Parting Shots (Q4 2021 Issue)

Deputy editor Benjamin David argues that as we enter 2022, ‘transformation without deflation’ should be the rallying call for us all

As we approach the end of 2021, one word continues to fix itself in my mind: ‘transformation.’ The various evolutions taking place within the cybersecurity industry, and the changing attack techniques coming from outside it, require significant steadfastness. The rampant social problems within the industry are being addressed by those courageous enough to oppose them, with the issues of class, gender and celebrification increasingly taking center stage.

Cybersecurity isn't the only thing transforming – our work styles are changing, again, as we return to the office in droves. Yet visions of a return to normality after a dismal 2020 have been altered, if not abandoned entirely, and there is a sense of consternation that further lockdowns are imminent as 2021 winds down. Conversely, one group is more lively and adaptable than ever – the sponsors, practitioners, affiliates and buyers of cyber-attacks. The year 2021 has been a rewarding one for them, and they look forward to a promising 2022, ready to pounce with newfangled attacks.

If we focus on cyber-attacks, various reports point to a very alarming 2021. Purplesec’s 2021 Cyber Security Trends Report reveals that cybercrime has grown by 600% due to the COVID-19 pandemic, with an uptick in sophisticated phishing email schemes in which cyber-criminals and malicious actors pose as representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO).

"The cybersecurity climate is ripe for cyber-attack success"

According to IBM’s Cost of a Data Breach Report 2021, remote work increased the average cost of a data breach by $137,000. Employees working from home typically lack the security controls they would have in the office, making them more vulnerable to cyber-attacks. Cybersecurity Ventures illustrates this upward trend further, predicting that global cybercrime costs will grow by 15% per annum over the next five years, reaching $10.5tn annually by 2025.

Let’s not forget about ransomware. In its State of Ransomware 2021 report, Sophos found that 37% of 5,400 IT decision-makers across 30 countries admitted that their organizations had been hit by ransomware in the past year. Equally troubling is that 30% of ransomware victims admitted that their companies were forced to cut jobs in the wake of an attack. Staggeringly, 54% of those hit also reported that the cyber-criminals succeeded in encrypting their data.

On the theme of transformation, let’s look at the cyber-attackers. In 2021, they transformed their attacks by moving upstream. Not content with targeting end-users, cyber-attackers have fixed their crosshairs on entities with a broad network of downstream users, whether that be critical infrastructure or widely used software vendors. With attacks on water treatment facilities, pipelines and national health services grabbing headlines across the globe, there is a growing confidence on the dark web, with cyber-attackers executing increasingly audacious attacks.

Whatever reports we plug away at and whatever assessment we perform in understanding cyber-attackers, the fact of the matter is that the cybersecurity climate is ripe for cyber-attack success. After all, there are swathes of unprepared security teams, a dire cyber skills shortage, an overuse of legacy systems, unsecured networks and business leaders loath to provide the necessary investment cybersecurity teams need to succeed.

"The reality of Q4 2021 is that organizations have to return to the drawing board to assess their cybersecurity posture"

Naturally, the million-dollar question is what happens next year. The widely shared reports of this year surely adumbrate 2022. Despite the numerous breaches this year, many cybersecurity experts are concerned about complacency. Trite as the comparison may be, many people draw parallels with COVID-19: everybody can fall victim to it, yet nobody believes they actually will. It’s this mindset that keeps cybersecurity teams under-budgeted and shorn of the resources they require, resulting in overwork and underperformance. There is also a genuine lack of coordinated, international information-sharing, investigation and prosecution of attackers, meaning cyber-attackers are given carte blanche to execute almost whatever attack they desire.

The reality of Q4 2021 is that organizations have to return to the drawing board to assess their cybersecurity posture. Period. The hope that instilling sufficient cyber-knowledge in the workforce would solve the problem on its own has proven to be a flimsy strategy. Luckily, more organizations have accepted how vital zero trust architectures, artificial intelligence, multi-factor authentication and data encryption (and beyond) are in fashioning a robust cybersecurity posture. Still, many organizations are lagging behind. “Yes, we know, but” is an all-too-familiar retort from business leaders when pressed on the need to take cybersecurity seriously. More needs to be done. We cannot continue to rely purely on the gallant reformers in the industry to deliver the goods the industry needs.

If business leaders do make the right kinds of investments, we might see a very different 2022 from the one many of us are predicting. Cybersecurity teams will find themselves with the appropriate technical solutions that allow users to do their jobs effectively without seeing cybersecurity posture wane. ‘Transformation without deflation’ should be the rallying call for us all.
