• United States




These are the threats that keep me awake at night

Feb 02, 20175 mins

Articles about predictions for 2017 can be entertaining, but I am concerned about the cybersecurity problems we face today.

awake at night
Credit: Thinkstock

We have fortunately reached the date on the calendar when the myriad of articles predicting hot information security issues for 2017 have begun to wind down. I say fortunately, because I personally have never found much use for them.

In many cases, they predict things that are readily obvious — for example, ransomware will be a greater issue in 2017. I can all but guarantee that this prediction will come true, as can almost anyone in the industry. Since ransomware built momentum in the fourth quarter, it is unlikely to dissipate in 2017, despite California making it illegal

The other type of predictions usually found in these articles are the ones from left field — the wild conjectures. The writers include them because they sound interesting and attract attention. They may never come to pass, but since nobody tends to audit prediction articles, it will all be forgotten when the 2018 prediction articles start hitting in December. 

Since I find little value in such articles, I don’t write any of them myself. Frankly, I spend too much of my time worrying about the cybersecurity issues I face today. To protect the organizations I have responsibility for, I must focus on what is in the threat landscape today, with enough vigilance to watch for evidence of new threats. After all, the bad actors are at least as good at coming up with new ideas as we writers are. 

To that end, instead of the obligatory prediction article, I will provide a brief list of the threats that are currently keeping me up at night, and why.


In our efforts to contain threats known and unknown, we in the industry are building increasingly complex networks, including numerous security devices. This trend is creating a challenge in itself — the difficulty of managing such complex implementations.

Broad security solutions often involve many moving parts, and someone must understand the big picture in order to maintain and troubleshoot them. I know of one organization this week that had issues because of a minor security program everyone had forgotten about.

Internet of things (IoT)

The increasing introduction of IoT devices continues to trouble me. While the hijacking of such devices to bring down networks — such as the recent DDoS attack by the Mirai botnet — makes the news, this is not what bothers me the most. My concern is the influx of such devices into corporate networks with poor management or planning. Without vigilance, these devices can become a back door, allowing an attacker to gain access to a valuable corporate network.

An article this week in Top Tech News correctly observed that the a growing number of IoT devices are cloud-controlled, and this cloud channel increases the chances for network compromise.

Our users, ourselves

Let’s face the facts: A single user clicking on a phishing link can compromise the security of an entire organization. That thought should certainly lead to some sleepless nights.

Gone are the days of phishing messages that contain obvious misspellings and poor interpretations of the English language. These messages are now sophisticated enough to fool many information professionals. If they can fool us, it is hard to expect our users to spot them.

Over-reliance on threat intelligence

The concept of threat intelligence is sound: Use another organization’s discoveries about potential threats to augment your own security. The problem is that the quality of threat intelligence data is highly variable. Those who rely on it without the proper vetting may make matters worse and not better.

As an example, many organizations applied the indicators of compromise provided by the U.S. government as part of the Grizzly Steppe investigation to their own monitoring systems. Burlington Electric was one such organization, and it quickly identified a PC with activity matching information in the government alert, causing a media storm related to the U.S. electrical grid being “hacked.” Sadly, some of the information in the alert turned out to be inaccurate, and much time was expended investigating an employee who had innocently checked his Yahoo email.

Under-reliance on threat intelligence

On the other hand, the many who ignore the wealth of available threat intelligence information also help my sleep deprivation. A wealth of good information is available, much of it free. While it does require some analysis, organizations can avoid many problems that others have experienced by making use of this information.

Mega data breaches

Many large data breaches have made the news in recent months: Yahoo (twice), LinkedIn, MySpace, etc. These breaches are bad enough on their own, but the aftermath is at least as bad. The bad actors, armed with a wealth of personal data, launch major phishing and spear-phishing attacks. As a result of this, a single large breach is quite likely to facilitate others.

Bottom line: Articles about predictions for 2017 can be entertaining, but I am concerned about the problems in cybersecurity we face today. Until we are handling those well, it is best that we not spend too much of our time trying to anticipate tomorrow.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author