A cybersecurity year in review: Five things we learned from 2022
In a lot of ways, 2022 has been very much like many of the past five or so years. CVEs published to the National Vulnerability Database are on track for another record year in terms of volume. Ransomware actors have been as audacious as ever, with the extra frisson of geopolitical conflict in the mix. And organizations continued to struggle as threat actors took advantage of new working patterns normalized during the pandemic.
There are many ways to slice and dice 2022. But here are my top five standout trends – and most importantly, the takeaways that organizations can use to enhance corporate security for 2023.
1. Ransomware is going nowhere, even if governments ban payments
Ransomware attempts may have dipped slightly from a record-breaking 2021, but that still equates to hundreds of millions of attacks in the year through October. Moreover, year-on-year volumes increased in the UK (20%) and EMEA (38%) during that period. As long as the ransomware-as-a-service (RaaS) model continues to generate profits, and affiliates and developers remain sheltered by hostile states, it’s difficult to see an end to it. Some Australian politicians have suggested banning payments to the criminal groups behind attacks. But in reality, that would simply send reporting underground – and may even incentivize attacks on critical service providers.
2. Insider threats need tackling as Gen Z-ers flood the workplace
Many of us still don’t take the threat from inside our organization seriously enough. Usually, it’s down to negligence rather than intentional malice. But that doesn’t mean it’s without impact. One estimate claims it costs over $15 million to remediate insider incidents annually. More concerning still is the fact that younger workers look more likely to take risks with company data – such as failing to apply updates on time, reusing passwords across professional and personal accounts, and taking personal device security more seriously than corporate device protection.
Hybrid working will accentuate these trends as workers have more latitude to follow their own rules on security at home. Policies will need to be rewritten to align with this new reality, underpinned with the right technologies and user education. From multifactor authentication (MFA) to Zero Trust and secure access service edge (SASE) deployments, security controls must be both powerful and virtually friction-free.
3. Web apps and APIs are a persistent but under-reported threat
Ransomware and state-sponsored attacks undoubtedly garnered the most column inches this year. But that’s not to say these were the only threats facing corporations. Less sexy but just as important are application and cloud security. Exploitation of web app vulnerabilities such as SQL injection is a favorite of hackers, potentially providing a direct route to lucrative customer and employee data. And as APIs become an increasingly important part of digital transformation, they’ll gain favor with threat actors looking to hijack accounts, steal data, and more.
A report out this year revealed that 95% of organizations experienced an API security incident over the previous 12 months, with 12% suffering over 500 attacks per month on average. It’s time to get serious about securing this part of the digital environment.
4. Breaches can be an existential challenge for SMEs
Just how damaging can security breaches be to organizations? It’s not always an easy question to answer, especially as many firms don’t like to disclose too much about incidents for fear of alienating customers, investors, and partners. But global insurer Hiscox said this year that as many as a fifth of firms from the U.S. and European countries have come close to bankruptcy due to historical attacks. Most ranked cyber as their number one business threat, and admitted that remote work had made their organization more vulnerable.
Although the research didn’t evaluate these firms by size, it stands to reason that those with fewer resources may be more exposed to existential risk stemming from ransomware and other attacks. Once again, there’s no silver bullet answer to this – it’s all about building up layers of protection and user awareness according to industry best practices.
5. Deepfakes are going to supercharge business email compromise (BEC)
Innovation is happening all the time on the cybercrime underground. We see it frequently in the continuous cat-and-mouse game between the anti-phishing industry and the threat actor community. Another place it has begun to push through is in BEC attacks. The FBI warned this year of attempts to combine BEC techniques with deepfake technology and video conferencing software.
Deepfake audio has already been used to devastating effect to trick victims into making large fund transfers to fraudsters. If the technology becomes cheap and convincing enough, video fakes distributed via Zoom calls could arguably cause even more chaos. Tackling it will require a blend of better-trained people, improved processes for signing off on wire transfers, and AI-powered tools to spot and block deepfakes.
As economic headwinds gather this coming year, it will become absolutely vital for IT leaders in smaller firms to protect their security budgets – and use them wisely.