It’s no secret that cybersecurity attacks and breaches have accelerated in recent years, but the growing impact and volume of such attacks has entered the public eye more aggressively than ever before. From record-breaking ransomware attacks on major infrastructures to the latest Apache Log4j vulnerability, the level of chaos last year led some media to declare that “2021 was the year cybersecurity became everyone’s problem.”
As Afinety’s CISO, I spend countless hours collaborating and comparing notes with other security leaders – our technology partners, software vendors, cybersecurity consultants – as well as with current and prospective clients about what they see in their worlds. Here’s what I’m expecting in cybersecurity in 2022.
Ransomware will reach pandemic levels; even the unaffected will have to pay
While COVID-19 continues to circulate, it’s a different pandemic that’s keeping security professionals worried: Ransomware. In 2021, more than 1100 schools and government agencies were impacted by a ransomware incident, making it a household topic rather than one relegated to just security professionals. Such public familiarity will continue to increase in 2022 as threat actors ramp up both the volume and severity of their attacks.
In November, a survey from email security vendor Mimecast reported an average ransomware payment in the US of more than $6 million, an exorbitant amount for organizations trying to save their businesses even though, on average, only 65% of the encrypted data is restored after a ransom has been paid. Businesses suffered 50% more cyberattack attempts per week last year (925 a week), and over 35% of organizations were hit by ransomware in 2020. While we wait for the 2021 numbers, we expect the 2022 number to be much higher as we see a continued increase in the severity and volume of ransomware attacks.
In 2022, we will see the dramatic rise of attacks using Ransomware-as-a-Service (RaaS), which is already a well-established industry within the ransomware business. Various operators will operate a subscription-based model to lease their malware creations to others for a price. This could be a monthly subscription or a portion of any successful ransom payments.
Due to soaring ransom demands and a growing appetite for cyber insurance, providers will likely reevaluate how much coverage they can offer and how much it will cost clients. Various insurance brokers reported premiums that went up by at least 10 percent, and in some cases by as much as 40 percent towards the end of 2021, and this trend is expected to continue through 2022 as well. The result: Even those not affected by ransomware will be paying the price.
The cybersecurity talent gap won’t be going away anytime soon
The COVID-19 fueled remote workforce has further stretched under-resourced security teams. Combined with the rising rate of ransomware attacks, many cybersecurity professionals suffer from burnout, stressing an already fragile system. According to a Forrester survey, “2021 data shows that 51% of cybersecurity professionals experienced extreme stress or burnout, with 65% saying they had considered leaving their job because of job stress.”
More remote work also means more significant usage of cloud applications, which has led to increased demand for cybersecurity professionals with skills in cloud computing security. Many organizations are struggling to find the people to fill these gaps.
In 2022, issues around the available cybersecurity workforce will continue to be a problem for organizations; however, some tools and technologies can help ease the staff workloads, helping to improve both their wellbeing and the organization’s cyber defenses. Security leaders will need to make all decisions assuming the impact of the cybersecurity skills shortage. This will require a more significant commitment to working with service providers, process automation, and advanced analytics technologies.
The Federal Government will take a more proactive role in cybersecurity
2021 saw the creation of the National Cyber Director’s office, the establishment of CISA’s Joint Cyber Defense Collaborative, and efforts to implement President Joe Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” which was issued on May 12, 2021, in response to the SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents. The Executive Order contained more than 55 deliverables and calls for new data security and incident reporting regulations, the publication of requirements for secure software development practices, and establishing criteria for consumer labeling programs for software and Internet of Things (IoT) devices.
The next set of deliverables are due in February 2022 and will aim to solidify practices for enhancing the security of the software supply chain and providing criteria for the software and IoT consumer labeling programs. Companies in business with the federal government should watch out for new proposed rules. We expect to see increased discussion and sharing of cyber-threat information, removing barriers to threat information sharing between the US government and the private sector.
It is evident that in 2022, states and federal agencies will continue to be more proactive in creating, revising, and enforcing privacy and cybersecurity requirements, which would ultimately increase litigation against organizations that do not maintain and follow appropriate policies for vulnerability and patch management, as well as cyber incident response.
Threat Intelligence will become more accessible
In the past, threat intelligence has been seen as a particular cybersecurity skill available to organizations with access to money and resources to hire a team of analysts and specialists to turn highly complex information into usable data. Over the last couple of years, new products have emerged to provide more actionable threat intelligence through services like vulnerability prioritization, digital risk protection, and dark web monitoring, which can be applied to a range of practical security use cases from vulnerability management, detection, and response to threat hunting for immediate results.
With such products readily available, more organizations, even those with small or non-existent security teams and budgets, will embrace threat intelligence to understand adversarial techniques better and increase security efficiency. The demand for more integration and a single view of technical and vulnerability risk information is also expected to grow. This should include real-time discovery, in-depth assessments across technology layers, and up-to-date threat intelligence data for better risk context to accelerate prioritization through actionable reporting.
Spear Phishing and Smishing is here to stay
Cyber attackers frequently prefer phishing attacks. Over 75% of targeted cyberattacks start with an email. With the workforce moving remote in 2021 and people not in the same office, email communication has increased, and phishing attacks have recently become more personalized and targeted (Spear Phishing). While any business can be targeted for an attack, those with valuable information and weaker security are prime targets. Healthcare and pharmaceuticals are one area that is hit strongly across all business sizes, while small and medium-sized businesses remain the most vulnerable to these attacks.
This trend is expected to continue into 2022, as will Smishing (SMS-based phishing) as text messaging becomes an even more common attack vector. With security awareness training, individuals are more careful when opening emails, clicking links, or opening attachments; however, they typically do not expect to receive phishing via text messages on their mobile phones. With most e-commerce sites and retailers using text messaging for shipping and delivery notifications with embedded links, fake text messages with malware embedded can go undetected.
However, preventing targeted phishing attacks is not as difficult as it seems. Organizations follow advanced Privileged Access Management solutions (PAM) to protect their employees’ credentials while keeping email traffic within the network under control to block malicious attempts. Besides, organizations make a potential attack preventable by using standard phishing attack techniques and simulators to predict possible phishing attacks and ensuring their workforce is constantly trained on new phishing attack vectors.
Where does that leave you?
At Afinety, cybersecurity is a top priority. As a partner to our clients, we are committed to providing a security-first approach that integrates cybersecurity tools and technologies, processes, and controls with well-trained employees knowledgeable about current cybersecurity trends.
With attacks targeting SMBs on the rise, we know our clients are looking for our help to provide similar protection to their staff. That’s why we not only have several security controls integrated into our service offering but also why we’ve developed a suite of Security Services to protect our clients further.