2021 was a record-breaking year for cyber-attacks, with more hacks and breaches recorded last year than in any year past. This record was set despite the federal government putting in place new cybersecurity standards to address the issue and was exacerbated by the continued proliferation of remote work. In 2021, more US workers than ever worked outside of an office, with a survey of US businesses finding nearly 70% have permanently closed some or all of their office space. As a result, the number of open threat vectors has increased correspondingly.
This year, we anticipate that there will be a continued rise in attacks and expect to see more organizations employing zero trust architecture and principles to combat the following threats.
Despite Government Intervention, Supply Chain Exploits Are Here to Stay
From a hardware and software perspective, 2022 will likely see significant supply chain exploits. As the pandemic stretches on, more personal hardware used for remote work, like laptops and wireless routers, might be running out-of-date firmware or using weak passwords, providing hackers with easy access to networks.
Meanwhile, Log4j reminded the world about the security risks of open-source software.
The “Software Bill of Materials” (SBOM) mandate in May’s executive order was a good start to increase visibility and prevent these types of attacks. Vulnerabilities, however, remain. Contractors working with federal agencies are subject to complicated guidelines, and they may struggle to accurately and consistently submit certifications that show their software components are safe and defect-free. Additionally, while generating an SBOM for new software is straightforward, this process is more difficult for software that has already been installed. Vulnerabilities for existing software may pose unseen supply chain problems.
Mercenaries Will Increasingly Carry Out Thinly-Veiled Nation-State Attacks
While supply chain issues will lurk in the minds of many IT professionals this year, homeland security/defense organizations worry that nation-states jockeying for cyber-supremacy will carry out bolder strikes. Over the last few years, attacks serving political and espionage purposes have gone from clandestine to semi-publicized to borderline-brazen.
This year, countries will continue to up their game and carry out more attacks while increasingly leveraging cyber mercenaries to do their bidding, providing some degree of thinly-veiled deniability. This increase could come sooner rather than later, with experts predicting the Ukraine-Russia conflict will serve as a flashpoint.
The US government seems to agree, with Homeland Security warning that Russia may lash out at the US in cyberspace.
Mergers & Acquisitions Will Pose Greater Risks
In 2021, mergers & acquisitions shattered records, with the value of transactions globally topping $5trn for the first time. During that period, countless hours were spent performing financial due diligence to help organizations understand every potential risk.
With another potential record year for mergers and acquisitions (M&A) activity ahead, organizations face increased risk of breaches and hacks. As enterprises combine networks and data, they risk inheriting hidden security issues. One of the most notable recent examples of what can happen without a thorough cybersecurity analysis during a merger came in 2017, when the value of Verizon’s acquisition of Yahoo plunged $350m due to a data breach that affected the latter and compromised over 1 billion customer accounts.
M&A deals can be viewed as another vector for a supply chain attack, and as activity increases, security incidents will as well. In 2022, organizations must give equal consideration to due diligence around cybersecurity or expose themselves to risk.
Zero Trust Will Play a Greater Role but May Lead To Missteps
The Biden Administration’s executive order required federal organizations to quickly adopt zero trust architecture to prevent major breaches like those seen in recent years. While these mandates applied to government agencies, NIST 800-207 requirements are now trickling down to federal contractors, who are seeing cybersecurity standards built into contract terms.
This is a positive development but also presents a risk. If these contractors do not put in the time and effort required to properly implement zero trust architecture and principles, they may end up with incomplete models that can be ineffective and vulnerable. Some organizations are under the impression that zero trust just means multi-factor authentication, but they also need to secure communications and key resources.
This is not a simple task, and companies must be prepared to take the time to build a substantive solution. If implemented correctly, zero trust will ensure that resources, including applications, data and services, are protected by granting access to those resources only to approved users.
While 2022 will see a continuation of the trends and threats that emerged last year, the government’s guidance on zero trust and supply chain reporting is encouraging. With a renewed commitment, hopefully we will see public and private organizations turn a corner and reduce the number of incidents ahead.