No one could have predicted the sheer chaos the cybersecurity industry would experience over the course of 2021. Record-annihilating numbers of ransomware attacks, SolarWinds’ supply-chain havoc and most recently, the discovery of Log4j by…Minecraft gamers. All of it would have sounded too wild for real life a short year ago.
Yet here we are.
Predictions about the year ahead seem audacious considering the last 12 months, so instead, Threatpost talked to industry experts and developed this list of the five top trends to watch in 2022.
There Will Be Growing Government Interest, Influence in Cybersecurity
SolarWinds, the Colonial Pipeline attack, spyware and privacy concerns have grabbed the attention of global governments, and experts widely agree the year ahead will be chock full of new regulations and investments.
In the months leading up to the 2020 elections, governments were focused on the spread of disinformation to influence election outcomes, but other urgent national security demands emerged in the wake of massive cyberattacks on critical infrastructure. These immediate cyberthreats will continue to dominate government focus throughout 2022, researchers predicted.
Jonathan Reiber, former chief strategy officer for cyber-policy for the office of the Secretary of Defense during the Obama administration, and now current senior director of cybersecurity strategy and policy at AttackIQ, explained that the federal government is currently working to identify where it can most effectively deploy resources to shore up defenses against cyberattacks.
“A year after the SolarWinds intrusion and approaching the one-year anniversary of the Colonial Pipeline ransomware attack, the country is focused on improving cybersecurity for high-priority critical infrastructure,” Reiber said. “At the national level, this includes identifying which organizations require the most federal cybersecurity support.”
Congress will likely focus on national security risk analysis, Reiber added.
“Trends indicate that the national prioritization discussion in Congress will take on the form of macro-level catastrophic risk analysis for managing top-tier risks to the country,” he added. “Building on earlier analysis of companies across the United States that could present a strategic risk to the country if disrupted (known as the “Section 9″ list), Congress will deliberate about how the federal government can help manage systemic cybersecurity risks to the U.S. economy and society, to include mission-critical functions in key sectors like healthcare, elections and energy.”
He added that discussions about the appropriate role and authority that the Cybersecurity and Infrastructure Security Agency (CISA) should maintain will likewise be taken up by Congress in 2022.
In response to the May 2021 Biden Administration Executive Order, Reiber anticipates recommendations for zero-trust architectures to be deployed and operational across high-value government asserts during the first half of 2022.
“As the federal government adopts the practice, more private organizations will follow suit, building higher walls around high-value assets,” Reider said.
Both state and national laws protecting consumer privacy are expected in 2022 by Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP).
“The trendlines for privacy that formed in 2021 will accelerate and will bring new risks and complexity for organizations,” Hughes explained. “More national laws will be passed. More state laws will be passed. More (and heftier) enforcement will occur.”
The trade-off for business is that privacy protections will be something that end users are more concerned about.
“Companies will continue to leverage privacy to build trust and engage customers, but will also weaponize their differentiation against laggard competitors in privacy,” Hughes added.
Social-Engineering Endures
People are still gonna people in 2022 and they’re still, largely, going to do the easiest thing, regardless of its impact to the organization’s security posture. And that’s something cybercriminals will continue to count on to make their social-engineering scams work.
“Social engineering will continue to work pretty dang well,” Stairwell’s Mike Wiacek said about 2022. “Social engineering is one of the most difficult security issues to address because no compliance, governance or risk-management action can address the fact that people are imperfect and susceptible to being duped.”
Over the course of their workday, otherwise serious people can be incredibly careless and that’s not likely to change anytime soon.
“Did John really pick up a USB flash drive in the parking lot and plug it into his corporate workstation? Did Sally just click on a link in an email for a free Rolex?” Wiacek mused. “Cybersecurity is a problem for which everyone is responsible, but few comprehend how much harm their individual actions may cause.”
In addition to widely recommended user training, Wiacek suggested cybersecurity professionals change their internal communications approach in 2022.
“Security teams need to engage with their coworkers directly and be easily accessible,” Wiacek said. “Most security teams have a reputation for saying ‘no.’ They need to have a reputation for saying ‘yes’ instead. Building a strong security culture requires relationships, trust and strong passion for customer experience — even if that customer is John in accounting.”
Jason Hoenich, vice president of service delivery and security awareness at Arctic Wolf, agreed that security teams can do more to help sway employees to their cause.
“Instead, try meeting users where they are,” Heonich recommended. “Understand that an average workday for most involves tons of emails, meetings, presentations, soccer practices, commutes and that we’re all just doing our best, and sometimes, amidst all of that multitasking, we’ll make some mistakes.”
He added rather than the old, tired “gamification” approach to awareness training, a message that can be digested in small bites, more like social media, is a more effective approach.
“Getting folks the tips and guidance they need in a familiar medium, like humorous videos, is a great first step to building trust with your coworkers,” Heonich said. “Anything you put in front of them should look and feel just like the content they’re choosing to consume on apps like Facebook, TikTok, Instagram, YouTube, etc. Great production, humor and storytelling go a long way to engage users and build credibility for the security team.”
Supply Chain is the New Ransomware
This year, the industry will start to shift the way it looks at ransomware, realizing it’s not the ransomware itself that’s the problem, it’s the entry point, Ian McShane, field CTO at Arctic Wolf explained to Threatpost.
“We will shift from a greater focus on what to do after the attack and focus on how to predict and protect the first line of attack, using data science to model scenarios that can highlight the potential weaknesses in the supply chain,” McShane said. “This will only come in tandem with greater transparency and disclosure.”
And the number of supply-chain ransomware attacks isn’t likely to abate over the next 12 months either, according to Deepen Desai, CISO and vice president of security research and operations at Zscaler.
“Supply-chain ransomware is a particular concern due to the ability for a single breach to impact hundreds or thousands of end companies,” Desai told Threatpost. “Tech companies experienced a 2,300 percent increase in attacks in 2021, and we don’t foresee any relief in 2022.”
McShane also recommended that the industry do a better job at embracing disclosures.
“We will also need to decriminalize and destigmatize the ‘scarlet letter’ that comes with disclosure,” McShane said. “Rewarding users for proper security behavior and giving them more visibility into how incidents are handled will encourage them to be more security-conscious.”
It’s those everyday users who most regularly interact with common supply-chain attack vectors.
“The fact is simply using email is a supply-chain concern,” he added. “As we look toward a more secure future, things like email security, Microsoft’s operating system and cloud collaboration tools – the modern supply chain – must be a focus for security teams and awareness training.”
Email will be increasingly targeted in 2022 with targeted, high-quality spear-phishing attempts, and will require a change in defense tactics, according to Troy Gill, senior manager of threat intelligence with Zix | App River.
“Spear-phishing attacks, which involve cybercriminals personalizing emails to fit a smaller group of individuals than traditional tactics, and appear more authentic, are not going anywhere,” Gill said in an email to Threatpost. “As the rise in personalized phishing gives way to new customization tactics in 2022, organizations will respond by prioritizing building more specificity into their email defenses.”
Ransomware-as-a-Service Actors Pivoting to SMBs, Prospering
Ransomware-as-a-service (RaaS) has helped make digital extortion a booming business, and 2022 is likely to be another banner year for ransomware threat actors.
“In 2022, the RaaS model will see continued growth as it has proven to be an incredibly efficient vehicle for maximizing profits,” Gill said. “While the growth trajectory is staying the same, the primary target of ransomware attacks will not. Government involvement in defense of critical infrastructure will motivate ransomware groups to target small and medium-sized businesses (SMBs) to draw less attention than larger, high-profile targets.”
One clear emerging trend is the rise in cybersecurity inequity between the Fortune 500 companies and SMBs. It’s something Arctic Wolf’s McShane calls the “haves and the have-nots.”
“It’s become abundantly clear that cyberattackers don’t discriminate based on the size of their targets,” McShane said. “Small businesses and mid-market enterprises have proven to be just as lucrative for things like ransomware attacks.”
With government and big companies pouring cash into cybersecurity, underfunded and understaffed SMBs are prime targets for ransomware groups.
Cybersecurity Industry Needs Better Coordination in 2022
Over the past year, threat groups have shown they have the resilience to come together to solve problems with greater coordination. Cybersecurity? Not so much.
“As we have seen with the evolution of malware-as-a-service and phishing-as-a-service, threat actors are willing to join forces for mutual success,” Gill explained.
For instance, he pointed out after Emotet was taken down by law enforcement in January, TrickBot stepped up to help and “began re-seeding Emotet infections to get them back into operation.”
Even cybercrime competitors understand the benefits of a robust ransomware market capable to refining their tools and generating noise to hide behind, Gill added.
“That is why in 2022, we will see cybercriminals form even more robust working relationships to facilitate their continued success,” Gill said.
When it comes to the cybersecurity community, there is more work to be done to shore up the entire ecosystem, according to Ian McShane. That means larger companies sharing tools and talent with SMBs without resources to protect themselves alone, among other actions.
“The industry needs to work to democratize security, particularly as the talent gap and retention continue to stretch teams thin,” McShane added. “Digital transformation and technology expansion has created a massive opportunity for attackers and securing the entire supply chain is the only way to protect all of us.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.