We asked several industry observers to give us their top predictions for 2022, against a background of uncertainty and challenge. Here's what they had to say.
Zero Trust has been one of the biggest buzzwords of 2021, points out Ashok Sankar, VP of product and solutions marketing, ReliaQuest. "The surge of recent high-profile cyber-attacks has ushered this concept to the forefront for many security leaders and organisations. In 2022, we will see zero-trust adoption speed up. However, mass confusion will remain, unless we treat it as a mindset shift and a concept versus a product solution."
Almost half (48%) of security leaders say they are prioritising implementing zero-trust principles as part of their security strategy. That number is expected to only increase, but too many leaders still don't understand it to its full extent. "Zero Trust can't be thought of as a single-packaged solution," he cautions. "It's essentially rethinking enterprise security and cutting across silos. It's an evolution of the security paradigm that requires continuous monitoring. The industry must do its part over the course of the upcoming year to educate organisations on the ins and outs of zero-trust, as destructive attacks are not slowing down."
2022 will be a defining moment in how organisations reset the fundamentals of their security programmes, adds Sankar. "This must begin with standardising security metrics. In fact, a majority of security leaders (64%) state that the primary obstacle for implementing an IT security risk management program is a lack of standardised metrics to measure progress. What's more, only a third (37%) believe their teams are tracking the right security metrics. In 2022, it's expected that organisations will prioritise standardising key security metrics and tracking them more effectively."
Meanwhile, the lack of enterprise-wide visibility across security tools, combined with the prevalence of tool sprawl, will lead to a greater need for, and adoption of, Managed Detection & Response (MDR) solutions in 2022, he continues. "A mere 13% of security leaders say they have greater than 75% visibility across all security tools - and on average, organisations maintain a whopping 19 different security tools, with less than a third of those being vital to security objectives. This poor visibility across numerous tools puts organisations at an increased risk for cyber-attacks; this cannot continue into 2022."
LUCRATIVE ATTACKS
"The success and rewards of ransomware attacks have become so lucrative that ransomware developers have emerged to sell or lease their ransomware tools and expertise, offering Ransomware-as-a-Service (RaaS) in return for royalties from the payments from victims," points out Joseph Carson, chief security scientist, ThycoticCentrify. "Ransomware could even evolve further into a subscription model in which you pay the criminal gangs to not target you."
Governments have decided they can no longer stand by and watch their citizens and businesses fall victim to cyberattacks. "This means they must and will strike back, and it could result in a full-on cyber war, if the ripple effects spread out of control, and more hackers join forces to collaborate and respond. The result could see a cyber treaty in 2022 that pushes cybercriminals into fewer safe havens to operate, with countries uniting to fight back against cybercrime. Global stability has been on the edge for several years. The increase in cyberattacks and the impact cyberattacks are having on society means the balance of the force is tipping."
"For years, gamers and streamers have been a growing trend on social media, with audiences wanting to know their secret techniques on how they get to the next level. Popularity is continuing with top gamers raking in millions in both commissions and sponsorships. Hacking is now following that same path with the world's top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold, and then elevating privileges."
Hacking gamification platforms are also on the rise, as hacking teams compete for L33T status on being on the top of the leaderboard. "This new trend will continue in 2022 and we will see hacking become an EL3T3 Sport where viewers will pay to watch hackers hack."
Cryptocurrencies are surely here to stay, Carson adds, and will continue to disrupt the financial industry, but they must evolve to become a stable method for transactions and accelerate adoption. "Some countries have taken a stance that the energy consumption is creating a negative impact and therefore face decisions to either ban or regulate cryptocurrency mining. Meanwhile, several countries have seen cryptocurrencies as a way to differentiate their economies, so they can become more competitive in the tech industry and persuade investment."
In 2022, more countries will look at how they can embrace cryptocurrencies while also creating more stabilisation, with increased regulation only a matter of time. "Stabilisation will accelerate adoption, but how the value of cryptocurrencies will be measured is the big question. How many decimals will be the limit?"
A VERY 'INTERESTING' YEAR
It's hard to believe that it has now been almost two years since COVID-19 forced IT departments and businesses of all shapes and sizes to adopt a remote-first posture, comments Andy Syrewicze, technical evangelist at Hornet Security. "Despite the best of intentions (as usual), many organisations were exposed to security threats as part of this rapid change. Add to that an increase in highly complex supply-chain attacks, ever-more-pervasive ransomware infections and increased targeting of remote users through cloud services, and it all culminates in the last two years of IT security being very… interesting, to say the least."
With an increasingly evolving threat landscape, what are IT teams likely to see in the coming year? he wonders. "What can technology professionals do to prepare themselves for 2022? Put simply, IT pros need to prepare for more of the same. More ransomware, more remote user targeting and more breaches that may be out of the control of businesses, due to poor security within other organisations." That's not to say that businesses are powerless, he adds, offering a number of steps that can be taken in this coming year to help prepare for future attacks.
"For starters, did you know that email is STILL a top vector of attack for many attackers? Email will continue to be a massive area of focus for attackers in the coming year, as it lends itself well to low-effort spray style attacks. Attackers can send out 50,000 emails and a few are likely to make it through spam filters and garner some user interaction. IT teams will need to make sure they're using a trusted email security provider to help ward off these types of attacks.
"Next, IT pros and business leaders will need to be aware of the cloud services being consumed by end users and take steps to secure them. Don't assume that cloud services such as Microsoft 365 are secure, simply because they're hosted in the cloud!
"Finally, organisations that adopt a posture of breach assumption will be better off than those who do not. Zero-trust security policies will help limit the spread of damage, should the worst happen and, for those situations where data is impacted, the set-up of offsite air-gapped backups can save a business from complete failure."
Taking these steps will help businesses keep their data safe and organisations running smoothly in the coming year, despite the ever-changing security landscape, he concludes.
THE ENDLESS BATTLE
Since the pandemic hit, bad actors have preyed on the vulnerability of organisations moving to remote working models and IT departments have worked tirelessly to overcome the challenges, points out Entrust. In turn, technology companies delivered new and improved technologies to support the changes.
"While attacks on system vulnerabilities continue to be a staple of nefarious activities, there's been a renewed focus on attacks against individual employees via mobile devices. The upturn in BYOD and IoT devices will create further headaches for IT departments in 2022. Authentication will be a huge challenge and passwords will be combined with other authentication methods, like smart cards, three-factor authentication and biometrics, in order to improve security."
NEW INTEGRATED SOLUTIONS FOR SEAMLESS TRAVEL
Cybersecurity technology is being developed to address specific issues and problems caused by COVID-19 and this will continue in 2022, Entrust predicts. "New integrated solutions for seamless travel will replace long lines at customs with secure remote identity verification via smartphone. Such solutions will make travel easier and more contactless, and allow border control agents to focus on handling exceptions and possible risks.
"The global pandemic has spurred an urgent requirement for remote and touchless services replacing manual and high-touch self-service processes. Next year is forecast to demonstrate the value of digital travel documents, e-Passports and electronic travel authorisations to enable safer and more seamless travel for post-pandemic recovery."
Zero-Trust also figures largely as an approach where you trust nothing, verify everything related to users and devices, assume the network is hostile and only give entities the least privileged access - the minimum permissions they need to fulfil their function. "This framework is predicted to become essential in stopping identity from being exploited through various avenues in 2022, including compromised secrets, compromised data perimeters and lateral threats."
BAD ACTORS GET BADDER!
Jenn Markey, Entrust's product marketing director, Identity, is swift to emphasise the fact that bad actors are getting increasingly sophisticated, and it's becoming more and more difficult for users to discern valid communications from credential-stealing attacks - reference the recent MS SharePoint attack. She singles out nation-state attacks with very real national security implications… "in response, governments are starting to get serious about the cybersecurity defence (think Biden EO)".
Meanwhile, cloud migration can take 10-plus years for large enterprises, adding cost, complexity and risk, she states. "That's 10-plus years of trying to provide seamless security and a seamless user experience across disparate solutions." Markey sees data privacy concerns going "supernova", with increased regulation. "Always a hot topic, but travel and health credentials will add fuel to the fire - whether for the workforce, consumer or government use cases. As well, this is likely to drive new compliance regulations across jurisdictions to protect individual privacy."
She also forecasts that MSP adoption will skyrocket, driven by IT skills shortages, complex hybrid/MC environments and continued business uncertainty. Finally, she states, it is time to get serious about critical infrastructure protection. "Proliferation of IoT devices and connections in-between continues at an exponential rate. Many/most of these devices were never architected with security in mind. This has huge implications for the electrical grid and other utilities, along with sectors like healthcare where IoT devices have been/are being widely deployed."
Cyber-attacks will, of course, continue to target well-known weaknesses, with Jon Fielding, Apricorn's managing director EMEA, indicating how criminals will exploit 'tried and tested' vulnerabilities, such as unpatched systems, unchanged default passwords and unencrypted data. "They'll also continue taking advantage of inadequate access controls that make data freely available to employees and third-party suppliers who don't truly need it," he says.
"Attackers will specifically target employees who are working remotely, often using social engineering techniques such as phishing emails to take advantage of the fact that security awareness is generally found to be lower in the home environment." Ransomware will become the technique of choice now that organised crime is involved and it can be easily monetised.
At the same time, companies will need to urgently improve security awareness and accountability of their employees, adds Fielding, educating them in the changing risks associated with remote and hybrid working, and how to control them. "This means training the workforce in security policies, and the proper use of security tools and technologies. But employees also need to understand the 'why', as well as the 'what' and 'how': the specific threats facing the organisation and the role they need to play in mitigating them."
Apricorn expects to see a continued increase in the use of data encryption, which will keep information secure whatever happens around it, Fielding comments. "Mandating the encryption of all corporate data as standard policy also provides the ability to demonstrate transparency and due diligence, in the event of a breach." Backup strategies will take priority, he predicts. "This year, companies have comprehensively bought in to the need to hold an offsite copy of their data, which is a really positive thing. A solid backup strategy is an essential part of cyber-resilience, which took centre stage in 2021 as organisations recognised that, however well they protect their data, a breach can never be off the cards. Many have chosen to back information up in the cloud - but, in 2022 we'll see more instances of data being compromised, stolen or lost as a consequence of relying on cloud storage alone.
"The cloud offers a convenient and cost-effective way of storing information. It's also 'low maintenance', with providers taking care of tasks such as updates and patching. However, this devolution of responsibility also creates risk: when you sign the contract, you're also signing over the control you have over your data's security. If this is your only backup location, it creates a single point of failure in the event of a cyber-attack, employee error or tech failure," he cautions.
TIGHTER REGULATORY OVERSIGHT
"Looking at 2022, it seems clear that there will be tighter regulatory oversight for the public sector," says David Bundock, chief operations officer, NetUtils. "The NHS is already going through Data Security Privacy Toolkit (DSPT) processes and several recent tenders for large public sector organisations have made compliance to Cyber Essentials Plus a mandatory requirement for every supplier. If the NHS is a template, then more public sector organisations will be required to adhere to CE+ through to 2023. And I would expect these requirements to spread to anybody that supplies into the public sector.
"The framework is not onerous, but it is audited, which means that organisations need to do more than just a 'check box' exercise, so it's wise to start looking at these optional processes now and before they become mandatory." He also points to the "meteoric rise in the public consciousness" of ransomware - and predicts that the coming year will unfortunately be more of the same. "However, the move by AXA, one of Europe's largest insurers, to stop offering new insurance policies that cover ransom payments to criminals for French policy holders may be the start of a wider trend across the region during 2022. The logic is that ransom payments encourage more ransomware attacks and drive up the cost of cyber security insurance policies.
"Although UK companies can still gain insurance policies that will pay ransoms - assuming you can prove no liability - it's likely that AXA's position might spread. The whole market for insuring against all forms of cyber-attack and outage is an interesting area and I suspect that 2022 will be a year where it starts to get a lot more attention from enterprises."
Bundock flags up, moreover, how the 'great return to the office' has just not materialised as expected by most, with more organisations opting to have more staff working remotely as a permanent option. "The first of the studies that have looked at issues such as productivity and mental well-being are starting to emerge and, in many instances, home working seems to be on parity with office working and, in some cases, proving a benefit.
"However, organisations must now look at the often-temporary measures rushed out to support home workers that are now becoming standard. Where masses of laptops were hurriedly deployed, and cloud based filesharing systems were utilised to help teams collaborate, these devices and platforms need to be audited for security and compliance to standards such as GDPR. This will inevitably trigger more use of cyber security as a service - especially as the current shortage of skilled IT and Infosec staff grows."
ATTACKS TO GO WIDER
While it's been mainly big oil pipelines and national healthcare services hitting the headlines as ransomware victims in 2021, the attackers are likely to expand the net a bit wider next year, according to David Hood, CEO, ANSecurity.
"Although seemingly a less lucrative option, the four million small businesses in the UK offer a tempting target and often don't have the skills to deal with these types of extortion attempts - choosing to pay, rather than have their businesses crippled. This will be partly driven by the US (and likely soon to follow many major western economies), stating they will treat ransomware attacks on key infrastructure as a terrorist attack, leaving smaller organisations unlikely to provoke any government response and comparatively a 'safe' target."
The wave of supply chain attacks such as SolarWinds and Kaseya are not over yet and 2022 will undoubtedly see more instances, Hood adds. "But these might well shift from broad IT platforms to more specialist supply chains in areas such as logistics, healthcare and even manufacturing.
"The endemic supply chain cyber security weaknesses might finally require government scrutiny." This, he points out, could be the equivalent of a PCI/DSS regime, with an ASA and QSA style auditing requirement. "This is very unlikely to conclude in 2022 - although the discussion might well start."
With the NHS currently working through its own cyber security certification scheme, in the shape of Data Security Privacy Toolkit (DSPT), the success of this project "may well see 2022 as the year that other industries start their own programmes, perhaps, starting with the public sector and potentially expanding to their suppliers. This seems very likely and education may well be the next sector to go through the process".
Hood also acknowledges how Zero Trust has been a popular topic for vendors and the media over the last few years. "However, when speaking to clients, it's becoming clear that there is a fundamental problem with the concept… it is an awful name! Hopefully, 2022 will be the year when vendors realise that 'Zero Trust' is a poor descriptor for the concept and that a better way to engage with key stakeholders needs to come to the forefront to propel what is essentially a great idea."
NEW TECHNOLOGIES EMERGING
For the past few decades, enterprises have spent considerable time and resources investing in traditional endpoints and infrastructure security solutions. The focus has been on the devices their employees and customers use to connect to their services or workflows. But the modern workflow has evolved and grown, with new devices and enterprise apps introduced every day.
"In the context of the last two years, many organisations, big and small, accepted mobile devices and apps into their systems, in the spirit of remote work and productivity, but dedicated insufficient thought to how these new technologies impacted their broader enterprise attack surface," points out Richard Melick, director, Product Marketing for Endpoint Security at Zimperium. "This is because, historically, malicious actors have focused more attention on traditional endpoints. Thus, when security teams needed to prioritise the most significant risk areas to their employees, data and organisations, it resulted in more focus being paid to traditional endpoints." Fast forward to the end of 2021 and 2022, and mobile endpoints are now critical components of our daily workflows. "The threats targeting both Android and iOS enterprise-connected devices and applications have increased massively worldwide and it should be no surprise. The 2021 headlines have demonstrated these attacks are not just small data leaks and stolen code. Android and iOS had record years, in terms of zero-day critical vulnerabilities in 2021, accounting for 30% of all in-the-wild exploits used in cyberattacks, up from 10% in 2020."
Enterprises have discovered their apps leaking critical user and investor data, and mobile spyware has infected tens of thousands of targeted, high-profile individuals, Melick adds. "Large-scale phishing and premium SMS scams have plagued personal and corporate-owned devices, stealing tens of millions from unsuspecting victims. And this is just the beginning of what is to come. 2022 will be the year of mobile attacks.
"Unfortunately, we will see enterprises face an increased number of these attacks, along with more zero-day and zero-click vulnerabilities, designed to target their mobile infrastructure to steal or spy on unsuspecting employees and their data. There will be more Pegasus-like spyware revelations, mobile ransomware and security breaches that originate with the mobile endpoint."
Melick ends with this cautionary note: "Until the mobile endpoints are brought into the same enterprise security fold and held to the same security standards as traditional devices, thereby providing them the tools and monitoring necessary to keep enterprises secure, mobile devices will leave enterprise attack surfaces ripe and open to the increasingly complex and varied mobile threat landscape of 2022."