What did we miss in 2016? Well, that's certainly an easy question to answer in hindsight. Most things are. Perhaps, though, it might be more fruitful to think not in terms of threats that were missed, but what we can learn from the worst threats of last year.

Certainly there were several threats that came up in 2016 that organizations across the board weren’t prepared for. What's advantageous about the perspective of hindsight is that we have full visibility from which we might be able to better prepare for the threats yet to come.

Kevin Haley, director, Symantec Security Response, said, "It’s not that we missed the threats themselves but that we didn’t understand the extent and didn’t anticipate the extent that they would affect us."

First let's look at what, precisely, impacted enterprises in ways no one was really prepared for. The obvious front runner to the list is ransomware. "We’ve been talking about it for a couple years. It’s not a shock. People thought of it as an end user threat," said Haley.

Many adopted a blasé "it won’t happen to me" attitude because they didn’t think their businesses would be targeted. "People don’t understand that threats evolve. This is what ransomware is doing now, and what it will still be doing in a year, but it will do it differently," Haley said.

A second threat whose impact threw many for a loop was business email compromise. A lot of people thought that a scheme in which the bad guys send an email pretending to be the CEO, asking to please wire money, would never work.

"It wasn't until the FBI came out and said we’ve lost $3 billion that people started to realize this does work," Haley said.

The hard policies and procedures that should have been in place were not, which allowed for a lot of lucrative bamboozling. "Even if it were the CEO," said Haley, "I’m not a finance guy, but at the end of the day, wiring money has to be something more than you get an email."

What both of these threats boil down to is that few in the security industry really anticipated the success bad actors would have by preying on human emotions. "When you look from a distance it seems absurd, but down in the trenches, everyone wants to make the CEO happy. Reasoning deserts them in trying to get a thumbs up from the big boss."

Ranking in third place on Haley's list is technical support scams. "The evolution of that, from cold calling to now pop up web pages or ads and getting the victim to call them. You’ve fooled them into thinking there is a problem," Haley said.

Ouch, this one really hit home for me. He ripped the band-aid off my nearly healed wound (I'm sure you all remember when I fell victim to a technical support scam; it continues to haunt me). I am the poster child that validates Haley's claim that, "This is an end user not a business issue."

It's the employees who are seeing those pop-ups, and while it's not a huge targeted attack, there are several folks out there who are paying for the technical support and then trying to expense that fee to the company. "It's costing the companies, and also results in lost productivity," Haley said.

These scams are all types of volume business, and Haley said, "That was the thing that spam brought. We can target hundreds and thousands of people, and charging a little bit of money over time builds up."

So what does all of this mean for 2017? "Prepare for ransomware that will be targeting business and backups. To date, the theory has been if you have a backup, then you don't need to pay ransom. New ransomware will destroy backups so that it’s not an alternative," Haley said.

One of the best ways to avoid this threat is not allowing clients to write to backups. "You can jump from the client to the backup and use read-only access," said Haley.
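To make that advice concrete, here is a small added example (not code from the article or from Symantec) of the pull model: the backup host copies a client tree into a fresh snapshot and then strips every write bit, so nothing running on the client has a writable path into the copy. Paths and the local copy are placeholders for illustration; in production the backup host would reach the client over SSH or rsync, and the client would hold no credentials for the backup store at all.

```shell
#!/bin/sh
# Added example: pull a snapshot from a client tree and seal it read-only.
# Assumptions: the backup host initiates the copy; the client never mounts
# or pushes to the snapshot store. Uses only POSIX tools (cp, chmod, find).
set -eu

# Copy SRC into a new timestamped snapshot under DEST; print the snapshot path.
# Each run creates a separate directory, so an earlier snapshot is never
# overwritten by a later one that may already contain encrypted files.
pull_snapshot() {
    src=$1
    dest=$2
    snap="$dest/snap-$(date +%Y%m%d-%H%M%S)-$$"
    mkdir -p "$dest"
    cp -R "$src" "$snap"
    printf '%s\n' "$snap"
}

# Seal a snapshot: remove write permission for owner, group and others on
# every file and directory, so no ordinary account can alter or delete it.
seal_snapshot() {
    chmod -R a-w "$1"
}

# Return 0 if no entry under SNAP carries a write bit for any class, else 1.
# Useful as a post-backup check or a periodic audit of the snapshot store.
snapshot_is_readonly() {
    count=$(find "$1" -perm -200 -o -perm -020 -o -perm -002 | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}
```

Note that read-only permission bits stop ordinary accounts, not root; on a real backup host the store should additionally live on a separate system or volume that the clients cannot reach.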

The other potential with ransomware is that new things will become ransom-able. "We will see them doing other things, like attackers threatening to release embarrassing emails if they don’t get paid. The ransoms will go beyond files," Haley said.

As security practitioners and risk officers review policies and procedures for the new year, a healthy dose of common sense end user training might prevent an avoidable nightmare.

