By ryan_francis, Contributor

Remain paranoid, err vigilant, with online security in 2017

News, Dec 20, 2016
Careers, IT Skills, Security

You didn’t think we were going to say you can now relax your security awareness training, did you?

A paranoid user with a laptop computer looks around suspiciously. [credit: Thinkstock]

Remember those Nigerian prince scams? They almost seem quaint now, but 2017 might put a new spin on them that could set security awareness training back years.

Stu Sjouwerman, CEO of KnowBe4, calls the scam CEO fraud, saying it will be an epidemic equaling the ransomware plague we are suffering now. This time around these cyber gangs are really in Nigeria, but they have climbed up the criminal food chain and CEO fraud is their new focus.

"Train your high-risk users within an inch of their lives," he warns.

Oh great.

Like the Nigerian prince scams of yesteryear, one click will ruin an IT team's day. Just one unsuspecting employee who is working on half a dozen things and mindlessly clicks their cursor will send the CSO into a tizzy wondering why his company's security awareness training is not more effective.

Will 2017 bring the same old approach to awareness training? You know what I’m talking about: training sessions held once a year for begrudging workers, or maybe quarterly emails to check whether users were paying attention.

Security execs believe employees must still be on high alert for every email that crosses their desktops, so there is no letting off the gas when it comes to awareness training.


Lucas Moody, CISO, Palo Alto Networks, says the time to implement prevention capabilities has arrived.

"The security industry and supporting technology have evolved considerably since the prehistoric age of stateful inspection firewalls and endpoint antivirus solutions. New platforms have emerged and threat prevention capabilities are now being rapidly adopted. 2017 will be the year with a new rigor on the people side of the equation," Moody says.

Major breaches still rely heavily on the human element -- the compromise of individuals, mistakes made by people, or process breakdowns. Security education and awareness will see a renaissance in 2017, and to truly secure users, organizations will need to address this demand by scaling their security capabilities to every contributor.

Joe Duffey, CISO at Natixis Global Asset Management, says CSOs must instill and maintain a security-conscious culture. As security systems and controls have become more reliable and mature, cyber criminals have focused even more attention on the individual.

"In the last year we have noticed a lot more phishing attacks, along with Business Email Compromise attacks, both of which have become more sophisticated. In the face of this onslaught, associate awareness has become even more critical. If we can reduce the number of compromises, or potential compromises, that start with the end user, it will go a long way to improving our overall security posture," he says.

Part of the success in fending off the bad guys is training and retaining technical employees, Duffey adds. Gone are the days when a security engineer was mainly focused on the firewall. There are many more tools necessary and available to combat the cyber threat, at the edge, at the endpoint and in between. "It is important to identify, develop and train associates who are motivated cyber warriors, and it is an ongoing process, due to the velocity of change. And once you have them, how do we retain them, because the demand is huge and increasing."

Passwords

Corey Nachreiner, CTO at WatchGuard Technologies, believes that increased use of biometrics in 2017 will mask continued credential insecurity. Even so, passwords will continue to be used.

Over the past two or three years, we've been buried in a deluge of password database leaks. This year, Yahoo lost 500 million user credentials, Dropbox lost 68 million credentials, and Mail.ru lost 25 million credentials.

"During all these password database leaks, users still have weak passwords. Worse yet, they seem to use the same password at every site they visit. Every time a big service loses a password database, it puts all companies at risk since that credential could be used at their site as well," Nachreiner says.

This flood of password breaches has had two results. First, users have become desensitized to the problem, developing security fatigue and potentially giving up and adopting worse security practices. Second, the industry has started to question whether passwords should be part of the authentication solution at all.

The security industry has put a huge focus on biometrics, using something "we are" as a key part of the authentication solution. Users now see mobile devices and laptops shipping with fingerprint readers, and Windows 10 using "Hello" to support many biometric authentication options.

The good news is there are a lot of benefits to biometrics. They solve one of the key problems with using strong authentication credentials -- convenience. Creating and remembering many different long passwords is a pain, but looking at a camera to authenticate with your face is the easiest thing in the world, Nachreiner says.

"In 2017, we expect the entire industry to place a huge focus on biometrics. You will see every device start to offer biometric log-in options, and passwords will start to take a backseat to everyday computing," Nachreiner predicts.

Unfortunately, biometrics are not perfect enough that we can rely on them alone, and passwords are still a core part of the operating system. "Even though we may log in with our face, Windows will still require we set up a password as a backup authentication mechanism," Nachreiner says. "The fact that we use biometrics to authenticate might make us forget this password exists, and might even encourage us to use weaker ones... but it will still be there. In 2017, even though we'll start adopting biometrics for authentication, our passwords will still haunt us in the background."