The past two years have seen unprecedented pandemic-related disruption for organizations. Many were forced to make hasty digital investments to support mass remote working and new ways of doing business. While essential, these plans also unwittingly expanded the corporate attack surface in many cases. Threat actors were quick to take advantage. Now that we’re heading into the third year of living with COVID-19, organizations are looking to build security into digital transformation from the start, to better manage risk.
There’s just one challenge: the bad guys are also adapting to the new reality. Here are some potential trends to watch out for in the threat landscape in 2022.
Business email compromise (BEC) gets a leg-up with AI
BEC is the highest-grossing cybercrime type, according to the FBI. In 2020, it netted attackers nearly $1.9 billion. Yet many organizations are getting better at spotting and mitigating the threat, for example by evolving their business processes to double- or triple-check any large wire transfer request. That’s the right way to go, especially as threat actors will get better at impersonating suppliers, CEOs and others to trick staff into making those payments.
They’ll do this by hijacking the email accounts of those making the requests, of course. But AI-powered deepfake technology will also become more popular. This enables attackers to mimic the voice of those requesting the transfer over the phone. It’s already been used in several big-name cases, including a $35 million heist last year targeting a UAE bank.
Skills shortages drive public cloud misconfiguration
We all know the scale of the security skills crisis gripping the globe. The latest estimates are that a further 2.7 million infosecurity professionals are needed to plug the workforce gap, including 199,000 in Europe and 33,000 in the UK. This will have long-term implications well beyond 2022. But it’s particularly important as organizations continue to build out their public cloud infrastructure to drive innovation, process efficiency and cost savings.
Total public cloud spending in 2022 is expected to soar 20% year-over-year to top $397 billion. But without enough in-house talent to manage this infrastructure, organizations will be exposed to misconfigurations. According to one report, configuration errors across apps, databases, and security policy were the cause of two-thirds of breached cloud environments between Q2 2020 and Q2 2021. Expect much more of the same in 2022, unless organizations put in place continuous, automated policy compliance tools.
Industrial networks at risk as COVID-19 drives connectivity
Manufacturers were hit hard by the pandemic as supply chains buckled under unprecedented pressure. Utilities have also come under increasing scrutiny as energy prices soared over the past year. Both these sectors, and others, are prodigious users of operational technology (OT). Owners of industrial facilities are increasingly looking to add connectivity to such systems in order to improve manageability, reduce costs, and enhance productivity in the face of pandemic and other pressures.
There’s just one problem: When that happens, they also open up legacy systems to remote attack. The past year saw multiple examples of what happens when OT and IT converge without proper care paid to security. In August, 14 vulnerabilities were discovered in a TCP/IP stack, which could lead to remote code execution, denial of service, information theft, and more. CISOs in these sectors must find more intelligent ways of patching bugs, without impacting performance and uptime, while putting additional controls like firewalls and micro-segmentation in place.
Ransomware actors try different things to get results
Double extortion and data theft are now part and parcel of the majority of ransomware attacks. But as insurers increasingly require policyholders to improve baseline security, threat actors will seek new ways to compromise their systems and data in 2022. Supply chain attacks of the sort we saw against Kaseya will become more popular — so if your organization supplies multiple customers with digital services, take note.
As organizations improve email security and fix holes in their RDP and VPN infrastructure, threat actors will look for unusual ways to gain entry. These could include SharePoint, OneDrive, Google Drive, and Docs. We’ve seen novel phishing campaigns already targeting these SaaS platforms. Expect more. Organizations need visibility and control to find and protect sensitive data and detect advanced malware.
Zero Trust comes of age thanks to U.S. government
Much has been made of President Biden’s executive order on cybersecurity, issued back in May 2021. The order was broadly welcomed by security experts, and one of its more eye-catching proposals was to mandate Zero Trust across federal government. In 2022, we’ll see a beneficial trickle-down effect, from federal government and suppliers to the wider private sector. Boardrooms will increasingly realize that, when done right, Zero Trust can create significant competitive advantage.
However, the devil is in the detail. To stand the best chance of success, CISOs must understand that no single product can provide a silver bullet solution for Zero Trust. They should view it as a journey, rather than a destination. But it’s a journey they may be able to start right now with existing security solutions like host-based firewalls, micro-segmentation, data loss prevention, role-based access controls, and more.
This is far from an exhaustive list. The key to optimizing cybersecurity efforts over the coming 12 months will be adaptability and resilience.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.