As 2016 draws to a close, we can reflect on a year where cybersecurity has played a major role. Even presidential campaigns haven’t been free from hacking scandals and data leaks. The average cost of a data breach for companies grew from $3.8 million last year to $4 million in 2016, according to the Ponemon Institute.

Companies of all sizes have embraced the cloud and open source has become the standard for infrastructure software. Both pose their own blend of benefit and risk. A major datacenter attack or failure could be problematic for many companies, and we can certainly expect an increase in the number of cyber-attacks based on open source vulnerabilities.

What else does 2017 hold in store? Let’s take a look at five trends we’ll be talking about in InfoSec this coming year.

1. DDoS attacks on IoT devices

Cybercriminals will increasingly target all manner of internet-connected endpoints such as surveillance cameras and employ them in DDoS attacks. In the rush to roll out all manner of IoT devices, security has taken a back seat. That means more serious incidents such as the denial of service attack on domain lookup service Dyn, are highly likely. The Mirai botnet was cited as the culprit, exploiting 50 to 100 thousand IoT devices.

Worldwide spending on IoT security reached $348 million this year, Gartner predicts it will climb to $434 million in 2017. But that won’t be enough, because Gartner analysts still think that, by 2020, more than 25% of all identified attacks in the enterprise will involve IoT.

2. Hackers don’t need experience

The tools that hackers and cybercriminals use are readily available and easily within reach of anyone who wants them and has the money to pay. It’s possible to buy dangerous hacking tools and use them with little to no knowledge of how they actually work. This trend will continue to spark the rapid growth of cybercriminals in the wild. Whether someone is politically motivated, disgruntled about something, or a career criminal, off-the-shelf hacking tools make it easier for them to make their mark and will cost companies millions in 2017.

3. Third-party vendors can be a gateway to their connected customers

Businesses can build an excellent security system and put all of the right policies in place, but until they subject all of their third-party partners to the same level of scrutiny, customers will be at risk. Just look at Wendy’s, where over 1,000 franchised locations were compromised by a Point-of-Sale (PoS) malware attack last summer. There will be more incidents like that until companies rise to the challenge of third-party risk management. Policies need to be tightened up with proper oversight to ensure that sub-standard security measures and systems don’t lead to major exposures.

4. Ransomware

The specter of ransomware, which also appeared on last year’s list, continues to rear its ugly head. In fact, with Trend Micro predicting 25% growth in 2017, ransomware looks likely to spread into IoT devices, PoS systems, and ATMs. If you want your files back after a successful ransomware attack you’re probably going to have to pay the ransom, which is what the FBI actually suggests you do. It will be a lot cheaper to take preventative precautions. If you don’t want to end up held to ransom and out of pocket, then you need to act to mitigate the risk. Start by taking a look at our advice on how to guard against ransomware.

5. Shortage of skilled IT security workers

This has been a long-standing problem. When 775 IT decision-makers involved in cyber-security were interviewed for a report entitled Hacking the Skills Shortage, 82% of them reported a shortage of cybersecurity skills, and 71% agreed that the shortage of skills does direct and measurable damage. With more than a million vacant positions worldwide, there have never been more jobs available in cybersecurity. We must work out why college graduates are shunning these openings and find a way to tempt them in.

In the meantime, hiring talent on a temporary basis is often the only route available for understaffed companies. That’s why the CISO-as-a-service or virtual CISO model is taking off and we expect it to grow more popular in the year ahead.

Whatever 2017 has in store for us, we can all boost our chances of success by taking a moment to review our cybersecurity planning and systems to ensure they’re the best that they can be.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.