Five cyber trends and predictions for 2022 and beyond
The cyber security landscape is rapidly evolving, and business leaders must adapt in order to effectively manage these changes.
Over the past 18 months, the industry has experienced a rise in ransomware attacks, increased cyber insurance premiums, and regulatory changes. As we move into the new year, Jamie Smith, Head of Cyber Security at international cyber consultancy S-RM, provides five predictions for what business leaders can expect in 2022 and beyond.
1) Increasing focus on cyber security budgets
Cyber budgets seem to have stagnated at a time when the cost of cybercrime and the frequency of attacks are increasing at an alarming rate. Recent S-RM research, carried out by Vanson Bourne, revealed that 50% of organisations either ‘hit pause’ or decreased their spend on cyber security during the pandemic. Following this lack of growth in cyber budgets, IT leaders are now planning to increase their cyber budgets by an average of 8.4% over the next twelve months.
However, with inflation running high, it remains to be seen whether this modest increase in budgets will be enough to make up for ground lost during the pandemic. Many business and IT decision makers also struggle to deploy cyber security investment in the right places: our research indicates that 41% feel their organisation needs a better understanding of how to prioritise areas for cyber investment.
With cyberattacks becoming more frequent and sophisticated, the onus is now on business leaders to commit to strategic investment in cyber security. This is the only way they can reliably reduce cyber risk and minimise the financial and reputational damage caused by incidents.
2) More scrutiny on ransom payments
One result of the higher volume of ransomware attacks and their increased impact over the past 18 months is that the US government, and supporting law enforcement agencies, have become more active in combatting ransomware groups. In addition to several offensive cyber operations in 2021 targeting known criminal groups, lawmakers are beginning to grapple with how best to regulate the issue.
One proposal gathering momentum in the US is a legislative ban on paying ransoms to threat actors, which it is hoped will limit revenue for ransomware gangs and consequently reduce their capabilities and, ultimately, the threat they pose.
One effective and increasingly used method in the fight against ransomware is sanctions. Several ransomware groups and their associated cryptocurrency wallets are listed as sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) and we expect more to be added to this list over the coming year.
For the first time, OFAC has also sanctioned a cryptocurrency exchange for facilitating ransomware payments. These measures, and others like them, serve as a significant deterrent to victims contemplating paying a ransom: victims must now ensure they have undertaken comprehensive due diligence on threat actors making demands before making ransom payments to ensure they are not falling foul of OFAC rules.
We also expect to see more cyber insurance firms remove coverage of ransom payments from their policies over the coming year. This should disincentivise ransomware groups from making payment demands, and also help the cyber insurance market reduce losses experienced in this area in recent years.
3) Supply chain attacks the number one threat
Organisations are increasingly reliant on third-party ‘managed service providers’ (MSPs) to service their IT requirements. Ransomware is a volume business, and for threat actors looking to exert maximal impact with minimal effort, breaching one third-party IT or software provider represents an opportunity to impact the hundreds or even thousands of that victim’s clients – and their clients’ clients, and so on – all at once.
In the last 12 months, major breaches at two large US software providers have epitomised how supply chain attacks enable threat actors to penetrate even sophisticated organisations’ systems, and to strike a broad swathe of victims at once. The successful compromise of US network monitoring firm SolarWinds, which became public in late 2020, enabled threat actors to breach a host of US government agencies and at least one high-profile cybersecurity company.
Some months later, the July 2021 attack on US software provider Kaseya further exemplified this ‘multiplier effect’. Kaseya reported that the attack had affected only a few dozen of its direct clients, but that small percentage included some 35 MSPs, among whose own clientele up to 1,500 small and medium enterprises across the globe were infected with ransomware.
As the advantages of this approach become apparent to more threat actors, and as organisations become increasingly dependent on an ecosystem of different interlocking service providers, we expect to see an increase in supply chain attacks. Companies wishing to mitigate their exposure to third party risk will need to apply scrutiny to vendors, ideally including robust cyber due diligence at the start of relationships and regular monitoring of all third parties.
Nevertheless, the organisations that are best prepared for a supply chain attack will be those that operate on the basis that, regrettably, the risk of breaches through third-party vulnerabilities can never be satisfactorily mitigated, and that have robust incident response plans in place to respond when they do occur.
4) Increased focus on remote work security
Our own research suggests that we are unlikely to see a return to ‘full office’ working in the short term; indeed, companies told us they are expecting 51% of their workforce to work from home for the next 12 months.
While this shift to hybrid working models has triggered 95% of companies to change their cyber incident response plans either in part or completely, hybrid working remains the top-ranking concern for cyber decision makers, 42% of whom grapple with the tension between keeping the wider business running smoothly and staying on top of cyber security priorities.
The Covid-19 pandemic normalised home working and saw professionals investing heavily in home office kit and faster broadband. While this has been good news for meeting platforms and delivery companies, it has also been great news for threat actors, as organisations’ attack surfaces have extended beyond the confines of the office building into a myriad of poorly secured home networks, each supporting dozens of devices bringing their own vulnerabilities to the table.
The explosion of ‘internet of things’ devices, where dishwashers, lightbulbs and doorbells may all be connected with minimal security to a high-bandwidth home network, further opens the door to exploitation. An environment where colleagues rarely meet in person and carry out the majority of communications via chat platforms also presents opportunities to socially engineer workers into unwittingly divulging passwords or other key details to threat actors.
Over the next year, we will likely start to see new technologies and security solutions that assist companies in managing the remote working security dilemma without intruding on employees’ privacy at home.
5) Cyber insurance market continues to harden
Throughout 2019 and 2020, most organisations were able to obtain cyber insurance with relative ease and at relatively low cost, as the insurance market saw intense competition for customers. As cyber incidents have increased and insurers have experienced significant losses, however, this dynamic has changed.
Insurance firms are not as willing to underwrite the risks associated with cyber security as they once were, and we expect premiums to increase and the cyber insurance market to continue to ‘harden’ throughout 2022. According to our research, 50% of IT leaders said their organisation had a cyber security strategy, but had not been able to fully implement it. Organisations such as these with an immature cyber security posture may find it increasingly difficult to obtain cyber insurance.
Alongside higher insurance premiums, we anticipate that the increasing frequency of cyber attacks may mean that some insurance firms turn to co-insurance models, where the insured and insurer agree to share costs of claims. For example, some insurers may decide to only cover those costs required to recover from a cyber incident (or a portion thereof), but may not reimburse insureds for ransom payments as many have been doing to date.
In any event, the changes to the market make it clear that cyber threats can no longer be managed by simply ‘transferring’ risk to an insurer. Prevention and cyber preparedness will become ever more important in 2022 and beyond, as organisations are forced to take more responsibility for their own security.