Where We Stand
This year kicks off against the backdrop of the security flaw found in Log4j, a system-logging code library widely used in applications and services across the Internet. In the aftermath of this crisis, a new set of cybersecurity problems for technical and security teams have emerged. While it’s still too soon to tell just how much damage it has done (or will continue to do), it’s clear that the Log4j vulnerability has the potential to become the most significant threat seen on the Internet for years.
This is due to three reasons:
- Its pervasiveness—Log4j is widely used by developers and bundled in various vendor products.
- Its ease of exploitation—compromising a vulnerable system is often easy but patching the vulnerability is complex.
- Its severity—once a system is compromised the attacker has total control to run whatever malicious code they choose.
Patching vulnerable systems has always been challenging for IT teams under pressure to maintain uptime. This struggle persists and is becoming more difficult. With Log4j, the challenge is finding what is at risk. This is particularly difficult for small to medium-sized enterprises (SMEs), who may not have dedicated IT resources to keep on top of the patching cycle or the capabilities to respond to zero-day exploits.
It is estimated that 60% of small companies go out of business within six months of a cyber attack.1
This is likely to lead to further outsourcing of cyber services to managed security services providers (MSSPs); when selecting such security partners, businesses will need to exercise caution to ensure that the chosen partner fits their needs and has the experience appropriate to their environment.
To plug security gaps, organizations will continue to increase their spend on information security and risk management technologies and services, as they continue to deal with remote working and cloud security risks. A recent Gartner survey2 reports that 61% of organizations view cybersecurity as their top priority for new spending, with a further Gartner study3 reporting that 88% of boards now view cybersecurity as a business risk, rather than a technology risk. Communicating a return on investment from cyber projects will be key for Information Security departments as they seek to show the value of investments in cybersecurity solutions and demonstrate effectiveness in mitigating threats.
Priorities in Cybersecurity
In 2022, organizations will find their resources dedicated to addressing the following five priorities.
1. Ransomware
According to a Cybercrime Magazine article, it is estimated that the global cost of ransomware in 2021 topped $20 billion as more organizations opted to pay the ransom.4
As long as ransomware remains so lucrative to cyber criminals, it will continue to be the biggest security issue in 2022. Organizations need a multifaceted approach to combating ransomware that includes protecting privileged accounts and improving visibility and detection capabilities. As ransomware continues to evolve, some cyber gangs have even started to offer financial incentives to employees to entice them to either knowingly click malicious links or share their credentials to allow attackers to gain access to systems. With insiders being offered millions, it is important for organizations to reassess the potential risk posed by insider threat incidents. This is a worrying notion as it only takes one malicious insider to inflict damage that could bring an entire company down. Zero-trust5 is a practical approach to tackling both insider and external threats.
Two-thirds of executives surveyed—or their employees—have been approached by hackers to assist in ransomware attacks.6
Alongside further investment in cybersecurity training, businesses should also establish an insider threat prevention program that is adaptive to evolving risks and effective at intervention before an individual commits a hostile act. The overall goal should be to promote a positive security culture throughout the organization.
2. Business email compromise
According to the FBI’s Internet Crime Report for 2020,7 business email compromise (BEC) was the costliest cyber crime against U.S. businesses for the fifth year in a row.
In the United States alone, BEC losses amounted to $1.8 billion in 2020.
BEC attacks can result in a victim being tricked into making a transfer of funds to a fraudster’s account; naturally this makes accounts departments the main target for attack. Often bad actors impersonate or spoof a business email address, so it appears that the email is from a senior executive or supplier. Baseline security protections can help, such as:
- User training and awareness
- Implementing controls that require dual control for payments
- Securing accounts with strong authentication and 2FA
- Configuring the organization’s domain with anti-spam protection
It is important when designing staff information security training to ensure that the training is specific to job roles. For example, teams dealing with payments should be made aware of the risks of BEC and learn how to identify fraudulent emails, while executives should be aware of the risk attached to their position in the organization.
3. Remote working is here to stay
Covid forced a change in behavior as whole organizations left the office and began to work from home. This caused technical challenges for organizations at the start of the pandemic and introduced new security challenges as the perimeter of the corporate network ceased to be the boundary of protection. Cybersecurity teams continue to work on technologies and processes to strengthen defenses. 2022 will see further adoption of zero-trust security strategies and artificial intelligence (AI).
- With the traditional concept of ‘castle and moat’ protection no longer adequate, zero-trust adoption will be accelerated as remote working becomes more common. The foundational principle of zero-trust is that trust is not implicit; rather, all resource authentication is dynamic and strictly enforced. When deployed effectively, risks from data breaches, ransomware, and insider threats are reduced.
- As cyber gangs leverage AI techniques for malicious use, AI can be used defensively to identify and prioritize risk, instantly spot malware on a network, and guide incident response before attacks can take hold.
4. Awareness and training
In 2022 we will see organizations place greater emphasis on employee training. Remote working means employees will need to be able to identify social engineering attacks through phishing, vishing, etc. Remote working also requires new behaviors. For example, new processes may need to be implemented around request verifications, especially when dealing with financial requests.
The World Economic Forum finds that 95% of all cybersecurity incidents are linked to some form of human error.
Providing continuous cybersecurity training, relevant to an employee’s role, is a main priority for all organizations. Organizations will continue to invest in phishing simulations but will also need to provide training focused on the transition to a home working environment. Understanding the risks posed is paramount and staff will need to become familiar with the use of 2FA and VPNs when connecting to online systems and accounts.
5. Supply chain security
Expect to see new attacks in 2022 targeting the supply chain as attackers continue to exploit the weak links in enterprise security. As organizations become more reliant on outside providers the problem intensifies.
Sonatype’s 2021 State of the Software Supply Chain Report shows attacks on the software supply chain have surged 650% in a year.8
Organizations will need to determine if a supplier’s security posture is aligned with their own. Given the complexity and embedded nature of systems across multiple devices, it is difficult for an organization to understand exactly what exposure it has. Exploitations of open-source software are difficult to detect and mitigate. Assessing the risks posed from the supply chain will be an important focus for organizations in 2022 and beyond.
Conclusion
2021 was a challenging year for cybersecurity professionals; the indications are that 2022 will be equally if not more testing with further large-scale, damaging cyber attacks. However, there is cause for some optimism.
- Public and private organizations continue to pour more money into hardening their security posture to gain greater visibility into their attack surfaces.
- Further adoption of zero-trust architectures and greater awareness among employees will also improve security.
- In the aftermath of the transformation to a remote working environment, CEOs and boards now recognize cybersecurity as a business risk rather than a technology risk, and CISOs are finally getting a seat at the boardroom table.
An organization’s cybersecurity posture needs to remain under constant review. When assessing how their cybersecurity program stacks up, senior leaders need to ask:
- What is the organization’s most valuable data and where it is stored?
- Are staff suitably trained to identify cyber threats and protect the organization from a cyber attack?
- Does the organization have a cybersecurity function with the right people in charge, driving a positive security culture?
- Will the organization be able to detect a cyber attack when it first occurs?
- Has the organization integrated threat intelligence into its detection capabilities?
- Is there confidence that the organization will be able to contain and remediate issues before they take hold?
[1] https://staysafeonline.org/press-release/national-cyber-security-alliance-statement-regarding-incorrect-small-business-statistic/
[2] https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem
[3] https://www.gartner.com/en/newsroom/press-releases/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk