The 2022 new year is here! That means it’s time to bid farewell to the winter of 2021. At the same time, looking at security trends can give us insight into the future.
Last year was a record-breaking year for data breaches. According to the Identity Theft Resource Center (ITRC), the number of publicly reported 2021 breaches in the first three quarters of this year exceeded the total number of incidents in the entirety of 2020.
Many of the most high-profile security incidents this year were caused by attackers. These include the Colonial Pipeline ransomware attack that caused gas shortages in the U.S., the ransomware attacks on Acer and meat processor JBS, and the attacker that compromised Florida’s water supply. Other incidents were caused by internal mistakes and vulnerabilities, such as the Facebook shutdown in October that took down Facebook, Instagram, and WhatsApp.
What’s ahead for security in 2022? As organizations begin thinking about their primary 2022 cybersecurity activities, they need to proactively strategize. With that in mind, here are SecurityScorecard’s top cybersecurity predictions for this year.
1. The supply chain must be protected.
2021 has shown us what happens — on several levels — when supply chains are disrupted. Not only have we seen fuel, beef, and other shortages result from cyberattacks on suppliers, but the digital supply chain has also been attacked. ITRC found that 31 attacks on third parties and suppliers affected 60 entities in the first three quarters of 2021 alone. In 2022, organizations are likely to shift from reactive approaches to supply chain security to proactive ones in order to protect their supply chain. Such approaches are likely to involve diagnostic measures and monitoring of previously-vetted third parties.
2. Data privacy regulations will increase
When the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, it was the first of its kind. In the years since, other governments have started introducing their own privacy regulations: the California Consumer Privacy Act (CCPA), for example, and Brazil’s General Personal Data Protection Law (LGPD). Other legislative bodies are likely to follow suit over the next year; Gartner predicts that by the end of 2023, privacy laws will cover the personal information of 75% of the world’s population.
3. Hybrid workforce is here to stay — so it must be secured
If 2020 brought us the remote workforce, 2021 brought us the hybrid workforce. And, in turn, the hybrid workforce has brought vulnerabilities that cybercriminals are eager to exploit. According to the Ponemon Institute, remote workers were targets for bad actors in 2021 and it cost companies — the cost of a data breach was, on average, $1.07 million higher when remote work was involved in the breach. In addition, organizations with more than 50% of their workforce working remotely took 58 days longer to find and contain breaches than those with 50% or less working remotely. In 2022, companies will need to ensure the security of those who work remotely.
4. It’s getting very cloudy
Cloud adoption was already on the rise pre-pandemic, but COVID and remote work has accelerated cloud adoption even further. Flexera’s 2021 State of the Cloud Report found that 92% of enterprises had a multi-cloud strategy in 2021 while 80% had a hybrid cloud strategy. Companies used, on average, 2.6 public clouds and 2.7 private clouds. With so many clouds in play, however, cloud security has become a top concern. Ponemon found that organizations with increased cloud security decreased their data breach costs. In 2022, increased reliance on the cloud will mean increased spend on cloud security. Organizations may want to invest in hybrid clouds, which experienced the lowest data breach costs.
5. More attention will be paid to human cyber risk
Most cyberattacks, from ransomware to phishing to the exploitation of unpatched vulnerabilities, come down to the same common denominator: human error. There’s a reason why phishing remains an evergreen form of attack, after all — people can be tricked. With that in mind, organizational leaders must ensure that everyone is involved in security. That means more than training everyone in good cyber hygiene or drilling all employees on how to spot a phishing email. According to a recent report from SANS, leaders will have to start with security leaders themselves. Most security leaders just don’t have the time for outreach, SANS finds that more than 75% of security awareness professionals spend less than half their time on security awareness. They also don’t necessarily have the skills to engage their co-workers; security awareness responsibilities are often assigned to staff with highly technical backgrounds. These individuals might have the hard skills to spot a security issue, but not the soft skills to explain security to non-technical coworkers. In 2022, leaders will need to align security awareness with organizational goals and find professionals with appropriate soft skills to help educate staff when it comes to cybersecurity risk.
6. Ransomware is unlikely to go away
Ransomware attacks have risen considerably in recent years, and since this sort of crime pays, criminals are likely to continue attacking organizations with demands for bigger and bigger ransoms. A recent report found that there has been an increase in vulnerabilities tied to ransomware attacks since the start of the pandemic – ransomware families are exploiting both new and old vulnerabilities in software, and the number of ransomware families has grown exponentially in the past year. The report also found that ransomware has largely targeted vendors — specifically software as a service (SaaS) – so in 2022, organizations will aggressively vet and monitor third parties and will also need to be vigilant about patching.
7. Expect ransomware regulations
Should you pay the ransom if you’re attacked? Most experts say no, but soon your organization may get an additional nudge toward not paying — Gartner predicts that by 2025, 30% of counties will pass legislation regulating ransomware payments, fines, and negotiations. Since just less than 1% of nation states currently have ransomware payment regulations, most of that work will happen in the next year.
8. The Zero Trust security model will become widespread
The cybersecurity field is fast-moving from “trust, but verify” to “never trust, always verify.” Forrester reports that five governments will adopt Zero Trust in 2022. This includes the U.S. In early 2021, President Joe Biden released the world’s first national-level Zero Trust mandate for government departments. Zero Trust has proven effective in reducing data breaches and their costs; according to Ponemon, companies that had taken a Zero Trust approach to security reduced breach costs by $1.76 million.
SecurityScorecard can help you secure your assets in 2022
A robust cybersecurity program increasingly protects your organization from financial, compliance, and reputation risks. SecurityScorecard’s platform applies AI/ML to help you continuously monitor for new cybersecurity risks that threaten your organization and your supply stream.
Our security ratings use an easy-to-read A-F scale that provides at-a-glance insight into risks impacting your IT ecosystem. SecurityScorecard’s platform collects publicly available data from across the internet and aligns that information to ten groups of factors, including IP reputation, DNS health, web application security, endpoint security, network security, patching cadence, leaked credentials, social engineering, and hacker chatter. SecurityScorecard’s continuous monitoring capabilities provide meaningful alerts that enable you to mitigate threats and strengthen your cybersecurity posture.