By Michael Aminzade, VP of Consulting Advisory Services at Viking Cloud
There is an ongoing battle in the cyber world between criminals with malicious intent and cybersecurity experts attempting to stop them. This conflict has gone on for a long time and has only grown more frequent as the years have gone by. The reason can be chalked up to how the cybersecurity landscape has changed over the last few years: partly a natural evolution of technology, and partly the worldwide pandemic that substantially shifted the dynamics of the workplace.
As many organizations shifted their focus to changing approaches to work and new expectations from customers, the risks created by cybercrime began to be treated as a low priority. This is a problem, because the first half of 2021 saw a 93% increase in cybercrime compared to the first half of 2020, and it is entirely possible we will see a similar increase this year as well. Cybercrime is on the rise, and companies can’t afford to treat it as though it isn’t.
This isn’t a matter of negligence on the part of decision-makers, however; rather, the landscape is shifting so much that it is hard to keep track. There are so many factors to consider that it can be overwhelming for anyone not already in the know. With that in mind, where should companies be focusing their cybersecurity efforts, and what support do they have for this, both from regulators and from third parties?
Corporations vs. governments: who is more under threat?
Last year we saw a ransomware attack on the Colonial Pipeline in the US which left the public on the west coast struggling to get petrol and fuel. This attack showed that the targets and victims of ransomware are not just corporations with a lot of money to pay out, but the public as well. These types of attacks will only increase, because our global infrastructure is more reliant on technology than ever before, which introduces new vulnerabilities. Taking a step back and looking at the wider picture shows that the Internet of Things (IoT) is being used to connect cities and landscapes, making society dependent on this technology. This has created more high-profile targets for hackers and blurred the line between corporate and government-focused disruptions.
That said, attacks against corporations will continue to be the norm. Depending on the organization, the effects of an attack may cross over into the government space (as with attacks against healthcare), but the focus for the vast majority of hackers is to earn money, not to cause worldwide panic. Cybercriminals are very mindful of direct attacks on a country’s government, and if they do decide to attack, it will almost certainly be at the local level, as it is easier to manage and makes less of a scene.
The important takeaway, however, is that the threat against governments exists because hackers have the capability to carry it out, and these same state-level attacks can also be applied to a corporation. There has been a mindset in the corporate world of not expecting state-level attacks on their organization. This needs to change, as it can leave your business unprepared and ultimately lead to a situation where the risk and cost of managing a cyberattack, ransomware attack or data compromise are higher than the cost of protecting your organization from them in the first place.
The 2022 working environment has changed
The last two years have been tarnished by the COVID-19 pandemic. To survive these turbulent times, organizations had to adapt, and not just to changes in cyberattacks. The pivot to working from home for many businesses came with concerns, but the proof has been in the pudding for the many businesses that have prevailed in spite of COVID, showing that it is possible for employees to work from home and still deliver. Whether a company allows working from home to continue long term will influence the digital security of its network.
The obvious issue with working from home is that it introduces several more entry points into a network. Even if employees have company-mandated laptops and phones kept up to date with the best digital security software, the home network an employee uses will naturally have their own personal devices connected to it. Smart TVs, personal smart devices and even home computers won’t be covered by a business’s vulnerability management solution, making them a potential route for hackers to get onto the network.
While this might suggest that the better option is to force employees back into the office to reduce security risks, doing so has its own consequences and produces other forms of security risk. An employee might prefer working from home, and being forced back into the office could lead to several social engineering issues. A lack of motivation to work leads to a lack of tact and care, which hackers can exploit. In the most extreme cases, it may even lead to an employee becoming an insider threat.
There are still a lot of challenges in this space that need tackling, and we will see that throughout 2022. Training employees about the risks that working from home brings to both the business and their own personal data is a good start. Another tactic is to limit the number of third parties that come into contact with your data without any contractual obligation to keep it safe. There are multiple ways to achieve this; encryption, access controls and virtual desktops are just a few examples.
A less immediate action an organization can take (but one that will surely help) is a shift in focus to how data is handled. Rather than concentrating on what is trying to enter the network (especially on networks you don’t control and manage directly), a company should focus on limiting what can leave those networks. This can be done by introducing different network tiers and controls, with a mapping of what data is allowed to move between tiers. This forms the beginning of a third-party trust model. Limiting employee access to key data within the business on a “need to know” basis will also be a key part of that trust model. The shift won’t be an easy one, but in my opinion it is a concept that needs to be adopted as part of a larger security program.
Regulators will help by being firmer
As cybersecurity evolves, on the side of both those protecting and those attacking businesses, the standard expected for acceptable security rises. Regulators around the world are constantly re-evaluating compliance laws and security standards, and 2022 will be no different. We already know of several new standards being introduced this year that will change the state of cybersecurity.
This year’s big new standard for payments is PCI 4.0. Due to be released in Q1 2022, its adoption timeframe for companies to become compliant will extend into 2024. However, businesses will find they should become compliant sooner rather than later, because other compliance standards are being retired following the introduction of 4.0, such as PCI DSS 3.2.1 in January 2024.
While new standards are always beneficial, as in theory they ensure the best digital security is in force, one thing I’ve heard a lot from my customers is that businesses want to see a big push towards consolidating cyber and compliance programs. One of the biggest hurdles in ensuring compliance is not the fines but audit fatigue, where an organization has to spend a lot of time and resources on assessments and audits from multiple companies. These audit programs consume a great deal of an organization’s resources throughout the annual cycle. Having a single company handle it all, or combining multiple audits within the same cycle, can give organizations a more efficient compliance cycle and more time for their staff to support business goals instead of being 100% focussed on external regulatory requirements.
Over the last two years, regulators have been somewhat lax about enforcing fines for data breaches and lack of compliance because of the pandemic. This was done out of consideration for the situation many companies found themselves in, but the world is now returning to the normal standard. So in 2022 organizations can expect regulators to return to a pre-pandemic approach to enforcement, especially regarding fines. It will be key for organizations to work more closely with regulators as the world settles into a post-pandemic “new normal”.
In 2022, the cybersecurity world will no doubt see several changes, both good and bad. To stay on top of these shifts in the landscape, the industry will need to work together, partnering with external cybersecurity experts to handle compliance, regulation and vulnerability management, and to train employees in the best cybersecurity practices.
The cybersecurity landscape is tough to navigate, but understanding what changes are coming and how cybercriminals are now attacking will make your business better prepared to defend itself from that next inevitable attack.
Michael Aminzade has over 20 years of experience in the cybersecurity, governance, risk and compliance (GRC) industry. He is a highly professional, experienced, self-motivated and committed industry leader who specialises in achieving business goals with high levels of team and client satisfaction. He has a demonstrable track record of success as well as excellent communication and interpersonal skills, and is able to work at all levels of a business with ease. Identifying and developing strategic business partnerships within the cyber and GRC landscapes has enabled Michael to develop industry-leading capabilities and service offerings for his clients.