This is part 3 of Trustwave’s 2022 Cybersecurity Predictions blog series brought to you by our APAC team.
In 2021, the cybersecurity industry was truly tested. Most notably, we uncovered the deeper fallout from the SolarWinds attacks, combatted the proliferation of advanced ransomware gangs and a surge in vulnerability exploitation, and saw fragile supply chain and critical infrastructure more targeted by attackers than ever.
As global cyber defenders, predicting where the broad industry could be heading is a daunting task. But by analyzing data patterns, the latest threat intelligence, the path of legislation, and the evolving needs of organizations as they continue their digital transformation and a rapid move to the cloud, we can make informed recommendations about where we need to focus our efforts as a cyber community in the coming year.
To this end, the security experts at Trustwave, Trustwave Government Solutions and the elite Trustwave SpiderLabs team from around the world will share their thoughts in a series of blogs on what 2022 might have in store for the cybersecurity industry and how we can best prepare for the next evolution of the fight against cybercriminals.
Jason Whyte, General Manager for the Pacific Region at Trustwave
Many Problems Will Remain
I see many of the more common security problems that have faced us in the past remaining as we head in to 2022. These include cloud providers not offering enough protection to their clients, poor coding that leads to vulnerabilities, along with the usual user error, patching and email compromise problems that have been around in prior years.
To counter the problems that arise from these ongoing issues companies must take care of the basics and fundamentals of cybersecurity.
Compounding the issue and breaking this cycle will be difficult as the security industry still lacks a strong supply of workers to draw upon.
Craig Searle, Director, Consulting & Professional Services in Pacific at Trustwave
Recovering from COVID
In 2022 the cybersecurity industry will still be recovering from the initial phase of the COVID-19 pandemic and while life may go back to normal, we’ll be still catching up from its long tail effects.
I believe organizations will awake from their slumber and realize that they’ve done nothing for two years from a security standpoint and while some organizations may still be attracted to “shiny things” it’s sticking to the fundamentals will make a difference in the coming months.
Eric Pinkerton, Director, Consulting & Professional Services (Pacific)
Ransomware – A Temporary Lull
Since about June, we have seen a shift in ransomware, possibly due to President Biden's subsequent dialogue with Putin that month following the attacks on Colonial Pipeline Co. and space and weapon-launch technology contractor HX5. It's possible that this series of events has influenced the dynamic between the Russian state and cybercriminals operating in their jurisdiction, which has resulted in many of the ransomware crews and affiliates revaluating their threat model. We have read about a number of arrests in Russia and Ukraine and seen many announcements of the retirement of several prolific ransomware crews.
Therefore, I predict that we are seeing a momentary lull in ransomware attacks. Once the perpetrators have enjoyed a short sabbatical and drained their ill-gotten Monero, we will see new organizations fill the vacuum. These crews will be less likely to be centered around Russia and Ukraine. As a result, they will be less likely to completely avoid targeting victims in CIS countries, who may well have become increasingly vulnerable due to a level of complacency resulting from this historic geopolitical quirk.
In 2022 organizations will continue to struggle with many of the same issues they have been struggling with for years. Primarily, as an industry, we have been unable to convince people that simply getting cybersecurity basics right is far more effective than all of the sexy, shiny, military-grade, AI-enabled blockchain distractions that compete for your budget. If you have not deployed MFA in 2022, or your desktops are still running Windows XP, then no amount of threat intelligence-led purple team engagements are going to save you from the inevitable.
Elle Biyu Wu, Cyber Security Consultant at Trustwave
Lin Jiang, Security Advisor at Trustwave
Remote Work Challenges
COVID-19 has dramatically changed how people work. According to a survey done by Gartner, the percentage of employees now working remotely has increased from 30% to 48% after the pandemic, and another Gartner report indicates that 74% of the companies consider allowing (at least part of) their workforce to remain remote permanently. Remote workers will continue to be the focal point for cyber hackers in 2022. We’ve seen an increase in security awareness training requests due to a surge in cyberattacks, including phishing, scams, and malicious activity.
- Creating and enforcing a remote work security policy is a start. The most effective way to avoid mishandling of sensitive data is to clearly outline and communicate remote working security protocols to all employees. As a result, organizations will need to thoroughly explain the consequence of non-compliance and hold employees to the signed policy document. Together with a Data Loss Prevention (DLP) solution, organizations will have more controls and visibility over sensitive data.
- Remote working through Virtual Private Network (VPN) can create new home safety “back doors” that hackers could potentially expose. As a result, organizations will look for ways to secure their VPN. Organizations can enhance VPN security by using the most robust possible authentication method.
- Organizations will spend more effort training employees in remote work security practices and supplying them with robust IT support.
- “Bring Your Own Devices” approach is becoming increasingly common and shadow IT has grown significantly, particularly with the future remote and or hybrid work arrangements. More organizations will institute a “Zero Trust” approach – never trust, always verify.
Ignacio Arancibia, Security Advisor - Governance, Risk & Compliance at Trustwave
Healthcare Related Attacks Will Continue
The pandemic has brought a renewed focus on the importance and value of the data maintained by the healthcare industry, with a particular emphasis on personal health information. Due to the pandemic, many entities now prompt individuals to share their personal health information, including vaccination status, health tests results and other associated pieces of health-related data. These data collectors include traditional health organizations and employers, retailers, and even the classic humble corner shop.
- In 2022, we expect this increased attack surface to materialize into increased numbers of data breaches pertaining to COVID-related personal health information across the board.
- Organizations across the board that previously have not had the need or the risk appetite to manage privacy and personal data protection will now scramble to do so.
- It is also likely that governments will react quickly, introducing additional privacy and data protection regulations mandating additional sets of controls or even actively enforcing audits/compliance in certain industries.
- These actions will be welcome by the cybersecurity industry but will represent a challenge for organizations trying to catch up on their privacy compliance posture
- At the same time, regulators will struggle with enforcing compliance and audit methods, as well as standardizing health-related privacy and data protection regulations outside the traditional scope of the health industry organizations, expanding it to all the organizations collecting vaccination status, test results and contact tracing information.
- Ultimately, we expect to see a heightened need for awareness and risk management of the extended privacy threat landscape.
Combatting the Cyber Talent Shortage
Amelia Gowa, Managing Consultant at Trustwave
In 2021 we saw organizations shift their hiring and training strategies, with prospective employees now sporting more diverse and varied educational backgrounds and experiences than before. This change is to help offset the cybersecurity workforce gap that a study conducted by (ISC)2 in 2017 estimated would hit 1.8 million globally by 2022.
2022 will see an even more concerted effort to shift the dial on talent acquisition, chipping away at biases long held within the industry that usually disqualify a candidate even before their resume hits the hiring manager's desk, e.g., age, number of security certifications held, degrees in purely technical fields like IT systems management, computer science, and engineering.
Organizations will actively engage prospective employees with more diverse backgrounds, experience, thought leadership and skillsets in finance, psychology, health sector, program management, literature, marketing and legal (to mention but a few). To quote Nick Ellsmore, Global Head of Strategy, Consulting & Professional Services at Trustwave, "cybersecurity is broad, and we need our approach to cybersecurity talent to be broad too."
Talent retaining strategies: organizations will make a more significant effort to ensure cybersecurity professionals are allocated resources to improve their skills, learn new things and stay current with relevant and timely training in technical fields and supporting skills (communication, leadership, strategy, etc.). Creating this flexibility and actively investing in employees will pay off.
Dealing with Deepfakes
Georgia Turnham, Cybersecurity Advisor at Trustwave
Deepfake technologies have emerged on the cyber landscape at a significant scale and continue to develop with Artificial Intelligence (AI) advances. In 2019, Trustwave observed instances of Business Email Compromise (BEC) that leveraged AI to create deepfake audio and found that technological-based controls are only one part of the equation.
With the continued development of these technologies, we see legislation emerge in the United States and many research endeavors pursued.
The U.S. has created a National Deepfake and Digital Provenance Task Force to draw on observations and expertise across public and private contexts, with the objective of countering deceptive digital content.
Nations are also taking steps to address deepfakes and deceptive technologies using different legislative tools. In 2022, lawmakers will likely draft deepfake and artificial intelligence legislation and agreements to regulate the landscape. Technology leaders will support these measures and bills as they are the primary drivers of researching and developing anti-deepfake technologies. Research from these agencies will add fuel and ultimately support the legislative arms looking to enact and pass related bills. However, without their input and consultation, these bills will be 'toothless tigers' as they won't be able to keep up with the evolution of the landscape.