The insider threat. These come in two flavors: duplicitous and duped. Either way, they're sleeping with the enemy. Compromising or turning an insider is a big win for criminals, providing a precious pipeline to account info, network passwords, or a company's deepest secrets. Infecting an outside (or inside) device used at work -- mobile phone, tablet, laptop -- by means of something as simple as an email can get keyloggers and other malware inside the firewall to infect other computers. The FBI warns of criminals targeting bank and credit union employees -- and why wouldn't they? They've gone after folks at the most secure companies in the world already with spectacular results -- just ask RSA and Lockheed.
Medical identity theft. Our push to digitize medical records and associated data -- including identity, insurance and financial information -- has spawned system design flaws, sloppy data handling and everything in between. The logistics of conversion have exposed risks and led to countless breaches -- including data theft and/or loss by third-party contractors. No wonder electronic health records are a magnet for identity thieves -- with potentially deadly consequences for victims, since medical identity theft can mean co-mingled medical records, magically changed blood types, disappearing allergies and looted insurance policies.
Malware, Malware, Everywhere. These days any would-be cyber-mercenary can play "infect your way to riches." Be prepared for more sophisticated, undetectable, and untraceable malware available for low-cost purchase, rental, or lease from the underground purveyors of havoc. Now that botnets (like jet skis) can be rented by the hour, we'll also see more customer-facing networks crippled by denial-of-service attacks in 2013, as hackers distract and exhaust security teams to cover their own tracks.
Nonprofits and foundations. What's more delicious than an unencrypted database overflowing with wealthy donor data? Doubtless, several foundations or charities will face big breaches in 2013. Just don't expect them to be so forthcoming with the details.
Debt collectors. After breaches of several debt collector databases exposed records for hundreds of thousands of debtors (many of whom shouldn't be in those files in the first place), public pressure will build for controls on collection agencies' handling of clients' data -- including a requirement that breach response programs be in place before they can be bonded or licensed.
Infrastructure threat. Some facet of our critical infrastructure -- perhaps the electrical grid, public transportation, air traffic control, banking, medical facilities, or some large bridge or tunnel -- will suffer one or a series of cyber attacks, highlighting the ever-evolving, highly dangerous cyber-war threat and the shared goals of enemy agents, cybercriminals and identity thieves.
Mega breaches of government data. South Carolina's "encryption is hard" data debacle showed how myopic and negligent a government can be. But don't assume politicians learned anything from it -- though it brought the number of improperly accessed files in government custody to nearly 100 million. If anyone learned a lesson, it was the criminals, who will be emboldened in 2013 to revisit that poorly guarded well again and again.