Every year hackers grow in numbers, aggressiveness, organization, and sophistication. And every year there are new attack types and new areas of IT infrastructure that cybercriminals target. 2022 is no different. We are about a third of the way in already and IT pros and security specialists already have their hands full with new attacks and new issues.
Gartner advises IT pros of all ilks to be on guard. “Organizations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise—all while dealing with a shortage of skilled security staff,” argued the Insight giants in Gartner Identifies Top Security and Risk Management Trends for 2022.
Here are eight things security experts advise you to be on alert for.
1. Russian Cyber Attacks
Earlier this year, Goldman Sachs economists warned of potential attacks from Russian cybercriminals particularly targeting energy, financial services, and transportation in the US. These attacks could not only cause billions of dollars in infrastructural and economic damage, but they can also bring critical aspects of the economy and societal infrastructure to their knees.
These warnings actually happened before the invasion of Ukraine. Now, given that wrinkle, the threat of Russian attacks against U.S. infrastructure has multiplied.
2. IoT, the Forgotten Security Concern
The internet of things (IoT) continues to be a network security issue, in part because there are so many of these devices, and because they are not fully understood and not all see them as part of the attack surface. “The vast and ever-growing network of online, connected devices encompassing everything from industrial machinery to connected cars and smart home appliances. It’s predicted that there will be over 27 billion of these devices by 2025, creating an unprecedented number of opportunities for cyber-criminals,” argued Forbes in its article The Biggest Cyber Security Risks in 2022.
3. Ransomware Ugly Head Rears Higher
Ransomware certainly is not new. What is new is that it's getting worse, more widespread, increasingly devious, and dangerous.
In fact, Experian believes that AI will drive smarter and more insidious ransomware attacks.
Meanwhile Cybernews.com, in its Top Cybersecurity Threats of 2022 Report, argues it is not always a good idea to pay off the ransomware creeps. “There has been much debate over the effectiveness of paying a ransom between pundits. While many insurance companies opt for paying, experts suggest that such decision does not only fuel cybercrime, but also doesn’t guarantee the return of data,” the site advised.
Instead, stop ransomware from happening, or have ways of protecting the data so even if it is encrypted, there are current backups that are not frozen or corrupt. “It is like a burglar going through the neighborhood—they are not going to attack a house that probably has bars on the windows as much as the one that looks like a much easier target to penetrate,” Jack O'Meara from Guidehouse told CyberNews.
4. Attack Automation and Fraud-as-a-Service
With so many attacks it certainly appears that hackers never sleep. And indeed they don't—at least, their attacks never take a snooze. More and more attacks are automated and various attack styles are available for download or even as a service. One area credit services firm Experian is interested in is fraud-as-a-service. Here, threat actors monetize their fraudulent exploits by turning them into a cloud service that cybercriminals can simply subscribe to.
These can even include AI-style features such as voice bots which impersonate businesses and embark on social engineering exploits in robotic fashion. “The boom in this type of threat created additional issues, as it minimized the number of skills needed from a malicious actor to conduct criminal activity,” Experian cautioned.
With automated attacks and hacking as a service, criminals need virtually no skills at all in order to wreak real havoc.
Experian believes that this year “a large portion of fraudulent transactions will be submitted by legitimate consumers who are being socially engineered to not only provide data, but to use their own devices to submit what they believe are legitimate transactions,” the Experian 7 Fraud Trends and Predictions for 2022 blog warned.
5. Your Attack Surface is Growing
As your network expands and applications and devices increase, your attack surface likewise grows. “Enterprise attack surfaces are expanding. Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets,” argued Gartner Identifies Top Security and Risk Management Trends for 2022.
6. More People are Now Security Decision Makers
We've talked about the burgeoning complexity of your network and all the applications and devices it hosts. In the meantime, we've seen business units take more control over their IT decisions, often acquiring solutions and managing them themselves. Not only are the attacks surfaces growing but there are very specific attack surfaces that IT does not necessarily understand.
That has led to a fairly radical decentralization and security-based decision making, Gartner argues. “Enterprise cybersecurity needs and expectations are maturing, and executives require more agile security amidst an expanding attack surface. Thus, the scope, scale and complexity of digital business makes it necessary to distribute cybersecurity decisions, responsibility, and accountability across the organization units and away from a centralized function,” the research house said.
This has also changed the role of the CISO to a higher level and more strategic post. “The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Peter Firstbrook, a Gartner research vice president. “By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations. CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.”
7. Hybrid Work a Hacker Field Day
The COVID pandemic created a radical shift to remote and hybrid work creating unique and serious challenges for its security professionals. Many of these remote or hybrid devices are not managed by it, and of course they connect to it from outside of the network. This not only expands the attack surface, but many of these devices and the networks they use to connect have little or no protection.
“Threat actors could start to target the homes and personal networks of top executives or even government officials, as these networks are easier to compromise than traditional enterprise environments,” argued Security Magazine in its 4 Cybersecurity Threats That Organizations Should Prepare for in 2022 blog.
Phishing is more prevalent and dangerous in hybrid work scenarios. “The line between personal and professional has been blurred, with employees using home devices for work or corporate devices for personal tasks. This will continue, and it’s likely there will be an increase in phishing attacks targeting both corporate and personal email accounts, doubling attackers’ chances of a successful attack,” Security Magazine argued.
8. Be Prepared
Forbes interviewed Equifax CISO Jamil Farshchi who should know a thing or two about breaches. After all, Equifax was hit with one of the world’s largest breaches in 2017. A whopping 148 million Americans had their data compromised, including their names, home addresses, dates of birth, phone numbers, and social security and driver’s license numbers. In short, everything a hacker needs for identity theft.
Like the growing threat of Russian state or state-inspired hacks, the Equifax breach was blamed on the Chinese military.
For Farshchi, preparedness is key. "If you've been through the steps to prepare, you can adapt in your muscle memory and respond. I grew up in Iowa—we get a lot of tornados there … and you practice and prepare for them. Then fast forward to college, when I was there, and there were tornados all over the place. When you looked around, you could tell which [classmates] had grown up in the Midwest and which hadn’t … they knew what to do,” Farshchi said in the Forbes article The Biggest Cyber Security Risks in 2022. “I was in a different circumstance—I wasn’t back in Iowa, but I knew how to respond, and I think the same thing applies here. If organizations go through the steps and they practice with their board and executives, then when bad things happen … you’re able to lean in and solve them in a very rapid fashion.”