By Ajay Singh, Author of CyberStrong: A Primer on Cyber Risk Management for Business Managers
As we come to terms with the record-breaking statistics and deal with the devastating impact of cyber-attacks and data breaches in the year gone by, we now need to identify, assess, and prioritize the cybersecurity challenges that lie ahead of us in 2022. While the focus of the past year (or two) has been on fighting the pandemic, cybersecurity has been another serious threat that individuals, businesses, and governments have had to deal with. The year 2021 was bookended by two of the potentially most devastating cyber threats: SolarWinds and the Log4J vulnerabilities, which shook the very foundations of cybersecurity plans and programs. Even though the two incidents are somewhat different from a technological standpoint, both provided warnings of the scale and widespread implications of future cyber-attacks.
The past year has seen unprecedented cyber-attacks in terms of nature and scope: ransomware (CNA Financial, Acer), critical infrastructure (the Oldsmar, Florida water supply attack, the Colonial Pipeline attack), data breaches (Bombardier, Domino’s India), and the aforesaid supply chain attacks are just a few. Closer analysis of cyber-attacks in 2021 reveals that hackers have upped their game in terms of the tools they use and their capability to launch targeted attacks and play the waiting game.
Trend Micro partnered with the Ponemon Institute to investigate the level of cyber risk across organizations and create a Cyber Risk Index (CRI). The index, which is refreshed regularly, measures the gap between an organization’s current security posture and its likelihood of being attacked. Their index currently shows ‘elevated risk’ at the global level. As we step into 2022, this means that governments, organizational leadership, and individuals need to brace themselves for more significant challenges in terms of cybersecurity.
Cybersecurity is full of challenges, some new, some old but continuing, and some emerging. To be safe and secure, we need to deal with them all but prioritize and mitigate the significant risks in terms of severity of consequences and likelihood of the risks materializing. Across organizations and geographies, here are my Top 10 Cybersecurity challenges for 2022.
1. Supply Chain, the weak link
Supply chain attacks have been a potential cyber threat for some time now, but 2021 saw massive growth in these attacks. Hackers demonstrated the kind of severe damage they could cause by leveraging vulnerabilities in the software supply chain, impacting thousands of organizations. The SolarWinds and Kaseya attacks showed that by successfully compromising a software vendor, hackers can launch different types of cyber-attacks on the downstream businesses that use that vendor’s software and services. While third-party software has always carried certain risks, a level of trust existed based on the vendor’s pedigree and commitment to cybersecurity. Organizations can no longer blindly trust the third-party applications, open-source software, and application interfaces they use. They must proactively examine their Software Bills of Materials (SBOMs) and take steps to mitigate the associated risks.
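As an added illustration of what examining an SBOM can look like in practice (this is example code, not part of the article), the Python script below reads a CycloneDX-format SBOM and flags components whose version is below a watchlist threshold. The SBOM contents, the watchlist, and the fixed-version numbers are all constructed placeholders; real thresholds must come from the relevant vendor advisory.

```python
"""Added example: scan a CycloneDX-style SBOM for watchlisted components.
The SBOM and watchlist are constructed; version thresholds are placeholders."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON fragment for a hypothetical application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "widget",
         "version": "3.2.0"},
    ],
})

# Constructed watchlist: (group, name) -> first version considered fixed.
# PLACEHOLDER thresholds, not advisory data; replace with vendor guidance.
WATCHLIST: Dict[Tuple[str, str], str] = {
    ("org.apache.logging.log4j", "log4j-core"): "2.17.1",
    ("com.example", "widget"): "3.1.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric characters are dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_affected(sbom_json: str, watchlist=WATCHLIST) -> List[dict]:
    """Return watchlisted components whose version is below the fixed one."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        key = (comp.get("group", ""), comp.get("name", ""))
        fixed = watchlist.get(key)
        if fixed is None:
            continue  # component is not on the watchlist
        if parse_version(comp.get("version", "0")) < parse_version(fixed):
            hits.append({"component": f"{key[0]}:{key[1]}",
                         "version": comp["version"], "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print(f"{hit['component']} {hit['version']} is below {hit['fixed_in']}")
```

The same loop works over an SBOM exported by a build tool or supplied by a vendor, which is where the inventory the article calls for would actually come from.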
2. Ransomware attacks remain a potent threat in 2022
According to the X-Force Threat Intelligence Report, ransomware was the number one threat in 2021, comprising 23% of all cyber-attacks. High-profile ransomware attacks in 2021 included targets like Colonial Pipeline and JBS Foods, which not only disrupted the operations of the respective companies but impacted the lives of everyday people who had to put up with gas and meat shortages. No industry or firm, regardless of size, is safe from ransomware attacks. Kia Motors, the Korean automobile giant, and Acer, the Taiwanese computer company, faced ransomware attacks in 2021. Even the Washington DC Police Department was not spared, as hackers locked up data on informants, gangs, and employees and demanded a ransom of US$ 4 million to prevent data leaks. Keeping ransomware out by implementing measures such as ready-to-use back-ups, encrypting important data, data exfiltration monitoring, early detection and response through software, timely updating of software, implementing zero trust strategies, and training employees is key to preventing and mitigating risks from these attacks. For organizations facing ransomware attacks, ransom payments may also come under the regulatory ambit, and hence robust prevention measures must be put in place. If your organization doesn’t have a plan to deal with a ransomware attack, this is the time to implement one and enhance your security posture.
3. The rise of edge computing throws up new security challenges.
The concept of edge computing is fast gaining ground. According to Ericsson, by 2023, 5G will make up around one-fifth of all mobile data traffic, and 25% of the use cases will depend on edge computing capabilities. Edge computing is about gathering, processing, and analyzing data generated by IoT devices at the network edge rather than transporting it to centralized computing resources. While this provides excellent opportunities for innovation, it also opens IT infrastructure to new security issues. The problem primarily stems from the non-standardization of IoT hardware protocols combined with the diversity of use cases, which can throw up several security challenges, including ensuring proper configuration of devices and administering timely updates. The integration and security management of legacy IoT devices pose another challenge. From a security perspective, the challenge is further exacerbated by the fact that not all the edge computing platforms being deployed are readily accessible: they are distributed across enterprise networks, making remote management even more difficult. Hence, edge computing shares the same security challenges as IoT devices, which are usually small, often not built with security in mind, and may not even be capable of receiving updates. All these issues, if not addressed, can provide hackers with easy entry points into the core systems to which the edge devices connect, from which they can launch deadly cyber-attacks. Regardless of the type of edge computing platform, organizations are deploying zero-trust IT architectures to better secure the entire distributed computing environment and meet the security challenges of edge computing. As organizations increasingly turn to remote working, employees become the edge.
To prevent endpoint attacks and address the need for better-automated threat prevention, detection, and remediation, concepts such as Endpoint Detection & Response (EDR), which were initially deployed, have evolved further in the form of Extended Detection & Response (XDR) and secure access service edge (SASE) solutions.
4. Crisis of trust: privacy and identity management challenges
Every data breach, exploitation/misuse, or illegitimate use of personal data results in an erosion of trust. In recent times, issues of digital trust such as identity theft by cybercriminals through large-scale data breaches, the alleged exploitation for profit of data entrusted to Big Tech companies, and the misuse of citizen data by government authorities have been a matter of public debate. Even as the debate rages on about finding the right balance between privacy, exploitation, and misuse, all parties to the debate have their concerns. Despite the efforts made, a fair, transparent, and equitable regime that encompasses privacy, data protection, and accountability remains unresolved. What has this got to do with cybersecurity, you may well ask? Privacy protection and cybersecurity have historically been considered and handled in different organizational silos. Still, as more and more personal information is processed or stored online, organizations must practice effective cybersecurity that can secure data and safeguard personal information. Managing identities across an organization, and in the current context across economic, social, and political contexts, has become central to online safety and security. Beyond simple strategies like multi-factor authentication and the use of biometrics, which represent basic security approaches, there are bigger challenges: unification (or non-duplication) of identity information within and beyond organizational boundaries, and preventing the misuse of personal information through Artificial Intelligence and deep fakes to perpetrate financial frauds, among others. The launch of the metaverse and its related security challenges will need to be addressed early. The metaverse promises a new in-depth virtual experience that is expected to transform the way we work, live, play, and interact with each other.
Several technologies which are still evolving, such as virtual and augmented reality, smarter digital devices, and next-generation social platforms, will bring forth several security concerns, from device management to personal data privacy issues. The time for convergence of privacy and cybersecurity is now, to make our digital lives more secure and safe. We cannot afford any further erosion of digital trust if we are to embrace the benefits of newer technology; there will be a huge price to pay. While regulatory frameworks to address security challenges evolve, 2022 will require technology companies and organizations to follow ethical considerations, taking responsibility and accountability for privacy, data protection, and cybersecurity. Indeed, this is a huge ask.
5. Never-seen-before 5G vulnerabilities and mobile malware
The year 2022 will see 5G rollouts on a large scale in every region of the world, enabling connectivity for appliances, machines, objects, and devices at speeds reaching 10 gigabits per second – up to 100 times faster than 4G networks. For users, such high-speed access will provide great digital experiences. For applications, services, and content providers, it offers the opportunity to develop a whole new generation of feature-rich functionality that users are waiting to lap up. While the opportunities and possibilities offered by 5G technologies are tremendous, they come with a new set of vulnerabilities that hacker groups are waiting to exploit. 5G networks have one big difference compared to previous generations of networks: a move away from centralized, hardware-based switching to distributed, software-defined digital routing. With software controlling the network, cyber vulnerabilities are inherently more complicated and require a rethink of cybersecurity strategies.
A research study by Strategy Analytics says that half the world’s entire population owned a smartphone as of June 2021. This means that around 4 billion people use a smartphone today. Other reports suggest that by 2021, there will be 35 billion IoT devices connected to the Internet. IoT is about to experience another boost from 5G technology due to its inherently higher speeds, which enable faster communication and sharing of information. Initiatives in smart cities, smart buildings, smart cars, and similar efforts to reduce carbon emissions will lead to a proliferation of smart devices being connected to the Internet. Overall, this will result in a quantum leap in the attack surface and could become a hacker’s paradise, warn cybersecurity experts.
Adding to security concerns could be ‘never-seen-before’ malware and cyber-attacks using botnets of a size and scale that we have never experienced.
6. Watch out for a sharp increase in attacks on Critical Infrastructure.
A recent research study by Skybox Security found that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. Critical infrastructure is largely dependent on OT to deliver essential services for the public’s health, safety, security, or economic well-being and the effective functioning of government. In 2021, hackers actively perpetrated disruptive attacks on energy grids, water supply systems, and gas pipelines. They are aware not only of the lacunae in OT systems, which are mostly legacy systems, but also that ransomware attacks on critical infrastructure can be lucrative propositions. Reports suggest that Colonial Pipeline paid the $5 million ransom one day after cybercriminals hacked its IT network, which crippled fuel deliveries up and down the East Coast.
Even as regulators enhance security compliance standards around critical infrastructure, weaknesses like legacy hardware, lack of unified control across IT and OT platforms, software supply chain vulnerabilities, and investments required for upgrading OT platforms are issues that will continue to bother us during 2022. Smaller companies in power generation and other utilities are more likely to be targeted and will feel the pressure to raise their security standards and processes beyond basic compliances.
7. Misconfiguration and updating: a challenge that continues to haunt us
On the face of it, this appears to be a simple problem that must be addressed by security and IT teams. A study by Productiv, a provider of SaaS management solutions, indicates that the average company has 254 applications. Updates are critical for all technology, but especially for IoT devices, because they’re often located in the field, on the factory floor, or in hospitals. Employees working from home make this task more complicated. When you consider these facts, what emerges is that this challenge is a far cry from managing updates on a few servers and desktops located within the four walls of an organization. It is not an issue that will go away on its own; if not addressed, it will only grow in size, scale, and complexity. This security challenge is not new and has persisted over the years, as can be seen from the following statistics:
The Voke Media survey of 2016 observed that 80% of companies that had a data breach or a failed audit could have prevented it by patching on time or applying configuration updates. It further found that even after a breach or failed audit, nearly half of companies (46%) took longer than ten days to remedy the situation and apply patches, because deploying updates across an entire organization can be complex. The situation showed no improvement: an Edgescan study in 2018 found that the average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) was 67 days. As it stands today, the challenge of properly configuring systems (including cloud configurations) and applying timely updates is more daunting still, with most organizations having little or no visibility of the applications and devices that connect to their enterprise network. The only way to meet this security challenge is to maintain an up-to-date inventory of applications and devices, implement patch management processes, and use automated patch management tools.
8. Beware: the weaponization of deep fakes
Human beings are hardwired to trust their five senses and act on them. However, ‘seeing is believing’ is passé as far as the Internet is concerned, and hearing, on which we rely so much, can no longer be blindly trusted either. Deep fake technology advancements today enable the creation of such realistic images and sounds that anyone, no matter how tech-savvy, can be fooled. Hackers are becoming adept at using deep fake technologies to launch phishing and cyber-attacks to meet specific objectives or target particular persons. In 2022, organizations need to be highly vigilant and aware of deepfake-based frauds of various kinds.
Last year, the Federal Bureau of Investigation issued a warning regarding the rising threat from deep fakes, describing them as “the broad spectrum of generated or manipulated digital content, which includes images, video, audio, and text.” In 2022, this threat is likely to get more potent, and the only counter to it seems to be to ‘verify’ and then ‘trust.’ Any critical piece of information that involves or leads towards a financial transaction or some other critical action must be verified multiple times or offline before it is acted upon. More than technology, the challenge is for human beings to be aware and vigilant in order to thwart such cyber-attack attempts.
9. The Human Factor: Phishing and Social Engineering Remain Major Challenges
According to the Human Hacking Report published by SlashNext, there was a 270% increase in social engineering threats found in 2021. Phishing attacks rose by 51% over the previous year’s record-breaking level. This indicates that social engineering continues to be the preferred method for hackers. It enables them to steal the credentials needed to cause more significant harm to individuals and organizations. The use of automation by cybercriminals to perpetuate their human hacking and their various social engineering schemes has given their threats an added dimension, making them more potent. Besides specific cybersecurity measures to ward off automated attacks, higher awareness and vigilance are required to meet this challenge. Regular awareness and threat simulation exercises, along with training on the various forms of threats and scams, are key to engaging all employees in cybersecurity and effectively responding to this No. 1 cyber threat.
10. Remote/Hybrid working here to stay
The Next Great Disruption Is Hybrid Work—Are We Ready? asks Microsoft in a recent article. At the same time, a Unisys report suggests that while 61% of hybrid and remote workers feel primarily responsible for maintaining their digital security, only 21% are aware of sophisticated online threats. Remote working started as an employee-friendly initiative in the pre-COVID era and became a necessity as the pandemic spread worldwide. We have since moved to a work-from-anywhere, anytime environment. This has created many security-related challenges for organizations. These challenges include a flexible corporate network perimeter, security issues in managing endpoints and cloud applications, the lack of the security practices and discipline that existed in office environments, insecure home networks, and other factors that undermine defenses. These sources of risk to corporate systems and security have been known for some time now. However, organizations must recognize that the immediate and ad hoc measures they have taken to secure against remote working risks will be inadequate in the long run and require a change in strategy and approach. Adopting strategies like zero trust, implementing EDR and XDR, enhancing cybersecurity awareness among employees, and setting a baseline for online conduct when connecting to enterprise systems are measures that are still a long way off for many organizations.
Organizations face numerous security challenges, but addressing key challenges can significantly reduce risks and mitigate any damage in the face of a cyber-attack or data breach. Security is a moving target, but the time to make incremental changes and investments in cybersecurity is over. We have reached a stage where a rethink of enterprise security considerations, controls, and architectures is required, and 2022 seems to be the year when we must recognize the new challenges in terms of cybersecurity and initiate short-term and long-term actions to secure our systems and ourselves from the devastating consequences of a cyber-attack or data breach.