Cyber outlooks

by Mark Rowe

As we look ahead to 2022 many organisations are finding themselves in a very different place than was envisaged in their three, four or even five year strategies, says Dave Henderson, CEO – Sales & Marketing, at the cyber consultancy BlueFort Security.

He says: “As we look ahead to 2022 many organisations are finding themselves in a very different place than was envisaged in their three, four or even five year strategies. These differences are being felt right across companies from new (and abandoned) product offerings, routes to markets, employees and physical office space. The element that knits all this together is the underpinning IT infrastructure – and for IT and security teams this could cause the biggest New Year headache of all.

“IT strategies that were written even three years ago will become – in large part – a thing of the past. It was probably written when the company had physical offices, and most employees worked there. As we wave goodbye to 2021, offices are still largely empty. The concept of networking is increasingly difficult to define. Security teams are having to deal with user sprawl and device sprawl. Instead of securing a main location of 1,000 employees, they’re now having to secure 1,000 branch offices each with one employee in it. The concept of all endpoints being in a secure network location is the thing of Christmas pasts. From a cybersecurity standpoint, the assumption should be that every endpoint is in a hostile situation.

“All of this means that in 2022, many IT and security teams will spend a large chunk of time reviewing what they’ve done in the previous 12 months, and in many cases, undoing some of those things. A recent study found that 30 per cent of CISOs admitted that since March 2020 they’ve lost track of movers, joiners and leavers, and 29pc stated they are missing corporate devices. For these guys, IT discovery will become the number one priority in 2022. Why? It’s simple. You can’t protect what you don’t know is there.”

A vulnerability, dubbed log4shell, has been reported in Log4j, a free piece of software often used by developers and IT professionals on applications and servers to record or log activity. It could allow hackers and cyber criminals to send malicious code to Log4j, potentially resulting in irreparable harm to devices.

Jude McCorry, CEO of the Scottish Business Resilience Centre (SBRC), said: “While the impact of log4shell is yet undetermined, organisations could still be in the dark if they even use Log4j in their systems. All organisations must consider themselves at risk of this global vulnerability until it has been confirmed that they are not. There is no time to waste here; the SBRC is calling on all businesses to take action now to avoid potentially catastrophic results.

“It is not just work devices that are on the line – personal devices are also at risk and so must be part of the updating process. Acting now and looking into other services that are used – including third-party software – will help to provide peace of mind. Given the meteoric rise in cyber incidents this year, individuals and organisations must turn to trusted sources to keep up to date on credible threats to operations like this. The SBRC app provides push notifications within minutes of the insight being received covering cyber threats with accurate guidance.”

See also: https://www.sbrcentre.co.uk/log4shell-explained-in-simple-terms.

Ransomware is going to continue to evolve, said Heather Gantt-Evans, CISO at the password and identity management product firm SailPoint. “We are now seeing ransomware converging with hacktivism, where companies are being hit with ransomware just due to the hacker’s perceptions of a business’s values, industry, or actions. In these situations, the hackers are not even requesting a ransom or offering to decrypt the data. We also see that ransomware gangs now have the funds to purchase zero-day vulnerabilities that previously were only accessible to nation states.

“In 2022, Ransomware-as-a-Service will continue to make ransomware more accessible to a wider range of attackers, while also paying company insiders to deploy ransomware at their place of employment. Nation states are going to continue to invest heavily in compromising identities and using ‘live off the land’ attacks that are very difficult to detect because they do not use malware but instead use native operating system features to carry out their attacks.”

Recent history has only shown the pace of change in security to be accelerating, both in terms of attack surface and threat landscape, says Ben King, the CSO for EMEA & APAC at Okta, the identity management company. “The affiliates who operate ransomware-as-a-service don’t care who they’re attacking. Some target organisations for multi-million dollar payouts, but others want a few thousand. Anyone can be targeted, and smaller fintechs and SMEs more generally need to be aware that attackers are not just going for the big banks, and large campaigns can have significant collateral damage beyond initial targets.

“Advantages from a zero-trust transformation are as difficult to quantify as any security transformation, so it can be hard to reflect in a traditional cost-benefit analysis. The benefit is best quantified as reduced risk, as good security will offer fewer major incidents as hard data points, as well as better visibility of the ‘near misses’. This can be proven effective via external audits, red and purple team exercises, as well as driving compliance and regulatory-driven requirements for an organisation. In 2022, the world will still be grappling with vendor compromises and an expected long tail of log4j vulnerability as organisations seek visibility and assurance of supply chain exposure and remediation. Being able to demonstrate a completeness of vision to manage unforeseen risk in a remote-first world will be extremely valuable to investors and customers alike to ensure business continuity and resilience.”

Prioritisation is the only way for organisations to manage the risk of cyberattacks in this new era of advanced technologies that can be used for both good and evil, says Ilia Sotnikov, VP of User Experience & Security Strategist at the data security company Netwrix. “Simply put, organisations need to focus on securing their most important and valuable assets from the most likely incidents, and update their policies regularly. It is increasingly obvious that cyber insurance is not a lifebuoy. Risk assessment is first and foremost our own responsibility.”

And Chris Berry, CTO and GM of Security Solutions, PDI Software, predicts that in 2022, we’ll continue to see the proliferation of ransomware hitting all sizes of businesses. “But we’ll also see an escalation of the ransomware attack model with extortionware. With more businesses maintaining secure backups to avoid paying a ransom to unlock encrypted data, cybercriminals are now threatening to publicly expose sensitive data.

“Doing so can cause significant business risk, especially when the blast radius extends to customer, partner, or vendor data. That’s why it’s so important to make sure you’re preventing threats by securing your perimeter. But you also need the capabilities to detect potential threats and respond in real time if you suspect you’ve been breached.

“Unfortunately, a large number of businesses still aren’t adequately protected against today’s sophisticated threat landscape. If you don’t have the internal cybersecurity staff or expertise to maintain 24/7/365 coverage, you might want to seek out a managed security services provider to supplement your own team’s efforts.”

© 2024 Professional Security Magazine. All rights reserved.