5 Cybersecurity Predictions for 2022
It’s difficult to think of a time when companies faced a wider profusion of threats than they do right now. Today’s businesses are facing a perfect storm of cybercrime provocation: digital innovations that have opened up new attack vectors, increasingly sophisticated and ambitious cybercriminals, changes in how and where we work, more interconnected digital networks and systems, and so on.
2022 is the year for companies to take a close look at their cybersecurity platforms and determine whether they’re staying ahead of these trends. Considering the recent string of high-profile cyberattacks on targets ranging from the U.S. government to critical infrastructure systems, it’s clear that a wide range of organizations are vulnerable, and many cybersecurity protocols need to be reassessed.
Companies will only be able to understand their risk profiles and what measures they can take to protect themselves if they know which tactics cybercriminals are deploying and the attack vectors they’re exploiting. Observing these shifting plates in the technology space, NINJIO CEO Zack Schuler shared his top five predictions for cybersecurity in 2022 and what businesses need to know to stay secure:
Prediction #1 — Social Engineering Attacks Will Continue To Increase
Despite the expanding array of digital tools cybercriminals and other threat actors have at their disposal, their primary targets will continue to be the human beings who work at the organizations they want to infiltrate. Regardless of how sophisticated the lockpicks become, it will always be easier to walk through an open door, which is what happens when employees click on malware and give cybercriminals a foothold. This is why it’s no surprise that, according to Verizon’s 2021 Data Breach Investigations Report, social engineering is the top cause of breaches, 85% of which involved a human element.
The only way to address social engineering attacks is by increasing cybersecurity awareness among your employees. When employees know what warning signs to look out for and how to respond if they suspect a cyberattack is underway, they’ll be able to prevent breaches and minimize the amount of damage when attacks take place. This is particularly important at a time when the average cost of a data breach (according to data from IBM) has risen to $4.24 million and the average time necessary to contain a breach is 287 days – both numbers that have increased significantly over the past several years. The threat of social engineering has also been exacerbated by the transition to remote work. A 2021 study conducted by Forrester reports that “67% of business-impacting cyberattacks targeted remote employees.”
Cybersecurity training works. To take just one example, McKinsey reports that a large bank saw a 95% improvement in click rates on phishing tests after running “more frequent awareness campaigns (with tailored pandemic-themed content).” As social engineering attacks continue to comprise a major share of overall cyberattacks, awareness training will only become more important.
Prediction #2 — Threats to Critical Infrastructure Will Keep Rising
It’s not a mystery why threat actors often set their sights on increasingly digitized and interconnected critical infrastructure systems. As the Colonial Pipeline hack in May 2021 demonstrated, these systems aren’t just vulnerable; they’re particularly lucrative targets for cybercriminals due to their role in the provision of basic services.
Infrastructure cybersecurity has become a core focus for the government and the private sector. When the Biden administration declared that November is Critical Infrastructure Security and Resilience Month, it made the mitigation of cyberthreats a top priority. Other parts of the federal government have done the same. Lawmakers recently introduced a bill that would require utility providers to report potential cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, while the recent $1.2 trillion Congressional infrastructure package allocated $1 billion to state and local governments for cybersecurity.
There’s a reason the U.S. government is emphasizing stronger cooperation with the private sector to improve infrastructure cybersecurity: companies are often the first line of defense for critical infrastructure, and they’re under threat like never before. A recent Check Point study found that American utilities providers are being attacked 300 times per week. In an October 2021 article, researchers from Check Point and the National Institute of Standards and Technology (NIST) explained that over 60% of ransomware attacks target “industries with critical infrastructure, led by healthcare, utilities, and manufacturing.” The focus on infrastructure cybersecurity isn’t just unprecedented – it’s essential.
Prediction #3 — Device Security Will Become More Important
Take a moment to consider how many connected devices you use on a daily basis. If you’re anything like the typical American, that number has spiked in recent years. According to research from Deloitte, the average U.S. household now has 25 connected devices, a total that has been steadily rising. Gartner reports that the global Internet of Things (IoT) market will reach $21.3 billion in 2022, a 22% increase from 2021. And Nielsen has found that American adults spend an average of 10 hours per day on their devices.
As the use of connected devices surges, there has been a commensurate rise in the number of attack vectors for cybercriminals to target, a problem that’s especially pronounced in the remote work era. According to a 2021 HP survey, 44% of companies reported that device infiltration had been used to infect the entire organization, while 45% “saw an increase in compromised printers being used as an attack point.” Meanwhile, 70% of employees say they used work devices for personal tasks, 69% used personal devices for work, and 30% allowed someone else to use their work devices (85% of IT decision-makers believe this behavior increases the risk of a security breach).
As remote work remains the norm, device security will be all the more important, especially as employees migrate from their home offices to coffee shops, airports, and other public spaces. The use of VPNs will be mandatory, as will basic rules around physical device security (always lock your device when it isn’t in use, don’t leave it sitting alone, use a password manager to make breaking in more difficult, and so on). It’s crucial to keep all IoT devices updated and refrain from saturating your home network with potentially insecure devices. Employees have to remember that they’re often carrying sensitive company data with them wherever they go, which means they always have the weighty responsibility of keeping that information safe.
Prediction #4 — Cybersecurity Budgets Will Grow
As the total number and cost of attacks continue to climb, companies have powerful incentives to prioritize investments in cybersecurity. According to the 2021 ISACA (Information Systems Audit and Control Association) State of Cybersecurity Report, just 37% of professionals in the field say their organizations’ cybersecurity platforms are appropriately funded, while 57% say these platforms are underfunded.
A Gartner survey of almost 2,000 CIOs found that 61% are planning to increase investments in cybersecurity, making it their top spending category. Global spending on information security and risk management technology is projected to surpass $150 billion this year, a 12.4% increase over 2020. And it isn’t just the private sector making investments in cybersecurity – U.S. government spending on cybersecurity was already increasing before the $1 billion included in the infrastructure bill.
When companies dedicate resources to cybersecurity, they’re reducing the risk that they’ll incur higher costs in the future, as it’s much cheaper to prevent a cyberattack than to contain one. While some companies opt to purchase cyber insurance, the number of claims has exploded recently, which will likely lead to higher premiums (companies report that they’re concerned about coverage limits and cost). Rachel Wilson, the managing director and head of cybersecurity for Morgan Stanley, points out that companies found to be in breach of their insurance contracts (by not having the right cybersecurity protocols in place, for instance) often won’t receive any insurance payouts.
The best form of cyber insurance is a robust cybersecurity platform that emphasizes employee education and engagement. As a McKinsey report puts it: “Given that more than 80% of enterprise cybersecurity incidents begin with a human clicking on malware, regular training tailored to key roles is essential to reduce the risks…” No matter how you allocate your cybersecurity budget, it’s vital to adopt an evidence-based approach. This could mean tracking cyber incidents, using phishing tests to determine whether your employees are retaining what they learn, and assessing how cybersecurity initiatives perform at other companies. The most effective cybersecurity platforms catalyze cultural change at companies – when security awareness becomes a core part of your mission, your employees will make it a priority.
Prediction #5 — Companies Will Increasingly Focus on Remote Cybersecurity
The transition to remote work has been surprisingly smooth for most companies. A PwC survey found that 83% of employers say remote work has been successful for them, while 71% of employees say the same. COVID-19 has driven a dramatic shift in expectations among employees: three-quarters of hybrid or remote knowledge workers say they want more flexibility. These are the reasons why remote work is here to stay.
Despite all the advantages of remote work, it presents significant cybersecurity challenges. Recall what we learned from the HP report: remote employees have been engaging in risky behaviors, and companies have seen attacks increase, with 54% saying there have been more phishing attacks and 56% observing an increase in “web browser-related infections.” Three-quarters of employees say remote work has blended their personal and professional lives. As noted above, they’re often using unsanctioned devices, allowing non-employees to use their work devices, and so on. At the same time, 71% of employees report that they’re accessing a larger amount of company data more frequently than they did before the pandemic.
These problems would be serious enough if employees were just working from home, but many are now working from anywhere. Beyond device theft and infiltration, compromised public WiFi, and many other risks that come with working in public, it’s also difficult to maintain a culture of cybersecurity when employees are distributed. Now that remote work is a permanent feature of the modern workplace, companies have to be more proactive than ever about making security awareness a central part of their culture, educating employees on cybersecurity best practices, and ensuring that they have the digital tools they need to work safely from anywhere.
Read Zack’s original report on Toolbox for Security here.