The fast-paced field of cybersecurity is reaching the end of yet another turbulent year with numerous high-profile incidents. The real-world impact of many of these incidents, such as fuel shortages in the United States and the cancellation of hospital appointments in Ireland following ransomware attacks, has thrust cybersecurity into the general public's consciousness once again.
Organizations are undoubtedly more vulnerable to attacks due to factors like increased digitization, the shift to hybrid working, and a growing reliance on global supply chains. On a positive note, there are clear signs that public and private sector organizations are taking the issue of cybercrime far more seriously than ever before and are laying the framework for resilient security in the future. With this in mind, Infosecurity has set out our top 10 information security predictions for 2022, using insights from industry experts.
What are your thoughts on these? Are there any key trends you think we should have included? Let us know in the comments section below!
1. Evolution of Cyber Insurance
The role of cyber insurance has increasingly been highlighted over the past year, largely as a result of surging ransomware attacks and demands. Much of this coverage has been controversial, with many industry professionals believing insurance payouts to victim organizations are fuelling these attacks. Nevertheless, it is clear that the increasingly dangerous threat landscape has increased the relevance of the cyber insurance industry, and it will be a vital part of organizations’ cyber-resilience going forward.
The question is, how will this market change as more organizations adopt cyber insurance policies amid rising cyber-incidents? Daniel Soo, a principal at Deloitte & Touche LLP, explained: “With cyber-attacks on the rise, leadership discussions on cyber insurance are rising as well. As the attack surface evolves, so do changes in policy coverage terms and costs. Cyber insurance is one piece of the cyber program management and financial optimization puzzle that leaders are constantly working on.”
Smaller businesses are currently far less likely to have cyber insurance coverage than larger counterparts, and the insurance industry needs to prepare to offer much broader coverage. Jamie Akhtar, CEO and co-founder of CyberSmart, said: “The market is maturing, and demand for specialist cyber insurance is no longer purely the preserve of large multinationals. As a result, we’re likely to see more standardization within the industry and insurance become critical to business resilience.”
2. More Cryptocurrency Heists
This year has seen numerous high-profile – and high value – cryptocurrency thefts, fueled by the surging value of digital money. This includes the theft of an astonishing $610m worth of cryptocurrency from Poly Network in August, although most of the funds were subsequently returned. This is a trend that only seems to be going in one direction, partly due to the lure of the high value of cryptocurrencies, but also its lack of regulation, which makes it the ideal currency for cyber-criminals. Jason Schmitt, general manager of the Synopsys Software Integrity Group, explained: “Cryptocurrency volatility and adoption will both increase, making them an even more attractive playground for malicious forces looking to extract ransom from data heists, as well as attempting to profit from manipulating and stealing cryptocurrencies.”
Mikko Hyppönen, chief research officer at F-Secure, added: “Organized cybercrime gangs don’t like to keep their wealth in real-world currencies but prefer to keep it in cryptocurrencies.”
3. Deepfake Technology Used to Commit Fraud
As deepfake technology becomes increasingly sophisticated, it is likely to be utilized on a much wider scale by cyber-criminals and fraudsters. The potential to dupe victims by accurately impersonating individuals by video or audio is extremely worrying. A handful of examples have already highlighted how it can be used for nefarious purposes; for instance, around two years ago, fraudsters mimicked a company’s CEO using AI during a phone call, convincing an executive at the firm to wire $243,000 into a scam account. Alon Arvatz, senior director of product management at IntSights, a Rapid7 Company, explained: “Using artificial intelligence (AI), cyber-criminals or fraudsters use deepfake technology to either impersonate the face or voice, or both, of a person in order to carry out scams, fraud and social engineering attacks.”
Worryingly, “AI & machine learning will make scam ploys more believable to consumers: As deepfake technology gets better and easier to use, it will become a useful tool for criminals, scammers, stalkers, and activists,” according to Steve Wilson, UK & Ireland Director at Norton.
This is a view shared by Arvatz: “Based on the hacker chatter that we track on the dark web, we’ve seen traffic around deepfake attacks increase by 43% since 2019. Based on this, we can definitely expect hacker interest in deepfake technology to rise and will inevitably see deepfake attacks becoming a more utilized method for hackers in 2022,” he highlighted.
4. Growing Role of AI to Combat Cybercrime
While advances in AI provide opportunities for cyber-criminals to strike, they can also be harnessed to detect and remediate cyber threats, which is critical amid rising attacks on organizations. Preethi Srinivasan, director of innovation at Druva, highlighted its vast potential in the context of ransomware attacks: “AI and intelligent automation will play a crucial role in the fight against ransomware. It is not the need for new AI/ML developments but the need for data protection and resiliency solutions to collect, process, and analyze end-to-end metadata at scale using AI/ML at each step. Readiness, remediation, and recovery will empower the fight against ransomware.”
Andi Grabner, director of strategic partnerships at Dynatrace, hopes AI will increasingly be used to free up the time of stretched security teams in 2022. “Supply chain attacks, data mishandlings and not addressed known vulnerabilities over the last year made it clear that DevSecOps is the next stage of DevOps and the driving force that adds value, speed, and security to all stages of the software development lifecycle (SDLC). As we shift to that next stage, the combination of AI and automation to manage laborious security and CI/CD tasks inherent to cloud-native software development will save teams time while empowering them to proactively address any issues in the SDLC – enabling them to become an even more essential piece of business strategies,” he said.
5. Continued Growth of Data Protection Legislation
Since the EU’s General Data Protection Regulation (GDPR) came into force in 2018, there has been an explosion in data protection and privacy rules worldwide. This includes in the US with the California Consumer Privacy Act (CCPA) and in China and Brazil, while similar legislation is pending in India and Japan.
This trend is expected to continue in 2022, especially in the US. Jung McCann, Chief Legal Counsel & Elizabeth Schweyen, senior manager, global privacy and compliance at Druva, commented: “Businesses will be preparing for CPRA, the CCPA amendment, which goes into effect January 1, 2023. While California, Colorado, and Virginia have enacted comprehensive privacy laws, some other states have enacted privacy laws related to specific sectors or individuals (i.e., children, finance, breach reporting requirements, etc.). We anticipate seeing more US states passing comprehensive privacy laws more closely aligned with those in California and the EU.”
Many experts also expect to see a federal privacy law passed at some point, although it is unclear how far into the future that would be.
The rise in data protection legislation is also expected to translate into continued growth in financial penalties for organizations that experience data breaches. Schweyen added: “Because companies continue to have more and more data on individuals at their disposal, the number of individuals and the volume of data impacted by data breaches will continue to grow. An obvious outcome of larger data breaches is increased fines. And, with more data privacy laws being passed, there is a greater likelihood that organizations experiencing a violation will be fined in multiple jurisdictions. For example, a single data breach could result in fines in the EU, UK, California, Brazil, etc.”
6. Increased Adoption of Zero Trust
As hybrid working models become established in organizations, experts predict increased adoption of zero trust security models next year. Zoom CISO Jason Lee said: “To adapt to hybrid working environments, more companies will drive to adopt the Zero Trust security model.
“Conversations around protecting the hybrid workforce from risk will lead security professionals to adopt modern tools and technologies, like multi-factor authentication and the zero trust approach to security. I believe that companies need these tools to make sure their employees can get work done as safely as possible from wherever they are – commuting, traveling, or working from home – and that all of their endpoints are secured with continual checks in place.”
Eric O’Neill, national security strategist, VMware, agreed that this approach will be critical in defending against attacks in the modern world. “In 2021, defenders caught the highest number of Zero Days ever recorded. We saw a massive proliferation of hacking tools, vulnerabilities, and attack capabilities on the Dark Web,” he noted. “As a response, 2022 will be the year of zero trust where organizations 'verify everything' vs. trusting it’s safe. We’ve seen the Biden administration mandate a zero trust approach for federal agencies, and this will influence other industries to adopt a similar mindset with the assumption that they will eventually be breached. A zero trust approach will be a key element to fending off attacks in 2022.”
7. Governments Taking a More Proactive Role in Cybersecurity
In the US, the Biden Administration has taken a particularly active role in improving the nation’s cybersecurity this year. This includes issuing an executive order mandating all federal government software suppliers to introduce zero trust.
The UK government has similarly set out new cybersecurity requirements this year. As cyber-threats facing critical national infrastructure grow, we will likely see governments continue to take an increasingly active role in cybersecurity. CyberSmart’s Akhtar noted: “We’re seeing the UK government taking a more proactive approach to consumer and SME cybersecurity. A great example of this is the Product Security and Telecommunications Infrastructure Bill (PSTI), recently introduced to parliament.”
8. New Approaches to Cyber-Awareness Training
It has been well recognized that the shift to hybrid working has increased individual employees’ exposure to cyber-attackers, leaving businesses more vulnerable to breaches. “Most breaches happen the same way – stolen credentials, social engineering, or common vulnerabilities in unpatched software that are exploited. What has changed is our level of vulnerability due to societal changes – the attack surface is everywhere now,” explained Peter Albert, CISO of InfluxData.
Therefore, responsibility for an organization’s cybersecurity cannot solely lie with IT teams anymore and instead should be shared throughout an entire workforce. Albert added: “IT leaders shouldn’t think of security as a separate entity with a siloed team and resource. Security must be distributed and embedded into the organization and baked into every aspect of the stack, meaning security is incorporated into the day-to-day of every department. That way, the entire company becomes the security team.”
This requires new and innovative approaches to security awareness training for general staff next year. Kevin Breen, director of cyber threat research, Immersive Labs, said: “In 2022, there’s a lot more we can do to educate the entire workforce on how they can best identify and be prepared for cyber risks – and empower them to be defensive assets to their organizations. This now lies beyond security teams; it’s everyone’s responsibility and remit, from legal to sales to technical teams. Organizations need to ensure there is a fundamental understanding of security and cyber crisis preparedness workforce-wide, and I expect we’ll see businesses make more deliberate efforts and investments to address this gap.”
9. Increased Focus on Supply Chain Risks
The issue of supply chain security has well and truly hit the headlines in 2021, with the SolarWinds and Kaseya attacks demonstrating how threat actors can target a huge number of organizations by breaching a single link in a supply chain. With attackers likely to ramp up the targeting of supply chains, it is hoped that 2022 will see organizations introducing new security approaches in response. Cyber secure supply chain leader at Deloitte, Sharon Chand, said: “Security concerns will climb among supply chain risk management efforts. The global supply chain is at the forefront of everyone’s mind today – including cyber-attackers. While organizations focus on supply chain challenges like unloading container ships and managing workforce shortages while containing cost, cyber-attackers are busy leveraging a hyper-connected digital supply network to invent new attack vectors. Now is the time to move beyond just monitoring security risk in supply chains and to start taking action to mitigate it.”
Zoom’s Jason Lee concurred, stating: “In security, you always need to be thinking ahead about what might come down the pipeline. From SolarWinds in December 2020 to Colonial Pipeline and Kaseya in 2021, our industry saw a distinct increase in supply chain attacks. CISOs and CSOs will need to make sure their vendors are also secure. This includes looking at third parties related to the business and assessing how to best manage any risks.”
The need to stringently assess global suppliers and partners will increase the relevance of third-party risk management teams in the view of Kevin Dunne, President, Pathlock. “Third-party risk management teams will likely play a key role in developing programs to track and assess software supply chain security, especially considering they are usually the front line team who also receives inbound security questionnaires from their business partners,” he commented.
10. Organizations Will Strengthen their Cloud Resiliency
There has been a significant growth in cloud adoption to help facilitate hybrid working during the COVID-19 pandemic. Many experts now expect organizations that have made this move to enhance the resiliency of their cloud services next year. David Gildea, VP Products at Druva, believes cloud providers will be increasingly competing on this issue. “Cyber-resiliency has now become the number one item with respect to moving to the cloud; it may even slow down companies moving to the cloud as they stick with tried and tested data center solutions until such time that they feel entirely comfortable with what the cloud is providing them,” he outlined. “Every conversation with customers will now start and end with cyber-resiliency. This will be the biggest differentiator between cloud providers – those that have really increased their cyber-resiliency through acquisition or native tools are the ones that will win the cloud.”
This desire for resiliency may fuel a rise in multi-cloud architectures, according to Keith Neilson, technical evangelist at CloudSphere. “Companies already in the cloud will continue to evolve and rationalize their multi-cloud strategies for any number of reasons that may include pricing, availability, license bundling and other factors. Because of this, we will see more cloud-first enterprises moving resources from one cloud to another,” he explained. “So, while such an enterprise may have a steady percentage of its assets in the cloud over time, those assets will be spread across a more diverse third party landscape of multiple cloud providers. The cyber asset management mandate in this scenario will be to facilitate smooth and secure operations over this range of multiple cloud vendors – so the enterprise can reduce risk exposure from having a single cloud vendor without introducing new risks from misaligned multi-cloud assets.”