The past year has shown organizations that uncertainty and a transformed reality are the new normal in business. While remote work was intended as a temporary response to the global pandemic, it is now considered a regular part of the business environment, fundamentally altering the way companies operate. This means organizations have had to respond in real time to shift their cybersecurity strategies and keep up with an expanding IT infrastructure, the explosion of IoT devices, and a new wave of threats from more sophisticated attackers. Let’s take a look back at the top cybersecurity trends from 2021 and look into the future to see where the cybersecurity landscape is going in 2022 and beyond.
The top three cybersecurity trends of 2021
#1: Shifting organizational behavior
While 2020 seemed like an anomaly at the time, the events of 2021 have shown us that drastic changes are still at work globally, from the continuing dominance of COVID-19 and the social justice movement sweeping through communities to the Great Resignation and a large portion of workers remaining remote. During the last year, organizations have experienced ongoing shifts, including:
- Increased due diligence of partnerships and M&A activity
- More adoption of a Secure-by-Design approach from product development
- Increased adoption of cybersecurity mesh strategies
- Heightened demand for interoperability
- Continuance of the remote workforce model
- Movement toward greater sustainability based on pressure from customers and shareholders
These large forces make it clear that organizations, and particularly the cybersecurity community, must adopt a more proactive approach to making their business more secure and more flexible. Organizations have been required to adapt to this new normal to accommodate the constant drumbeat of accelerated changes. From a security standpoint, vulnerability management has become more important than ever. Organizations pivoted overnight from operating on premises to a fully remote scenario. In addition, businesses faced a potential slew of new attack vectors. And from a connectivity perspective, security professionals were now facing corporate systems operating from unmonitored networks, with the perimeter expanding into workers’ homes.
The continued importance of people, process, and technology
Interestingly, the new remote work model has provided both pros and cons to security. For example, home systems and computers may not offer the same paths for lateral movement and attack as those in an office, so threat actors have had to adapt to this change. Conversely, from a social engineering perspective, organizations that previously relied exclusively on technology to stop attacks have had to recognize the valuable contributions people and processes make in building a strong foundation for overall security. The last year has shown companies the importance of adopting a defensive posture in which people, processes, and technology work together to protect the organization.
#2: Cyberthreat evolution
2021 also saw a transformation in the approach and type of cyberthreats. At the beginning of the pandemic, bad actors started targeting the healthcare industry, with medical facilities and hospitals falling victim to attacks. But during the last year, this expanded into critical infrastructure—like oil and gas—and moved into multi-stage, multi-pronged attacks that are more sophisticated than ever before across multiple verticals.
Companies are having to shift resources to cover potential attack vectors and, in terms of IoT, there is no way to know how secure the devices accessing the network are. This makes it incredibly important to ensure network traffic analysis tools are in place and protections are sufficient to minimize attacks.
From a ransomware perspective, the security industry as a whole has shown that it is not keeping pace with bad actors. Organizations—especially small-to-medium-sized businesses (SMBs)—are vulnerable because they often do not have the means to do detection and response. And once an incident happens, ransomware becomes more effective. Once an entity has been identified as willing to pay the ransom, the organization opens itself up to more targeted, multi-pronged attacks. It is clear that organizations cannot patch their way out of problems anymore—instead, they must take a multi-layered security approach to defend against ransomware.
#3: Adapting defensive strategies
While cyberthreats have evolved over the last year, cybersecurity has also seen a number of shifts in defensive strategies. One strategy organizations have employed more frequently is combining penetration testing with vulnerability management. Whether an organization takes on pen testing internally or engages third-party pen testing services, this defensive strategy taps into the strengths of both vulnerability management and pen testing to reveal and prioritize security weaknesses before a threat actor might.
However, this is only one aspect of threat-based testing. The rise of other combat strategy trends during 2021 included:
- Broader deployment of multi-factor or two-factor authentication
- Strengthening identity governance and access management policies
- Enhancing overall application and data security
Organizations that adopted these multi-layer strategies were more effective in reducing their attack surfaces, and in the identification and discovery of potential threats. In other words, security teams that successfully leveraged adaptive security tools to monitor events, and then employed specific processes to determine if those activities were anomalous in their environment, were more successful in minimizing loss and preventing further damage across the business.
The top three cybersecurity predictions for 2022 and beyond
#1: New laws and regulations
In the future, it’s likely that new laws and regulations will be enacted as the U.S. government increases its focus on cybersecurity activities, including increased data privacy legislation, increased executive liability, regulations around ransomware payments and rules of engagement for bad actors, and more focused controls over cyber liability insurance. Let’s take a look at each of these items more fully.
We have already seen the Executive Order from President Biden aimed at improving the security of Federal Government networks. With threat actors showing a focus on taking down critical infrastructure, the government will likely step up its efforts to address attacks and data privacy breach requirements. Specifically, for 2022 and beyond, there will most likely be increased emphasis on financial reporting aspects when it comes to privacy, including the cost of a breach to the organization.
Another forecast for the future is an increase in liability. Looking across all the information companies have and what the U.S. government possesses, it is critical to determine the steps organizations can take to help one another, and how that will impact liability. For example, how can security professionals and organizational leaders protect their own company when sharing information? Can shareholders, or individuals exercising a right of action, use this information against the company? Addressing liability related to data sharing will be a significant emphasis going forward, so the security community can pull pieces of information together and actually get ahead of the curve without facing significant barriers of liability.
In the future, we will also likely see more executives scrutinized for not identifying what those data points and red flags mean to the organization in a compromised situation. The public will judge companies more harshly for not taking the right actions or being aware of security concerns within their organization. As organizations grow, executives must take an active role in cybersecurity and, in the event that something happens, be able to point to specific multi-layer strategies that show an incident occurred despite their best efforts.
Finally, with cyber insurance rates skyrocketing, it is essential for organizations to demonstrate good cyber hygiene to retain their policies at an affordable rate. If companies have poor cyber practices, they will likely not get coverage for the future or will encounter cost-prohibitive policies they cannot afford. As we have seen, cyber insurance carriers have exited the market at an alarming rate, so we may see the shift of companies moving toward a self-insurance model, rather than relying on a third-party provider.
#2: Heightened cyberthreat landscape
Now and into the coming year, organizations must buckle down on cybersecurity basics to protect against bad actors. And prevention really is the key to this. Once an attack has taken place, organizations scramble to respond and are reactive to the situation. Companies must take a proactive approach to focus their efforts on security fundamentals. Looking to 2022 and beyond, we will likely see:
- Increased supply chain attacks
- Increased OT/IoT attacks
- Increased ransomware-as-a-service
- Increased use of unique and custom cybersecurity toolsets
Let’s look at two of these points in more depth. In the future, ransomware-as-a-service will likely increase tremendously. Why? Because breaching a network and gaining a foothold is still a viable option for bad actors. With so many flaws in an organization’s security posture, breaches are common. Ransomware is really just automating a series of post-exploit steps. So, until the security fundamentals are shored up, these quick smash-and-grabs are still possible, particularly for SMBs.
Finally, in 2022 and beyond, we will likely see an increase in more skilled bad actors customizing their toolkits for specific targets. Customized toolkits are more difficult to detect, but they also give those actors a custom signature. We will also likely witness more bad actors creating a business out of this. Because they have customized their toolkits and have gained a foothold, where the compromise may be undetected for days, weeks, months, or years, bad actors are creating a viable offering, providing illicit access as a means to insert additional malware, ransomware, trojans, and backdoors, and to extort more ransom from the organization.
#3: Changes in market and organizational behavior
With all the changes and forces at work, organizations are becoming overwhelmed. They have too many security solutions to monitor and cannot keep up with the demand for alerting and mitigation. In the future, by necessity, companies will look to consolidate their cybersecurity vendors and seek to get security tools and services from fewer sources. A recent IBM study found that, on average, companies use 45 cybersecurity tools in their networks. With the cybersecurity tech stack spiraling out of control, organizations will look to simplify their approach and work with security providers that can consolidate the greatest number of services under one umbrella.
Finally, and perhaps most overdue, cybersecurity will gain a seat at the board table. Organizations cannot unsee what has occurred over the last few years. Now there is greater recognition of, and funding for, cybersecurity strategies and solutions. This means we will likely experience a marked shift around organizational playbooks. Specifically, from a risk management perspective, companies will move from a focus on asset protection to a focus on loss prevention. They will invest in loss prevention capability, bringing in data security and protection officers and bulking up their security teams. Executives and board members will also likely become more involved in cybersecurity as the need will only intensify in the coming years.
Learning from the past, moving toward greater protection in the future
If the continued events of 2021 have reinforced anything, it is that organizations should not be surprised by disruptions or caught off guard in protecting their networks and infrastructure from attack. The best safeguard within this turbulent environment is to put in place a multi-layered security approach that is both proactive to prevent potential attacks and responsive when attacks can—and likely will—occur.
Agile risk management will continue to play an even greater role as organizations adapt to changing conditions and global events. And while there is no guarantee the predictions for 2022 and beyond will come true, there is one thing that is for certain—cybersecurity is more essential than ever.