State of cyber in 2022

by Mark Rowe

Cybercrime has been on the rise. As a result, the state of cybersecurity has had to shift dramatically, writes Michael Aminzade, VP of Consulting Advisory Services at Viking Cloud, part of Dublin-based Sysnet.

This has made it a difficult subject to follow for many organisations. As businesses focus on the changing approaches to work and new expectations from customers, risks created by cybercrime are being treated as a low priority.

Part of the problem is a lack of basic understanding around the state of cybersecurity at large. This isn’t because of negligence, rather the landscape is shifting so much that it’s hard to keep track of. So, in this article, I will highlight three of the most significant changes to the state of cybersecurity in 2022. This way, it will be easier for an organisation’s cybersecurity team to know where to focus first on the ongoing battle against cybercrime.

Working from home

The last two years have been tarnished by the COVID-19 pandemic. To survive these turbulent times, organisations had to adapt, and not just to changes in cyberattacks. The pivot to working from home came with concerns, but many businesses have prevailed in spite of COVID, showing that employees can work from home and still deliver. Whether a company allows working from home to continue long term will influence the digital security of its network.

The obvious issue with working from home is that it introduces several more entry points into a network. Even if employees have company-mandated laptops and phones kept up to date with the best digital security software, the home network an employee uses will naturally have their own personal devices connected to it. Smart TVs, personal smart devices and even home computers won’t be covered by a business’s vulnerability management solution, making the home network a potential route for hackers onto the corporate network.

While this might mean the better option would be to force employees to work back at the office to reduce security risks, this can have different consequences and produces other forms of security risk. An employee might prefer working from home, and being forced to come back into the office could lead to several social engineering issues. A lack of motivation to work leads to a lack of tact and care, which hackers can exploit. In the most extreme cases, it may even lead to an employee becoming an insider threat.

There are still a lot of challenges in this space that need tackling, and we will see that throughout 2022. Training employees about the risks working from home brings to both the business and their own personal data is a good start. Another tactic is to limit the number of third parties that come into contact with your data without any contractual obligation to keep it safe. There are multiple ways to achieve this; encryption, controlled access and virtual desktops are just a few examples.

A less immediate action that can be taken by an organisation (but one that will surely help) is a shift in focus to how data is handled. Rather than focusing on what is trying to enter the network (especially with networks you don’t control and manage directly), a company should focus on limiting what can leave these networks. This can be done by introducing different network tiers and controls with a mapping of what data can move between tiers. This will form the beginning of a third-party trust model. Limiting employee access to key data within the business from a “need to know” access model will also be a key part of the trust model. The shift won’t be an easy one, but in my opinion, it is a concept that needs to be adopted as part of a larger security programme.
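The tiered model described above, as an added example that is not part of the original article: a default-deny policy check that combines a map of which data classifications may cross between network tiers with a "need to know" check on the requesting role. The tier names, classifications and roles are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed tiers, from most to least controlled (the "remote" tier is the
# unmanaged home network the article warns about).
TIERS = ["core", "office", "remote"]

# Which data classifications may leave a source tier for a destination tier.
# Anything not listed here is denied: the check is egress-focused, limiting
# what can leave a tier rather than only what can enter it.
ALLOWED_FLOWS = {
    ("core", "office"): {"public", "internal"},
    ("core", "remote"): {"public"},
    ("office", "remote"): {"public", "internal"},
    ("office", "core"): {"public", "internal", "confidential"},
    ("remote", "office"): {"public", "internal"},
    ("remote", "core"): {"public", "internal"},
}

# Need-to-know: the classifications each assumed role may handle at all.
ROLE_CLEARANCE = {
    "finance": {"public", "internal", "confidential"},
    "engineering": {"public", "internal"},
    "contractor": {"public"},
}


@dataclass(frozen=True)
class Transfer:
    src_tier: str
    dst_tier: str
    classification: str
    role: str


def evaluate(t: Transfer) -> Tuple[bool, str]:
    """Return (allowed, reason). Both the tier map and need-to-know must permit it."""
    if t.src_tier not in TIERS or t.dst_tier not in TIERS:
        return False, "unknown tier"
    if t.classification not in ROLE_CLEARANCE.get(t.role, set()):
        return False, "role lacks need-to-know for classification"
    if t.src_tier != t.dst_tier:
        permitted = ALLOWED_FLOWS.get((t.src_tier, t.dst_tier), set())
        if t.classification not in permitted:
            return False, "data class may not cross tier boundary"
    return True, "allowed"


def audit(transfers: List[Transfer]) -> List[Tuple[Transfer, str]]:
    """Run a batch of attempted transfers and return the denied ones with reasons."""
    return [(t, reason) for t in transfers for ok, reason in [evaluate(t)] if not ok]
```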

Regulation changes

As cybersecurity evolves, both on the side of those protecting and attacking businesses, the standard expected for acceptable security rises. Regulators around the world are constantly re-evaluating compliance laws and standards for security, and 2022 will be no different. We already know of several new standards being introduced this year that will change the state of cybersecurity.

This year’s big new standard for payments is PCI 4.0. Due to be released in the first quarter of 2022, the adoption timeframe for companies to become compliant will extend into 2024. However, businesses will find they should become compliant sooner rather than later. This is because other compliance standards are being retired following the introduction of 4.0, such as PCI DSS 3.2.1 in January 2024.

While receiving new standards is always beneficial, as in theory it will ensure the best digital security is in force, one thing I’ve heard a lot from my customers is that businesses want to see a big push in consolidating cyber and compliance programmes. One of the biggest hurdles for ensuring compliance is not the fines but audit fatigue, where an organisation has to spend a lot of time and resources on assessments and audits from multiple companies. These audit programmes consume a lot of an organisation’s resources throughout the annual cycle. Having a single company handle it all, or combining multiple audits within the same cycle, can provide organisations with a more efficient compliance cycle and more time for their staff to assist with business goals instead of being 100% focussed on external regulation requirements.

Over the last two years, regulators have been somewhat lax about enforcing fines for data breaches and lack of compliance due to the pandemic. This was done with some consideration for the situation many companies found themselves in, but now the world is returning to the normal standard. So, in 2022 organisations can expect regulators to return to a pre-pandemic approach to enforcement, especially regarding fines. It will be key for organisations to work more closely with regulators as the world returns to a post-pandemic “new normal”.

New targets for attack

Last year we saw a ransomware attack on the Colonial Pipeline in the US which left the public on the west coast struggling to get petrol and fuel. This attack showed that the targets and victims of ransomware are not just corporations with a lot of money to pay out, but the public as well. These types of attacks will only increase because our global infrastructure is more reliant on technology than ever before, which introduces new vulnerabilities. Taking a step back and looking at the wider picture shows that the Internet of Things (IoT) is being utilised to connect cities and landscapes, driving society to become dependent on this technology. This has created more high-profile targets for hackers and blurred the line between corporate and government-focused disruptions.

That said, attacks against corporations will continue to be the norm. Depending on the organisation, the effects of an attack may cross over into the government space (like attacks against healthcare), but the focus for the vast majority of hackers is to earn money, not cause worldwide panic. Cybercriminals are very mindful about direct attacks on a country’s government, and if they do decide to attack, it will almost certainly be at the local level, as it’s easier to manage and makes less of a scene.

The important takeaway here, however, is that the threat against governments exists because hackers have the capabilities to carry it out, and these same state-level attacks can also be applied to a corporation. There has been a mindset in the corporate world where organisations don’t expect these types of state-level attacks against themselves. This needs to change, as it can leave your business unprepared and ultimately lead to a situation where the risk and cost of managing a cyber-attack, ransomware attack or data compromise is higher than the cost of protecting your organisation from them in the first place.

Solution

The state of the cybersecurity world in 2022 will no doubt shift several times. In order to stay on top of the changes to the state of cybersecurity in 2022, the industry will need to work together, partnering with external cybersecurity experts to handle compliance, regulation and vulnerability management, and to train employees in the best cybersecurity practices.

The state of the cybersecurity world is tough to navigate, but understanding what changes are coming and how cybercriminals are now attacking will make your business better prepared to defend itself from that next inevitable attack.

© 2024 Professional Security Magazine. All rights reserved.