There is no doubt that over the last few years, cybersecurity has become one of the most talked-about issues facing businesses and governments.
With more and more organizations migrating to the cloud and supporting an increasingly large and permanent remote/mobile workforce, network accessibility and security issues have driven decision-makers to re-examine their security vulnerabilities.
The increase in cyberattacks over the last couple of years, many with ransomware that crippled operations and exposed sensitive internal and customer data, has only intensified the focus on cybersecurity and what trends are shaping budget priorities for 2022 and beyond.
Based on our projections, the top trends shaping cybersecurity priorities for this year are as follows:
With the ongoing war launched by Russia on Ukraine, the White House is warning businesses and governments to be ready for a potential onslaught of cyberattacks from Russia.
In 2021, Russian criminal organizations launched attacks on the Colonial Pipeline and meat processor JBS, as well as other critical infrastructure. The pipeline ransomware attack caused significant gas shortages, while the attack on JBS disrupted food supply and increased costs.
But that was not all. An investigation by the U.S. government found that Russia’s Federal Security Service had engaged in cyberattacks over several years targeting critical infrastructure in approximately 135 countries. In the U.S., nuclear power plants and other facilities in the energy sector were targeted for breach and malware. Over 17,000 unique devices across the world were infected with Russian malware.
Of course, while Russia is very much in the news, attacks also are frequently conducted by other state-sponsored criminal organizations and teams based in China, Iran, North Korea and elsewhere.
In short, experts warn that 2022 could see an increase in cyberattacks from state-sponsored organizations and branches of hostile foreign regimes.
Ransomware cyberattacks increased significantly in 2021. One study put the increase at 105% globally. Governments saw ransomware attacks increase by 1,885%, while the healthcare industry experienced a 755% increase.
The basic reality of ransomware is that so long as criminal organizations and state-sponsored groups can disrupt critical services and steal sensitive data, businesses and governments are going to do whatever they can to restore services and reclaim their data. The cost of ransomware will continue to rise. And worst of all, the attacks will continue.
One potential reprieve for high-value targets of ransomware in 2022 is that tougher sanctions against Russia, as well as tougher restrictions on transactions via cryptocurrency, may reduce the number of attacks in the early part of the year. Many perpetrators of the most disruptive ransomware attacks in 2021 were based out of Russia and limitations on how those groups could be paid may discourage some from launching attacks in 2022.
However, assuming that any lull will persist throughout the year is unwise. The White House recently said that Russia is planning cyberattacks in response to Western sanctions. Organizations are encouraged to apply software patches and strengthen cybersecurity, with a focus on preventing breach and lateral network movement by unauthorized users.
In February of 2022, CISA, FBI, and the NSA, in conjunction with the agencies in the United Kingdom and Australia, issued a joint warning of an increased threat of ransomware against critical infrastructure.
2021 saw an increase in the severity of critical infrastructure attacks, illustrated by attacks on the Colonial Pipeline, Oldsmar, and JBS Foods. Energy, water treatment, food, and healthcare are all popular targets in addition to manufacturing.
According to IBM’s Threat Index, manufacturing received the bulk of the cyberattacks in 2021, because attackers wanted to use supply chain disruption as a motivator for ransom payments.
Experts believe that we should expect more critical infrastructure to come under attack in the years ahead. The reason is simple: the more disruptive the attack, the more pressure to pay ransom to restore services and protect customer data as well as sensitive business data.
Government cybersecurity regulations and cloud security certifications have been on the rise. The slow implementation of the Cybersecurity Maturity Model Certification (CMMC) for defense contractors has been overshadowed by President Biden’s executive order on improving cybersecurity and voluntary reporting requests that have emerged following a series of attacks on critical infrastructure.
There also is legislation pending in Congress, as well as reporting regulations from the Securities and Exchange Commission. What’s more, state governments are receiving federal funding and pulling together resources to determine how they can both better protect their infrastructure from cyberattack as well as take action to ensure businesses and their contractors are more secure.
In short, businesses can expect to see increased regulations and legislation around cybersecurity that will require investment to ensure compliance. The smart play for businesses is to be proactive and anticipate what the government is going to start to require of the business community (e.g., Zero Trust and better reporting processes). Delays will only make cybersecurity enhancements more expensive.
With more and more data and services moving to the cloud, and vulnerabilities in cloud networks exploited in 2021, it should not come as a surprise that increasing cloud security is a top trend in 2022.
According to Gartner, more than 95% of new digital workloads will be deployed on cloud-native platforms by 2025. This is up from just 30% in 2021. As remote work remains a global constant and the convergence of IT and OT / IoT continues to grow at a rapid pace, the attack surface available to hackers is growing exponentially.
In response, the top cloud providers, Amazon Web Services, Google and Microsoft, are all stepping up cloud security acquisitions. One of the latest was Google acquiring Mandiant, a market leader in cybersecurity threat intelligence, for $5.4 billion.
For everyone else, recognizing the need to ensure their use of the cloud is stable and secure is critical in 2022 and the years ahead.
As systems, devices, and data are converging and both businesses and governments are sharing data with their supply chain (including providing remote access to systems for third parties), supply chain security will be a top cybersecurity issue in 2022 and beyond.
In fact, Gartner estimates that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
This is not surprising. The U.S. Department of Defense is implementing tougher cybersecurity certification for its supply chain via the Cybersecurity Maturity Model Certification (CMMC) program. The National Institute of Standards and Technology (NIST) is planning to revise the widely adopted NIST Cybersecurity Framework (CSF) to include new resources and recommendations for supply chain security.
Businesses and governments are hyper-aware of the vulnerabilities of their supply chain, especially since the December 2020 SolarWinds supply chain attack, which impacted at least 9 federal agencies and over 100 private sector organizations (over 18,000 organizations downloaded the update with the malicious code). The concern now is not just a supply chain hack, but a combined supply chain and ransomware attack that could cause massive disruption across critical infrastructure and cost many organizations tens of millions of dollars.
With the U.S. federal government moving towards mandating tougher cybersecurity standards for private businesses that are part of its supply chain, and NIST and others making tougher standards, the business community is making similar requirements of its supply chain.
Operational Technology (OT) and Internet of Things (IoT) are now dominating our lives, especially in the workplace and in critical infrastructure organizations.
According to Zingbox, there are approximately 10 million to 15 million medical devices in U.S. hospitals today with an average of 10 to 15 connected medical devices per patient bed (meanwhile, the number of IT devices may be 3 to 4).
Other industries, such as manufacturing, also have a growing number of internet-enabled OT and IoT, including building security systems, video surveillance, elevator controls, HVAC, smart TVs and more.
The truth is that most OT and IoT devices use different operating systems from those that traditional IT security solutions are designed to identify and protect. Many also lack IP addresses. The combination of those two elements makes many of them invisible to network security. And you cannot secure what you cannot find. Hence, the moment that OT converged with IT networks, the attack surface vulnerable to cyberattack and breach expanded.
As if that were not enough, in 2021 it was reported that over 75% of IoT does not use any form of data encryption, making the devices easier to hack. Of the devices that use encryption, many were believed to not be as secure as was needed to prevent breach.
It is not surprising, then, that Irdeto found 8 out of 10 healthcare companies experienced an IoT cyberattack by 2019. This ratio has persisted over the last couple of years.
Of course, it is not just big enterprises or critical infrastructure facing increased IoT attacks and breaches; the average home is hit with 104 IoT threats every month.
The McKinsey Global Institute estimates that 125 to 130 new devices connect to the internet every second. By 2025, there will be over 30 billion IoT connections worldwide and the average person will have 4 IoT devices on their person.
Since there is no foreseeable end to the adding of IoT devices and systems to the network, and a large remote workforce figures to remain constant, the attack surface is growing exponentially. And cybercriminals are exploiting it. One Zscaler study of IoT over a two-week period blocked over 300,000 malware-related transactions.
Hence, reducing the total attack surface (or eliminating the OT / IoT / Mobile attack surface) has become a major priority for many organizations.
In February of 2022, Gartner predicted that 95% of new IT investments made by government agencies will be made in XaaS (Everything as a Service) solutions over the next three years. XaaS includes cybersecurity as well as other security services that fit under a broader category of IT infrastructure and software services.
XaaS is a growing concept that impacts all industries, not just government.
Already, companies are offering Network as a Service (NaaS) and Security as a Service (SaaS), as well as other models that bundle services together for a subscription fee. This can lower costs to the customer as well as help address security for increasingly complex environments.
Given the increasing number of security threats and the danger of malware and ransomware, companies are receiving increases in cybersecurity budgets and being forced to reexamine the effectiveness of their cybersecurity solutions. Reviewing the best options (based on assessment and needs) and adopting SaaS can provide organizations with better protection against network breach and reduce the need for more expensive infrastructure that has to be managed and maintained.
Though one of the last items in our list, phishing, pretexting and other forms of social engineering remain the most effective and common threats leading to network breach across all industries in the world.
Phishing is considered one of the most common attack vectors and is responsible for over 80% of all cybersecurity incidents.
According to Proofpoint’s “2022 State of the Phish” report, 83% of organizations said they experienced a successful email-based phishing attack in 2021. This is an increase from 57% in 2020 (a 46% increase YOY).
This means that phishing attacks are more successful, despite increased cybersecurity spending and training.
It is easy to see why. Employees in some organizations are still not fully educated on how to spot a phishing email (despite data showing that training does help reduce phishing breaches). What’s more, almost 50% believe that even if they make a mistake and click on a phishing email, their company’s network security is capable of stopping any damage.
Businesses and governments are moving towards Zero Trust, which is a security policy that assumes constant threat and seeks to always verify, in real time, that data, devices and users can be trusted.
The federal government is moving aggressively to get agencies and businesses to adopt Zero Trust strategies. In 2020, the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, rolled out its Special Publication on Zero Trust Architecture.
In September of 2020, the U.S. Department of Defense (DoD) launched its Cybersecurity Maturity Model Certification (CMMC) program to improve the security of contractors that are part of the DoD supply chain.
Following the SolarWinds malware that impacted hundreds of organizations and several government agencies, the U.S. government began to push Zero Trust and tougher cybersecurity standards. Those steps included a May 2021 Executive Order on Improving the Nation’s Cybersecurity, and then the January 2022 Federal Zero Trust Strategy.
Given the direction of the federal government, it will be critical to both understand where your organization is in adopting or implementing a complete Zero Trust strategy and to create a comprehensive journey or plan to rapidly enhance your cybersecurity in 2022.
The federal government and large companies are moving to mandate that their organizations adopt Zero Trust, as well as to require those in their supply chain to do the same. This is projected to have a ripple effect across businesses of all sizes in the next few years. Dedicating budget, time and resources to moving towards Zero Trust in 2022 will help ensure you are compliant with current and emerging rules and requirements across all industries.