If 2021 showed us anything in the cybersecurity space, it's that no
industry is exempt from the effects of cyberattacks. Ransomware-as-a-service
(RaaS) gangs were able to penetrate critical supply chains, healthcare
organizations and many other industries, proving that no one can be cavalier
when it comes to their protective measures. Below, several cybersecurity experts
have provided predictions on what companies will need to be aware of in 2022:
Tyler Farrar, CISO, Exabeam
"What do ransomware, phishing, advanced persistent threats and the like all have in common? Access. In the New Year, organizations should expect all of these attack methods to grow, but an all-too-important area to watch out for that often gets missed is initial access brokers.
Initial access brokers are individuals or groups that resell credentials in the criminal marketplace. In turn, other adversaries can use the information to cause further damage to a company, often going undetected. According to a recent SANS Institute survey, 14% of organizations on average have indicated that the time between compromise of a network and detection of an adversary is between one and six months.
Nation-state groups in particular will continue to take advantage of this information to conduct continued and persistent access attacks. Similar to trench digging in actual warfare, they will keep manufacturing exploits to launch a full-on cyberwar in the future.
The key to stopping the most popular attack methods used by adversaries today is to control access points and reduce overall dwell time. One of the simplest ways for organizations to achieve this is by preventing compromised credential incidents - which are the reason for 61% of breaches today - and monitoring user behavior. Doing so provides the context needed to restore trust and react in real time to protect user accounts -- halting malicious access in its tracks."
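A concrete version of the behavioural monitoring Farrar describes, as an added example that is not Exabeam's code: the script builds a per-user baseline of source networks and login hours from a constructed authentication log, flags later successful logins that fall outside that baseline, and reports the earliest anomalous login per user as the point from which dwell time should be counted. The log format, the /24 grouping of source addresses and the 15 November training cutoff are assumptions of the example.

```python
"""Baseline-and-deviation check over authentication events.

Added example (not Exabeam's code). Learns each user's normal source
networks and login hours from a training window, then flags later
successful logins that fall outside that baseline. Log lines are
constructed; the /24 grouping and the cutoff date are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample log: ISO timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2021-11-01T08:55:12Z alice 203.0.113.10 success
2021-11-02T09:02:41Z alice 203.0.113.10 success
2021-11-03T08:47:03Z alice 203.0.113.12 success
2021-11-04T17:30:55Z alice 203.0.113.10 success
2021-11-01T10:10:00Z bob 198.51.100.7 success
2021-11-02T10:15:20Z bob 198.51.100.7 success
2021-11-03T11:01:09Z bob 198.51.100.9 success
2021-11-29T03:12:44Z alice 192.0.2.55 success
2021-11-30T09:10:00Z alice 203.0.113.10 success
2021-11-30T10:05:33Z bob 198.51.100.7 success
2021-12-01T02:40:12Z bob 192.0.2.55 failure
2021-12-01T02:41:02Z bob 192.0.2.55 success
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(log_text):
    """One dict per line; the source IP is collapsed to its /24 network."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append({
            "ts": _ts(ts),
            "user": user,
            "net": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
            "outcome": outcome,
        })
    return events


def build_baseline(events, cutoff):
    """Per-user set of source networks and login hours seen before the cutoff."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["outcome"] == "success":
            baseline[e["user"]]["nets"].add(e["net"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def find_anomalies(events, baseline, cutoff):
    """Successful logins after the cutoff from a new network or an unseen hour."""
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["outcome"] != "success":
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["net"] not in b["nets"]:
                reasons.append(f"new source network {e['net']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}h")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


def earliest_anomaly_per_user(findings):
    """First suspicious login per user: the earliest date a compromise may go back to."""
    first = {}
    for ts, user, _ in findings:
        if user not in first or ts < first[user]:
            first[user] = ts
    return first


def run(log_text=SAMPLE_LOG, cutoff_str="2021-11-15T00:00:00Z"):
    cutoff = _ts(cutoff_str)
    events = parse(log_text)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    findings = run()
    for ts, user, reasons in findings:
        print(ts.isoformat(), user, "; ".join(reasons))
    for user, ts in earliest_anomaly_per_user(findings).items():
        print(f"{user}: investigate from {ts.isoformat()}")
```

On the constructed log the two off-hours logins from an unfamiliar network (alice on 29 November, bob on 1 December) are the only findings; bob's preceding failure on the same address is ignored by the rule but would be a natural second signal to add. A real deployment would learn the baseline continuously and use ASN or geolocation rather than a /24, but the shape of the check is the same.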
Steve Cochran, CTO, ConnectWise
Infosec will dominate our lives in the tech space for the
foreseeable future. Companies may think they're protected; however, many of
them are using slingshots to protect themselves while the bad guys have tanks,
bombs, and machine guns. We have a long way to go as a technology-driven
society in terms of cybersecurity. Getting ourselves to the point where we
aren't at risk of a serious attack will be our focus for the next two to three
years. On the less serious side, tools that allow us to better engage in the
new hybrid working model will become more prevalent. Solutions will be
developed that will allow us to work in a more meaningful way during this new
era. Tools that let us set up conferences, arrange food deliveries, and show
who is in and out of the office will take center-stage now that the majority of
companies have introduced hybrid working models.
Neil Jones, cybersecurity evangelist, Egnyte
"Ransomware-as-a-service (RaaS) will continue to grow and become more sophisticated over the next year. By September of 2021, the number of publicly reported data breaches had already surpassed the total of the previous year by 17%. This is not a new problem, and with its increasing frequency it's important for our leaders to understand how profitable an industry RaaS has become, and the risks they may be facing.
While it's easy to imagine these cybercriminals as an underground operation in someone's basement, they don't always appear that way. In fact, the group linked to the Colonial Pipeline attack was anything but 'hackers in hoodies.' They fronted themselves as an agency selling cybersecurity services, including a predictable schedule, benefits and lunch breaks as part of their job posting.
If we can take any lessons from this, it's that we cannot
underestimate the intelligence of these RaaS gangs. They are constantly
overcoming systems and evolving with new technological advancements. Don't let
your company be fooled by false notions or assumptions about cybercriminals,
especially that paying ransom will magically restore access to your company's
files. Instead, stay proactive and vigilant as you create and manage your
cybersecurity systems."
Jeff Sizemore, chief governance officer, Egnyte
"We can expect to see a steep rise in US state-by-state data
privacy requirements and movement toward a potential federal privacy law in
2022. In fact, by 2023, it's expected that 65% of the world's population will be
covered by privacy laws.
This becomes even more critical with many companies' employees
working from home or adapting to hybrid work models. Increasingly, these
organizations are aiming to be more data-driven by measuring employee
productivity. To achieve desired productivity, organizations will need to ask
employees intrusive questions, and those questions will create their own
privacy impacts.
Increasingly, personal privacy is being viewed as a human right,
and the way vendors handle consumer and employee data will determine how much
the public trusts them and wants to conduct business with them.
Protecting unstructured data will likely be one of the biggest
challenges in the new year. If you can't see it, you can't govern it. If you
can't govern it, you definitely can't manage privacy. However, organizations
need to have visibility into structured and unstructured data to build out an
effective data governance program, and there are data security and governance
tools available to protect that information across the board. We also expect to
see ongoing privacy assessments becoming more common. Organizations need to put
privacy at the forefront and make sure they are solving the problem
holistically in the new year and well beyond."
Neil Jones, cybersecurity evangelist, Egnyte
"In 2022, I hope to see executives finally view cybersecurity as a
wise investment rather than an optional budget line-item. Significant
investment is required to stay one step ahead of cyber-attackers, and ongoing,
company-wide cybersecurity training is required for employees in our 'work from
home' world. Modern businesses can't have effective data governance and
security programs that consist of a single person, and historically, far too
many companies have relied on the CISO's or CPO's efforts alone. Cybersecurity needs to be an all-hands company effort.
In the new year, we will be seeing further distribution of risk
management within companies and hope to see increased engagement from end-users
and customers, so they can better understand what is happening at a security
level. Any opportunity to educate individuals about security and privacy will
be a step in the right direction as people are more drawn to being educated
than being sold to. And, just like travelers at a bus or a train station, 'If
end-users see something, they should say something.'
It is time for companies to make humans part of the solution,
rather than the cause of the problem. Transparency of risk with the Board and
internal staff will help stakeholders understand the importance of the security
teams' requests and will maximize organizational buy-in."
Jeff Sizemore, chief governance officer, Egnyte
"The ransomware attacks that impacted Colonial Pipeline,
SolarWinds, and Twitch in 2021 have put cybersecurity at the forefront of
global business operations - both for consumers and businesses. The immediate
impact of a data breach is devastating but it's only the tip of the iceberg.
According to an IBM study, the average cost of a data breach is
more than $4 million per incident. Unfortunately, recovery from an
attack is a perpetually uphill battle that will continue as we move into 2022.
With the onslaught of breaches expected to continue, so will the
spike in cybersecurity insurance premiums. Insurance carriers will perform
their due diligence on hacked companies delving into their CSOs' preparedness
activities, data suppliers and supply chains, leaving no stone unturned.
Currently, insurance policies are increasing at a rate of 200-300% at the
time of renewal and that trend is anticipated for the
foreseeable future. It's a Catch-22; the higher the risk, the harder it can be
for a company to find insurance coverage, which can impact new business and
government contracts.
The long-term damage a data breach does to a company, no matter the
size, only exemplifies the importance of data protection. As we roll into 2022,
companies must keep cybersecurity a number-one, top-of-mind issue in all of their business operations."
Neil Jones, cybersecurity evangelist, Egnyte
"In 2021,
attackers noticed that major data breaches or ransomware attacks could influence a company's stock and brand reputation,
and public announcements could disrupt customers, partners and business
markets. In 2022, we expect attackers to begin leveraging attacks to not only
collect ransom, but to make additional profits trading on the information by
announcing ransomware attacks publicly. Ransomware attacks may even be timed to
coincide with quarterly earnings announcements or other events."
John Noltensmeyer, chief technology officer at TokenEx
"My advice to organizations in 2022, as we continue to see the
proliferation of privacy laws both at the state level, and potentially the
federal level, is that globally, organizations need to ensure that they have a
lawful basis for collecting data. That has been part of European data
protection law for decades. In the United States, we have treated personal data
as a free-for-all: if you can collect it, then you can do anything you want
with it. That is obviously changing, so if organizations are not considering
that, and not using something like the GDPR or CCP as a guide - even if an
organization feels those laws don't apply to them - they should absolutely
begin considering the effect of similar legislation on their organization. It
is likely that there will be some type of comparable regulation that does apply
to their business within 2022."
Matthew Meehan, chief operating officer at TokenEx
"For data security and protection, if an organization has to
extensively re-architect its internal environments to be secure, it will be
difficult to ever reach project completion. And environments will change again
before they're done. Instead, organizations need to find data protection
approaches that provide the flexibility to work with and conform to the
specific environment."
Matthew Meehan, chief operating officer at TokenEx
"Indeed, the continued rise in cyberattacks we witnessed in 2021
will cause C-level execs to take cybersecurity more seriously. There are two
risk buckets to consider in this regard: business interruption risk (where the
business goes down as the result of an attack); and liability for loss of
sensitive customer and other data. The technologies to manage these risks are
different, but both sets of risks are concrete, quantifiable, and have a
direct, immediate economic impact as well as reputation and brand-value
implications. Boards and executives that appreciate the quantifiable aspects of
these risks will invest wisely to protect and build company value over the
coming years."
Steve Moore, chief security strategist, Exabeam
"Quality leadership is essential in running a successful company, but did you know that poor leadership methods result in poor performance and a heightened risk of cyberattacks?
We've seen a steep rise in cybercrime in 2021 that we can expect to continue into the new year, and an effective defense begins with influential leaders. However, it would be a shame if leadership adapted to new work dynamics as they've historically adapted to adversaries - which is slowly.
This cybersecurity climate applies more significant pressure to leaders and will strain the mediocre ones well beyond their value. In this example case, defenders' networks, already rife with gaps and missing capabilities for digital adversaries to exploit, will fail to meet the basics of relevance. Leaders who focus on outcomes for their staff - on the 'why' instead of the 'how' - and reflect on their abilities to lead, retain, and recruit will come out on top.
An unproductive and stressed security operations center (SOC) only places a target on a company's back, leading to the loss of talented workers in an already competitive sector -- and potential loss of business due to data breach-driven reputational damage. Instead, SOC leadership should carefully track the happiness and career fulfillment of their staff.
Now, the question from a technical and human perspective is this: how quickly can the defending organization adjust to such rapid and frequent attacks -- and improve internal culture during change? In addition, cybercriminals are increasingly targeting companies going through significant financial events, such as acquisitions and mergers, knowing security teams are likely unstable, stressed, and managing integrations during the process.
This tidal wave of cybercrime will not die down any time soon. Still, if SOCs dedicate themselves to understanding the adversary and hire leaders who focus on a healthy culture that boosts morale, a better outcome of defense will be fostered."
Gorka Sadowski, chief strategy officer, Exabeam
"If we've learned anything in 2021, it's that cybercrime is a
collaborative effort in which crime syndicates share and learn from each other
to make their attacks increasingly sophisticated and damaging. With global
ransomware payments on track to hit
$265 billion by 2031, cybercriminals have the resources they
need to work together in developing new and improved ways to breach organizational
frameworks around the world.
As the year draws to a close, I'm excited to see organizations take
cybersecurity much more seriously and realize that we're in this together. 2022
will be a test of how well we can work together, putting collaboration above
competition in order to fight against the growing threat that cybercriminals
pose to industries of all scopes and kinds. Cybercriminals have shown to be
highly coordinated, so the only hope we have in defeating them is to be just as
united in our efforts.
Another encouraging sign to take into the new year is that
governments are finally beginning to mobilize and take action against
cyberthreats. In the past, it has been largely down to each organization to
fend for itself, which inevitably exacerbates asymmetry between well-funded
attackers and individual defenders, leading to costly breaches. Initiatives
such as California's
Cal-Secure plan show governments are taking a stand and promoting
comprehensive, collaborative efforts in the fight against cybercrime.
Cyberattacks can have devastating consequences on both the public and private
sectors alike, making government support crucial.
Cyber adversaries, unfortunately, won't be going away anytime soon,
so the key moving forward is for businesses and governments to consolidate
their efforts and support each other as the threats grow both in complexity and
ambition. We're poised to achieve great things if we remember who the enemies
are and focus on how we can help each other defend against the next threat that
comes our way."
Samantha Humphries, head of security strategy EMEA at Exabeam:
"Ransomware has been at the
forefront of cybersecurity concerns this year and I think, unfortunately, we'll
continue to see the hold of ransomware leading to extortionware, and also as a
distraction. Ransomware is an 'end problem' for companies. It's not a case of
getting struck by a cyberattack and asking 'what do we do now?' - by that point
it's far too late. Instead, it needs to be a question of 'how do we make
ourselves less of a target to begin with?'.
The crux of the problem is that there's an overwhelming amount of
false confidence by companies thinking 'it won't happen to us' because they've
added a new compliance tool, or moved to the cloud. It's not that simple.
Cybersecurity is not a 'tick box exercise' and then you're safe. Too many organisations still have this
mindset that sees them scrimp on the fundamentals of cyber hygiene.
Everything starts with having visibility across your systems. Put
simply, if you don't know what you've got, you're not going to be able to
protect it. This insight will help to provide teams with a clear understanding
of user accounts' and devices' normal behaviours, enabling them to spot
anomalies more easily when they happen - and they will. Not to mention,
distributed workforces and a work-from-anywhere culture have meant less
visibility, less control, and less understanding of what covid-world and beyond
'normal' user behaviour is.
I don't think we've seen the whole brunt of the shift to remote
work yet. The combination of dispersed workforces and more employees using
personal devices for work will continue to open up the potential for an influx
of Bring Your Own Device (BYOD) security risks, meaning growing attack surfaces
and increased vulnerability to security threats.
Though it may feel like we are against all odds, it's important to
not be discouraged, downtool, or divest our security teams. Companies must
continue to tackle modern threats head on, replacing outdated security tools to
ensure security teams are prepared and have the ability to understand exactly
what's going on inside their changing IT environment."
Samantha Andrews, director of account based marketing at Exabeam:
"It's apparent that many company boards are still not prepared for
cybersecurity, and are not making the connection between the pervasiveness of
cyber threats and their vulnerabilities. All too often, cyber is taking a
backseat behind regulatory and reputational risks.
The last 18 months have been eye-opening for everyone - we've seen
the biggest shift in working patterns since the Industrial Revolution, it's
been a catalyst for change across numerous industries, and called for people to
reflect and rethink their priorities. We also saw exponential growth in
cyberattacks where threat actors took advantage of the disruption. As a number
of prolific data breaches have hit headlines this year, you'd hope it serves as
a reminder to boards and C-level executives to take cybersecurity more
seriously. Cybersecurity needs to begin in the C-suite.
C-suite executives are among the top targets for attackers and
because of their growing exposure to cyber attacks, they need to ensure that
they are not the weak link in the cybersecurity chain. I hope that this coming
year will be the one where cybersecurity becomes a fixed board agenda item.
It's time to adjust thinking to discuss risks, review contingency plans, and
shake off the false sense of 'it won't happen to us' confidence - because
cyberattacks are inevitable. It's not a question of 'if' and more a question of
'when' you'll be a target, if you haven't been already.
2021 proved what we already knew... that nothing is off-limits. We've
experienced monumental change and the C-suite must now make fundamental changes
too, bolstering cyber-crisis preparedness in the fight against ever-changing,
ever-evolving cyber threats. Next year will be a huge opportunity for
everyone."
Danny Schaarmann, CEO, xSuite North America
"E-invoicing is a disruptive technology that gives organizations
the ability to easily digitize their processes. E-invoicing will become more
common going forward as organizations transition into going paperless. From the
customer's perspective, many organizations are already relying on digital
documentation, but suppliers need to catch up. Companies that have a stable
Electronic Data Interchange (EDI) process can expect it to be replaced by
e-invoicing in the near future. While some countries, like Aruba for example,
have already implemented paperless invoicing, the US could follow suit in the
future. In 2022, expect to see states begin to make moves, starting with
California."
Danny Lopez, CEO, Glasswall
"Before we take a look at what organisations will be facing in
2022, it is important for security professionals to reflect on what has worked
for adversaries in the past year. During 2021, a cyberattack occurred
every 39 seconds. The world experienced a ransomware
explosion, which will likely continue its upward trajectory in 2022. Strict
sanctions on countries like Russia and China also increased tensions and led to
several large-scale cyberattacks being attributed to the two nation states.
Due to their successes, adversaries are going to get craftier in
their practices in 2022. The attackers will use a more personalised approach
and aim to blend into the network to look like an insider. Cybercriminals will
target more customer success centers to increase the chances of a big cash
payout. Ransomware crime organisations may ask for less and allow for payment
flexibility, so they can receive steady income over say 12 to 18 months.
Tension in the South China Sea is also going to have a lot of
influence in the threat landscape. A large number of warships on both the
Chinese and American side are currently residing in a very small geopolitical
zone. History shows when those things happen there tends to be an event that
triggers an avalanche. Cyber is the newest warfare tactic, and a small spark
could launch flames that engulf a large number of countries into a full-on
cyber conflict threatening the global supply chain.
We need to learn from our mistakes, and stay vigilant, in order to
bolster cybersecurity defenses. It's impossible to look into a crystal ball and
predict the future, but we have the past to learn from in order to move forward
to a more secure future."
Danny Lopez, CEO, Glasswall
"With each new year, it's important for executives and board
members to view their cybersecurity measures with fresh eyes. Hackers will
never rest when it comes to finding new angles to break into organisations'
critical systems. Once one problem is patched, they will just continue to poke
and find new openings that will enable them to steal data or move laterally
across the network. One way this is expected to escalate over the next year is
through the insurgence of bad actors and insider threats. According to IBM, 60%
of organisations have more than 20 incidents of insider attacks a year and the
cost related to these incidents was over $2.7 million. This means not only do
companies need to be aware of exterior threats, but aware of internal
vulnerabilities by implementing a zero trust approach.
With all these things to consider in a board environment, the
conversations need to be constructive and centered around a proactive approach.
Not only do leaders need to be aware of the massive risk that isn't going away,
but ensure that a zero trust approach is in place. No organisation, large or
small, is exempt from the risk of cyberattacks. Remaining vigilant will empower
companies as they move forward."
Danny Lopez, CEO, Glasswall
"If there is any topic the cybersecurity industry will continue to
discuss in 2022, it's the talent shortage. In the U.S., there are almost
500,000 jobs to be filled in this industry alone. What's more troubling is
that it's not just organisations competing to secure talent anymore since
ransomware-as-a-service (RaaS) has entered the market. Cybercriminal groups are
heavily recruiting in tandem. In an attempt to respond to the skills shortage
exacerbated by the 'great resignation,' commercial enterprises will find
themselves also looking at the talent pool of former (and now reformed) hackers
in an effort to improve their own cybersecurity systems and pad their teams.
The most easily achieved response to addressing the labour shortage
today, beyond getting creative with hiring, is to ensure that organisations
have the correct products to protect their systems and data and automate more
menial tasks for their security analysts and leadership -- so they can spend
their time focusing on stopping digital adversaries. Overall, companies must be
proactive in both their recruitment and building out their cybersecurity
infrastructure."
Steve Roberts, chief financial officer at Glasswall
"Many organisations are currently still figuring out what a hybrid
working model means for them. Permanent office space and long term leases are
likely to be a thing of the past and this will inevitably lead to a shift in
budget allocation. My advice for businesses in 2022 is to ensure any budget
that is no longer attributed to office leases is reallocated to effective
collaboration tools, increasing security and employee wellbeing. Unused budget
is not a net saving, so it should be applied elsewhere to ensure that the new
hybrid working model is secure and healthy.
Companies implementing a hybrid working model should ensure both
their office infrastructure and remote working environments are secure. Remote
working can result in security vulnerabilities, particularly if employees are
using their own devices to connect to corporate systems. Budget should be
reallocated to invest in security solutions that will close these gaps and keep
systems and data secure.
With the uncertainties around long-term working models, most
organisations don't want to be tied into long-term contracts. Technology
providers will need to rethink and evolve how they are selling their products.
Offering short-term contracts for SaaS solutions that can be deployed solely in
the cloud or as a hybrid solution will enable businesses to better support
their customers. Organisations aren't going to transition to the cloud
overnight, so technology solutions need to be able to protect them in every
environment."
Paul Farrington, chief product officer at Glasswall
"We're constantly seeing cybercriminals changing their methods, and
this will continue in 2022. Not only do we anticipate the use of automation to
create scale - for example in DDoS attacks and the communication of malware -
but we're seeing machine learning (ML) being used to make attacks more
effective. It's one thing for a human attacker to analyse email characteristics
to work out what entices a reader to click on a malicious link - applying ML to
this adds a completely new dimension. In doing so, attackers have an almost
infinite ability to tweak variables and ultimately secure a better payoff for
their efforts.
This kind of analysis - where ML is used to make small changes to
malware properties, for example in a PDF or a Word document - needs to be
stopped in its tracks. Organisations need to seriously consider whether this
type of malware will evade detection from their anti-virus tools. If the
answer's yes, the problem needs to be looked at in a new way.
Polymorphic malware has been around for a decade - metamorphic
malware, on the other hand, is a more recent phenomenon. It's taking time for
organisations to build up strategies to combat it. I predict that this form of
malware will take off over the next few years, as cybercriminals increasingly
leverage ML to make malware more personalised, and thereby easier to evade
detection.
At the extreme end, this will see every piece of malware become
novel or unique. This makes it far more likely it will be able to slip through
an unknown gap in the defenses. Delivered at scale, this has the potential to
become a significant problem for organisations that are not taking a proactive
approach to file sanitisation."
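An illustration of the detection problem Farrington raises, added here and not Glasswall's code: two constructed PDF-like byte strings carry the same auto-running JavaScript action but differ by a single comment line, which already changes their hash and defeats a hash blocklist; a scan of the object structure flags both, and a deliberately simplified sanitiser removes the active-content entries while keeping the page objects. The object layout, the keyword list and the regular expressions are assumptions of the example, not a full PDF parser.

```python
"""Hash matching versus structural inspection of a file-based lure.

Added example (not Glasswall's code). Two constructed PDF-like byte strings
carry the same auto-running JavaScript action but differ by one comment
line, which is enough to change the hash. A keyword scan of the object
structure flags both, and a simplified sanitiser strips the active-content
entries while leaving the page objects alone. Not a real PDF parser.
"""
import hashlib
import re

# Constructed minimal PDF bodies: structurally recognisable, not renderable.
BASE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.launchURL('http://example.invalid')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)
VARIANT_A = BASE
# Same payload, one extra comment line: the most trivial possible mutation.
VARIANT_B = BASE.replace(b"%PDF-1.7\n", b"%PDF-1.7\n%x\n", 1)

# Dictionary keys that make a PDF act when opened (assumed, illustrative list).
ACTIVE_CONTENT = {
    "OpenAction": rb"/OpenAction\b",
    "JavaScript": rb"/JavaScript\b",
    "JS": rb"/JS\b",
    "Launch": rb"/Launch\b",
    "AA": rb"/AA\b",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_blocklisted(data, blocklist):
    """Signature-style check: only exact byte-for-byte matches are caught."""
    return sha256(data) in blocklist


def active_content_found(data):
    """Structural check: which active-content keys appear, regardless of hash."""
    return [name for name, pat in ACTIVE_CONTENT.items() if re.search(pat, data)]


def sanitise(data):
    """Simplified content disarm: drop the catalog's /OpenAction reference and
    empty out JavaScript action dictionaries. Page objects are untouched."""
    out = re.sub(rb"/OpenAction\s+\d+\s+\d+\s+R", b"", data)
    out = re.sub(rb"<<\s*/S\s*/JavaScript\b[^>]*>>", b"<< >>", out)
    return out


def compare(variants, blocklist):
    """Per variant: whether the hash list catches it, what the structural scan
    finds before and after sanitising, and whether page objects survived."""
    report = {}
    for name, data in variants.items():
        clean = sanitise(data)
        report[name] = {
            "hash_blocked": hash_blocklisted(data, blocklist),
            "active_before": active_content_found(data),
            "active_after": active_content_found(clean),
            "pages_kept": b"/Type /Pages" in clean,
        }
    return report


if __name__ == "__main__":
    blocklist = {sha256(VARIANT_A)}  # the analyst blocked the first sample seen
    for name, row in compare({"A": VARIANT_A, "B": VARIANT_B}, blocklist).items():
        print(name, row)
```

Variant A is caught by the hash list and variant B is not, although both contain the same /OpenAction and /JavaScript entries; after sanitising, neither carries active content and the page objects are still present. Real PDF sanitisation has to parse object streams, cross-reference tables and encodings rather than regex over raw bytes, which is exactly the work a proper content-disarm pipeline does.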
Paul Farrington, chief product officer at Glasswall
"Cyber is now the weapon of choice for nation-state attacks and we
can expect to see even more evidence of this in 2022. This means new
cyber-focused legislation is, and will continue to be, a priority amongst
governments, as reflected in Biden's Executive Order.
The positive side to this is that cybersecurity will continue to be
spoken about more widely and openly among private sector organisations. At a
high-level, businesses will need to take notice of the changing legislative
landscape and adopt a compliance-first mindset, irrespective of whether
cybersecurity is currently a priority focus for them. For those selling into
the government, security will continue to be a competitive advantage, but this
will increasingly become a buying criterion more broadly. The value of security
will continue to grow, and will no longer be just about functionality.
In 2022, countries that are yet to adopt or improve cyber
legislation to protect government and critical infrastructure will likely do
so. We'll also see countries becoming more granular with this by legislating
around software development and data protection. Governments will start by
focusing on critical national infrastructure, for example utilities, before
moving on to any entity playing a pivotal role in keeping the country moving
and the economy growing, such as financial services. By setting out legislation
on how companies handle data and interact with the outside world, common
standards around security can be developed that will help keep both
organisations and customer data safe."
Danny Lopez, CEO, Glasswall
"With a 62% year-over-year increase in ransomware complaints, the demand for cybersecurity will continue to escalate. We expect to see more investors turn their attention to the market -- and invest in cybersecurity organisations addressing today's most prevalent threats like file-based malware, critical infrastructure vulnerabilities and ransomware-as-a-service (RaaS) -- rather than those from 10-15 years ago that today's public cyber companies were founded to protect against. Since there is ample capital available for private companies, M&A deal flow is likely to increase in 2022."
Amit Shaked, CEO & co-founder, Laminar
"When the pandemic first started, many organizations went into
emergency infrastructure planning mode and shifted immediately to the cloud in
order to continue business operations. As the dust continues to settle and
enterprises have adjusted to our new normal, it has become very clear that
organizations now have another enemy to face: data protection in the public
cloud.
Cloud transformation has overall been great for business, but has
not come without its downsides - one of the top ones being that data protection
has not kept pace with data democratization. A 2021 IDC survey reported that
98% of companies experienced at least one cloud data breach in the last year
and a half. The solutions data protection individuals are using haven't
adjusted to this new public cloud environment, which makes work much more
challenging than ever before. On top of that, most data protection teams are
blind to what sensitive data they have in the public cloud.
In 2022, it is going to become crucial that organizations use solutions
that provide visibility, context, accountability and alert data protection
teams to data leaks in order to halt adversaries in their tracks. The solution
should be able to continuously and automatically discover and classify data for
complete visibility, secure and control said data to improve data risk posture,
and detect data leaks and remediate them without interrupting data flow. These
simple approaches can go a long way in preventing devastating breaches in 2022
and beyond."
Oran Avraham, co-founder & CTO, Laminar
"In 2022, data is going to be the most valuable currency
around the world. As a result, the data breach culture we have seen emerge over
the past few years is going to continue to permeate if we do not take a moment
to reflect on the causes of attacks in the last year.
It is imperative to understand where these attacks are
originating from in order to discontinue the cycle of data abuse. If one were
to examine some of today's biggest data breaches, a pattern will immediately
emerge - the majority by far originated from public cloud infrastructure.
So what should organizations be looking for to protect
public cloud environments? First, the solutions must be cloud-native. Second,
data protection teams are almost blind when it comes to data residing in the
cloud. Therefore, the solution must start by integrating with the public cloud
itself in a modern, agentless way. It must be able to identify where and which
types of data reside there. This way organizations can focus on protecting what
matters most. Finally, the solution must not impact performance.
It is my hope that organizations will take a moment to
reflect on the importance of public cloud data protection in order to change
the data breach narrative in 2022 and beyond."