With the COVID-19 pandemic continuing to put businesses and society at risk, Andy Robertson, Head of Enterprise & Cyber Security, at Fujitsu UK&I, has laid out his top five predictions for 2022…
In these unprecedented times, organisations have needed to vastly adapt their security processes to the new ways of working and living. But just because the current security defences are able to withstand attackers now, that doesn’t mean cyber criminals won’t strike again in the future. Cyber criminals are always developing unique tactics to find and exploit new weaknesses.
As the UK still faces the COVID-19 pandemic, businesses are facing a hacking epidemic. For example, The National Cyber Security Centre’s (NCSC) 2021 annual review found that there were three times as many ransomware attacks in the first quarter of 2021 than in the whole of 2019. Current remote working practices have significantly changed the securitylandscape, but the need to keep everything connected and secure hasn’t changed. Businesses need to focus on embedding revised security measures right from the start so that their employees can keep operating securely, wherever they are in the world.
As we enter the third year, where the pandemic continues to impact organisations, here are my top five predictions cyber security in the coming 12 months…
- Trust will be maintained by Zero Trust Architecture in the hybrid working world
2020 and the early part of 2021 were all about remote working. Moving into 2022, I expect to see more organisations embrace and establish hybrid working as the norm. New data from Glint reveals that 87% of employees would prefer to stay remote at least half of the time, even after it was safe to return to their workplace.
As organisations adapt to different working patterns and locations, this fairly new hybrid working approach introduces new security risks. A login from a remote location late at night – once considered suspicious – is now a much more common occurrence as hybrid workers balance work and life priorities.
To help reduce the risks and the burden of monitoring those risks, organisations should consider implementing a Zero Trust approach. It’s a remarkably simple concept. Businesses must assume that there will be a breach, that anything can be compromised, and that no-one is really who they say they are or is acting responsibly. This does not mean you don’t trust your employees, partners, suppliers, or customers – as people. It’s actually about knowing who they are, what they are doing, what technology they are using, and what level of authorisation they have for each thing they do, every time they do it, wherever they are doing it.
This means that data, systems, and equipment are treated equally and securely. It doesn’t matter where they are located, in your network or outside it. Nothing is trusted until you know it can be trusted.
- IT and OT cyber security will both be the CISOs concern
In 2022, Operational Technology (OT) cyber security will be recognised as being as important as IT security for assuring business continuity. The number of large-scale attacks on OTs has grown in volume in 2021 – with 83% of critical infrastructure companies experiencing breaches in the last three years. I expect to see this continue in 2022 as cyber criminals seek to further exploit these potentially vulnerable systems that control critical processes – making them lucrative targets.
IT and OT cyber security will become a greater concern for the CISO as they seek to reduce overall risks for their organisation. The good news is that satisfying the new end-to-end cyber security paradigm brings benefits beyond pure risk mitigation. The cyber security measures an organisation deploys will become a key quality characteristic, which organisations will be required to demonstrate in order to be admitted to digitised supply chains.
CISOs will need to give the same attention to their OT security as they do IT to gain all of these benefits.
- True Business Continuity will require greater levels of collaboration and real-time insights
The COVID-19 pandemic reached an unprecedented scale and longevity that rippled through the way organisations operate, communicate, and safeguard against future disruptions. And these weren’t the only factors testing organisations’ continuity plans in the last 2 years. Society also simultaneously experienced civil unrest, wildfires, and hurricanes. This exposed weaknesses in organisations and demonstrated how historically siloed approaches to resiliency put organisations in grave danger. For instance, ransomware hackers targeted three US water facilities in 2021, which is concerning against the backdrop of droughts.
No one had a plan robust enough for 2020. It also prompted volatile and unpredictable market conditions. The pandemic not only demonstrated the interdependence of multiple areas of risk but showed organisations they must be vigilant about all disciplines simultaneously and holistically.
As we move into 2022, I expect to see more uncertainty and volatility that will stretch continuity plans. Organisations that want to build resilience and stability should bring together multiple disciplines such as business continuity, IT continuity/Disaster Recovery, risk management and procurement (supply chain) to collaborate on wider-reaching plans that facilitate real-time decision-making based on data instead of historic trends.
I also expect to see industries collaborating and regulators taking a greater interest in resilience across critical industries. A primary example of this is the operational resilience directive, released by the UK’s financial regulatory bodies, the Financial Conduct Authority (FCA), in partnership with Prudential Regulation Authority (PRA) and the Bank of England (BoE). This directive comes into effect in March 2022 for implementation, with full compliance being required in March 2025.
- The strongest form of defence… will come from being attacked
To build organisational resilience against a rising tide of cyber threats in 2022, organisations will have to learn to think like cyber criminals. Cyber criminals are on the offensive and will always look for ways to exploit any weakness they find, without any regard for law and ethics. They rely on exploiting complacency and organisations focusing on agility at the expense of security.
One of the most critical vulnerabilities to watch out for in the years to come is the open source software Log4j. This vulnerability is currently leading to the compromise of systems and data and will continue to do so in 2022. Attackers will iterate on and develop exploits to target this vulnerability and deploy ransomware and bitcoin miners to successfully compromise systems. Log4j will likely be a target of further scrutiny by attackers and vulnerability researchers looking to identify other weaknesses within the logging utility.
To build the right defences, organisations must learn how to think like a cyber-hacker so that they can close down any gaps that could be exploited. Organisations should embrace attack simulations and wargaming, with a trusted security partner. That way, it will help them set up realistic scenarios, run them, and then learn from the results. A wargame is the simplest and best way to find gaps in your defences. What you learn in action strengthens your ability to avoid needing to take serious action in the future.
Working with security service providers that can deliver Breach & Attack Simulation services helps test the vulnerabilities and see how effective an organisation’s security posture is and where it needs to be strengthened, or even changed completely.
- Turning the tide on security alert fatigue
Covid has added to the urgency of many businesses’ migration to the cloud and boosted consumer adoption of cloud services, and that’s set to continue for a long time. One estimate predicts that the cloud computing market size will reach $1.2 trillion by 2028. Increased cloud consumption has been accompanied by an equally rapid increase in the number of threats and alerts from across those platforms.
Inevitably, in 2022 we will see more security alerts which will exacerbate the problem of ‘alert fatigue’ where IT security teams can become overwhelmed and miss the signs of a significant attack. The continuing skills shortage in the cyber industry combined with this fatigue means the organisations will need to think differently and provide greater incentive to explore the use of security automation solutions that can prioritise alerts and even enact pre-defined responses to reduce the burden for security professionals.