On the Cyber Horizon
This blog was originally published by KPMG on December 16, 2021.
Written by David Ferbrache, KPMG.
As 2021 draws to a close, we see a world still challenged by COVID-19, necessitating new business models, new channels and a shift (perhaps for the long term) to remote and hybrid working. But one thing seems enduring: the ruthless exploitation of our digital society by organized cybercrime. So, looking to 2022, I offer seven cyber security predictions.
1. Ransomware is endemic — and demands a strategic response
Ransomware has become endemic. Criminal groups are growing more sophisticated in their extortion tactics, automating the encryption of systems, the destruction of online backups and the blackmail of organizations with the threat of data release. Insurers are looking to reduce their portfolio risk given the rising cost of ransom payments, governments treat cybercrime as a national security threat, and regulators impose sanctions on criminal groups and require banks to track and report ransomware payments.
2022 will bring more examples of ransomware groups exploiting supply chain and cloud service weaknesses. It will also bring more aggressive action by the national security community to take down and disrupt the infrastructure these groups use, including tracking and blocking the use of cryptocurrencies for cashing out. The debate on whether ransom payments should be made illegal will continue, along with frustration over countries that provide safe havens to such groups.
2. Digital worlds fail in surprising ways
The impact of ransomware on organizations is getting the board’s attention and has fed a broader debate on operational resilience.
Expect to hear the word “resilience” a lot in 2022 as organizations realize that they need to prepare for the worst — and work through the practicalities of how they would deal with a major ransomware (or other technology disruption) event. Response and recovery will get more attention. The Digital Operational Resilience Act (DORA) and the second Network and Information Systems Directive (NIS2) will hit the streets in Europe as regulators focus on the resilience of a very different world of digital infrastructure, and on the systemic risks that come with that dependency. We will also see digital infrastructure fail in surprising ways, exposing links and dependencies between systems that we didn’t know existed.
3. Geopolitical tensions will play out in cyberspace
The world seems a complex place, with many political tensions and polarized opinions. These will play out in cyberspace as nations exert increasing control over “their” cyberspace, over the information that flows through it, and even over how opinion and narrative are expressed.
2022 will see those issues come to a head. Privacy legislation will continue to reach the statute books, creating an increasingly complex global web of regulation and extra-territorial obligations. The debates on liability and on the scope for class action and group litigation will continue, and with regulators less willing to relax as the economic impact of COVID-19 recedes, there will be headline-grabbing fines to come.
We will also see more aggressive cyber-attacks by nation-states around political flashpoints, whether they are disputed borders in the real world or disputed narratives in cyberspace. Those virtual confrontations will trigger consequences in the real world — diplomatic and trade-related.
4. Security has changed — but we may not have noticed
The shift to hybrid working accelerated the transition to cloud services during 2021. With that change has come a very different IT environment: home working, bring-your-own-device, split tunneling of traffic and DevOps processes. Conventional perimeter-based security models are becoming obsolete, and talk has turned to zero trust, cloud access security brokers (CASB) and secure access service edge (SASE).
2022 is the year when the debate moves from the theoretical and aspirational to a necessity, as organizations realize their existing security models no longer match this new environment, leaving them increasingly blind and unprotected. The shift in security model will demand new skills, new solutions and new vendor relationships. The ripples will be felt in the market, with winners and losers among cyber security firms.
5. Supply chain security isn’t an afterthought
So often, third-party assurance descends into a compliance tick-box exercise, even though the bulk of the IT environment now resides outside company buildings and data centers. The growth of SaaS, PaaS and IaaS has changed the IT environment beyond recognition. 2021 saw two supply chain attacks that gave the community pause for thought, and we will see more in 2022 as organized crime realizes that supply chain attacks can scale to hit hundreds or thousands of victims.
Managed service and cloud providers will receive greater regulatory attention as they are increasingly regarded as part of our critical digital infrastructure. Third-party risk scoring services will continue to mature but will still offer only a partial view of risk. Discussions on containing and limiting the impact of a software or service compromise will ramp up. The whole area of third-party risk demands more attention.
6. Time matters, more than ever
The time to exploit systems is decreasing rapidly, with ransomware now triggered just a few days after the initial compromise as attackers turn to automated tooling to accelerate their exploitation of compromised systems. Defenders are also exploring security orchestration and automated response, although they are constrained by the complexity of their IT environments and by the consequences of over-reacting to a potential security event.
2022 will see security orchestration and automated response move from an optional efficiency improvement to a required and critical response to a rapidly changing threat. That response will need to extend beyond internal networks to community-wide action that disrupts criminal infrastructure, as active defense programs piloted in the public sector extend a protective umbrella over private sector critical infrastructure.
7. Emerging technology, emerging regulatory challenges
2022 will see the first wave of regulation around the use of artificial intelligence and machine learning systems, including action to outlaw the most extreme uses of AI to manipulate human behavior, to govern high-risk applications and to regulate direct interactions between AI systems and people. This is just one aspect of the increasingly complex nexus between technology and society, which also brings in robotics, autonomous and embedded systems and even deep fakes.
Our world is changing, crime is changing, and our approach to cyber security must evolve as well. Let’s help protect this new world together. Being a community matters more than ever.