Hello everyone, I hope 2022 will be a better year for all of us, and like so many others I have some predictions about what is on the horizon for cybersecurity in the coming year.
My predictions are similar to those of others in the cybersecurity community, but I know that people outside information security read this blog, so I want to get this information to that audience as well as to the info-sec community.
The business of ransomware, i.e., Ransomware-as-a-Service, is simply too profitable to slow down or stop. The process is too developed, too streamlined, and too easy for criminals and the broader threat actor community to give up. For those of us on the Blue team (the defensive side of the red team/blue team split), 2022 will mean continuing to defend our data and assets from threat actors on premises (traditional IT) and in the cloud (AWS, Azure, etc.).
Ransomware-as-a-Service is now so mature that it has initial access brokers, malware developers, hosting platforms, extortion-specific leak sites, and even customer service teams that walk victims through paying in Bitcoin. You can be certain that criminals are making cybersecurity predictions of their own. Stay alert everyone: we are being targeted.
Read more: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/
Supply chain and third-party risk is an outgrowth of the first prediction (ransomware increasing): the number of vectors through which criminals can reach you is limited only by the number of companies in your supply chain. So think about who is supporting your business. Are they a secure company? Can they prove it?
If you don’t know your vendor partners well, or if you don’t know how secure they are, you need to find out. You are only as secure as they are, so you need to be as well protected as feasible from risky suppliers. Third-party risk management will be a critical component of your risk management strategy in 2022 and beyond.
Read more: https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks
Read more: Software bill of materials (SBOMs): what is it good for?
To defend against ransomware attacks, the need for “eyes on glass” 24×7 will increase in 2022 and beyond. Demand for managed detection and response (MDR) and extended detection and response (XDR) will increase as management looks for ways to defend against attacks. Insurers are also beginning to require MDR/XDR before a company or organization can qualify for cybersecurity insurance.
Read more: https://www.forbes.com/sites/forbesbusinesscouncil/2021/12/22/with-rising-cyber-insurance-costs-and-requirements-consider-new-alternatives-to-fight-ransomware/?sh=288404226e14
Multifactor authentication (MFA) will grow as a control to help defend against ransomware attacks, since most intrusions start with a stolen or guessed password. Just like MDR/XDR, MFA will be a requirement to qualify for cyber insurance. Vendors such as Duo and others will see increased sales as companies move to MFA to meet those cybersecurity insurance requirements.
Read more: https://solutionsreview.com/security-information-event-management/understanding-and-complying-with-the-new-mfa-requirements-for-cyber-insurance/
Zero Trust networking will be more than a buzzword in 2022 as more companies look to reduce their risk and attack surface. Some areas will be easier than others to move from classic trust models, where a device is trusted because the company owns it, to Zero Trust, where the user, the device, and the application are never implicitly trusted and every access request is verified. Boards and senior executives will be asking and expecting CIOs to make the move to less trust and more verification, from the edge on down the chain.
Read more: https://www.forbes.com/sites/forbestechcouncil/2021/12/09/why-zero-trust-and-identity-will-be-boardroom-priorities-in-2022/?sh=5f2670a1d315
The cost of insurance against cybersecurity attacks, data loss, and other security risks will continue to rise and will drive the adoption of the threat detection and prevention tools mentioned above. Companies looking to renew existing policies will face premium increases of 30%, 40%, or more due to the explosion of attacks in 2020 and 2021. In addition to higher rates, the list of security controls that must be in place before a policy is written will grow (see the MDR/XDR and MFA predictions above).
Read more: https://www.forbes.com/sites/theyec/2021/11/02/cyber-attacks-are-on-the-rise—what-executives-and-insurance-providers-can-do/
With Russia testing cyberattack tools against Ukraine, and North Korea testing attack techniques against South Korea and others, nation-states will continue to attack soft targets around the globe. Collateral damage will occur as nation-states test and launch attacks, with some attacks impacting suppliers to other companies. Third-party and supply chain relationships will be the vector for many of these attacks, which is how so many other companies will be impacted.
A manufacturing company in Indiana won’t be the target, but AWS or Azure might be, and that company’s workloads in the affected cloud will go down along with everyone else’s. When nation-states are involved, even the biggest vendors can go down.
Read more: https://www.securitymagazine.com/articles/96781-top-15-cybersecurity-predictions-for-2022
The California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA) are just the tip of the iceberg in terms of new privacy legislation in the US. More than 30 states in the U.S. have data privacy laws and the number of states starting to give privacy rights to consumers is on the rise. This trend will continue and impact virtually every company that does business in the United States in 2022.
To get a head start on this, inventory where your customer data resides, including every copy in backups, reports, and third-party systems, and then start your data classification and labeling process. You can be the CIO hero if you know where the data resides and how to delete or correct it, so that customers can be forgotten or updated on request, and you can prove that you did it.
Read more: https://news.bloomberglaw.com/privacy-and-data-security/top-privacy-law-issues-in-2022-as-congress-debates-a-federal-law
That is what I see on the horizon for 2022. What are you seeing and what predictions for cybersecurity have you made? E-mail me at firstname.lastname@example.org and let me know your thoughts on the upcoming challenges and opportunities in 2022.
Read more from John Bruggeman:
Cyber Insurance, part 1: What is Cyber Insurance and do I need it?
Cyber Insurance, part 2: Getting ready for the insurance company questionnaire
Cyber Insurance, part 3: Filling out the questionnaire
Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?
Improve your cybersecurity defense with centralized logging
Improve your cybersecurity defense with centralized logging, continued: A deeper dive!
Getting ransomware-proof, continued: CIS controls for medium-size organizations