First, the good news: 2021 is behind us. It will go down as one of the worst, with major criminal hacks to gas pipelines, meat packers, utilities, government agencies, healthcare facilities, and other critical infrastructure.
The bad news: 2022 could be a doozy. Just as the SolarWinds attack accelerated in early 2021, early 2022 is ringing in the new year with one of the riskiest software flaws in history—the Log4j vulnerability.
The Federal Trade Commission has amped up the pressure, warning this week that it would pursue companies that don’t patch the flaw. It cited its own $700 million settlement with Equifax in 2019 for failing to patch a vulnerability that exposed the personal information of
147 million consumers, as an example of what could happen to
No one in a leadership position feels safe. According to a recent Tanium survey of 345 cybersecurity professionals, the majority (64%) believe it is moderately to extremely likely they will be the victim of a successful cyberattack in the next 12 months. Malware poses the biggest security threat to organizations (35%), followed by human error (24%), insider threats (20%), and zero-day exploits (11%).
To anticipate their specific concerns, Endpoint spoke to dozens of security experts to learn their security priorities for the year ahead.
Bracing for an onslaught of ransomware
Because ransomware attacks are so profitable and entail such low risk for their perpetrators, they will keep coming and attackers will continue to innovate.
Last year (a.k.a. 2021) saw a significant increase in so-called ransomware-as-a-service (RaaS) and double extortion attacks. With ransomware-as-a-service, cybercriminals offer malware to others on a pay-for-use basis. Experts say that in 2022, enterprises and other organizations will see an increase in an affiliate model of cyberthreats as cybercriminals hire more people, subcontract work, or lease tools to affiliates.
With double extortion ransomware, attackers first steal victim data before encrypting it for ransom. Then, if the victim refuses to pay to recover access to their data, the attackers may offer it to the highest bidder or upload it on the internet.
The first steps taken after such an attack allow CISOs and incident response teams to execute quickly, focusing particularly on backups and resilience. Security leadership is doubling down on network segmentation (into smaller physical or logical components), asset management, vulnerability management, business continuity planning, and quarterly incident response exercises. Many leaders will need to deploy tabletop exercises to mitigate ransomware quickly and effectively.
Moving zero trust from whiteboard to implementation
If 2021 was the year the security industry talked about zero trust, 2022 will be the year security teams will put it into practice.
“If you haven’t already, 2022 is the time to go all-in on zero trust,” says Amanda Fennell, CSO and CIO at Relativity, a provider of end-to-end legal and compliance software.
In today’s hybrid working model, she says, organizations must provide users with the bare minimum access they need to accomplish their mission. Controlling access enables easy containment of a compromised device, especially as the remote workforce adds more endpoints outside the traditional perimeter.
To stay competitive, security experts say organizations are demanding best-of-breed and quickly changing IT resources. Security personnel, like all workers today in various departments, expect to be able to work from anywhere. That expectation allows security leaders to shift from traditional network-centric security models and create granular access controls focused on user identity and endpoint trustworthiness.
If you haven’t already, 2022 is the time to go all-in on zero trust.
Spending on zero trust is expected to reach about $39 billion in 2024, up from $16 billion in 2019, according to the B2B research firm MarketsandMarkets.
Integrating cybersecurity with business objectives
For years, security leaders have worked to better align their security investment with the business value of the devices and data they’re protecting. But today’s onslaught of costly attacks and the increased pace of digital business transformation mean that will be more critical than ever in 2022.
“It has always been critical, but now we are all exposed to state-level actors, and this means amateur hour is over,” says David Elfering, senior director of information security at ReSource Pro, which provides a productivity platform for insurance operations.
We are all exposed to state-level actors, and this means amateur hour is over.
While security leaders may feel outmatched by the capabilities of the most sophisticated hackers, it’s never too late to increase organizational preparedness. “We can still move the bar higher,” says Elfering. “The security team must understand the business so that it can protect it and truly manage risk.”
Securing the supply chain
It’s been a little over a year since the SolarWinds attack, and CISOs still have little visibility into their own third-party software risks. But cyber-risks to supply chain software erupted into view in 2021, most recently with the Log4j vulnerability.
Several initiatives are underway to help patch systems, including the recent White House executive order that hopes to fortify software security standards, mandate and expedite certain breach notifications, and increase the sharing of cybersecurity information among organizations. The call for a “software bill of materials” (SBOM) aims to improve third-party software supply chain risks by detailing all the components of a piece of software.
CISOs need to get serious. They must check service-level agreements (SLAs) to hold third parties accountable.
Automating what can be automated
When most security professionals think of automation, they think of capabilities around “security orchestration, automation, and response” (SOAR). And this is undoubtedly the bulk of the security automation investment. Still, it’s also essential to automate everyday workflows, including asset management, identity management, vulnerability management, and, of course, patch management.
Automation must be a people thing. Each CISO has dozens of systems and tools that are critical to the business, but never enough eyes to develop the right understanding of threat, risk, performance, and consistency. Companies can have the most amazing processes and dashboards, but if they aren’t making workflows effective and saving analysts time, it’s just another pane of glass. Automation should be prioritized in areas that reduce alert fatigue and human error and speed recovery time.
CISOs have to focus the best they can on making themselves more efficient and more effective.
Focusing on fundamentals
Security professionals still have a lot of work to do to secure their enterprise systems. They also must establish basic protocols, like proper cyber hygiene.
“There’s going to be a focus on a lot of the fundamentals organizations need to protect themselves from ransomware to mitigating third-party risk,” says Scott Crawford, head of information security research at 451 Research. “These are the basic things security teams have needed to be doing and have been working on to some degree. But none of that means these tasks are easy.”
Indeed, many CISOs will realize in 2022 that they must go back to cybersecurity basics, including detection and incident response, says Martin Fisher, director of information security and CISO at Northside Hospital in Atlanta. “The pace of zero-day threats combined with the speed at which the business is adding new tech to the network means that being able to find and respond to threats quickly and effectively will be critical,” Fisher says.
All of the above problems are tough, year-over-year challenges. “It’s not for lack of attention or willingness to solve these challenges,” says Crawford. “It’s just that they are very hard problems. CISOs have to focus the best they can on making themselves more efficient and more effective.”