn’t worked either and I think in 2016 we will see the focus shift again. System infections will occur, and at the moment there’s no silver bullet to change this, but we need to prevent these infections from translating to large data breaches. That means conditioned email users will play a key role, providing the timely and actionable threat intelligence thus minimising attacker dwell times, that will help prevent breaches in 2016.”

All Forms of Trust will be Abused:
It seems that criminals listen to the advice given to people about cybercrime and turn it around in a bid to thwart defences. The traditional wisdom was ‘don’t click links or open attachments from untrusted sources.’ In 2015, the increase in attacks targeting email was primarily about abusing those trust relationships. In 2016, other forms of trust are going to be under attack. Passwords stored in browsers, especially on mobile devices and ‘Bring Your Own Device’ phones and tablets, will be a big target.

The advice from Gary Warner, Chief Threat Scientist at PhishMe, is that, “This year we need to be encouraging the adoption of two factor authentication and ‘unknown device’ alerting as never before – including on internal systems. In another area of trust, a malware compromised workstation logs in to the corporate systems with the same power as an authorised user. Big data breaches are largely enabled by the concept that certain users should be allowed to ‘See Everything’ and this must be reeled back to ‘see only some things’, or ‘see anything, but only at reasonable volumes.’” With increased reporting of suspicious activity, advances in threat analysis to enable better campaign identification, and raising the shield by challenging all of the ‘trust’ assumptions made, organisations can make 2016 a safer year.
 
