Businesses need to be on their guard for an escalation of cyberattacks. Palo Alto Networks’ chief security officer Greg Day predicts what 2022 will bring on the cybersecurity front.
The crippling ransomware attack on the HSE in May 2021 attracted a lot of attention but also highlighted that these attacks happen all the time and that many businesses have had to pay hackers to allow them to access their own systems.
In other words, the prevalence of cyberattacks is often brushed under the carpet by firms to protect their reputations.
“As organisations shift to support new, digitally enabled working models, to accommodate the shifting work environments, it’s increasingly important to ensure that their assets and traffic to those assets are secure”
Knowledge is power and by sharing and opening up the conversation on cybersecurity businesses can fight back.
If 2021 was anything to go by, 2022 will bring with it the onslaught of a whole slew of new threats and dangers from hackers and scammers.
In recent days alone, the National Cyber Security Centre (NCSC) has advised organisations to urgently assess their web servers for exposure to a new vulnerability, and to take measures to address the risk of compromise.
With office workers back working at home, the opportunities for hackers to hit businesses have increased substantially, Palo Alto Networks’ country manager Paul Donegan warned recently.
Working in cybersecurity for three decades, and as an adviser to Europol on cybersecurity, Greg Day, vice-president and chief security officer (EMEA) at Palo Alto Networks has identified a number of predictions to keep a close eye on as we head into the new year.
Ransomware problem evolves on multiple levels – make sure not to get blindsided
Through 2021, the EMEA region has seen an increase in cyberattacks, and ransomware attacks in particular have risen in prominence. The Unit 42 Threat Report, 1H 2021 Update found that the average ransom demand increased by 518% and the average ransom paid climbed by 82% from 2020. Part of the evolution is that how ransomware functions will continue to change as we fight back collectively through communities such as nomoreransom.org, and as nations lean in further to shut down groups and their campaigns, as well as looking at how they can interrupt or intercept the money flow.
“Data is money, both for legitimate business and also criminals, we can only expect to see criminals become more focused in data analysis and how to expand their ways to monetise it”
One side effect of this evolution is that the term “ransomware” now has an almost intangible meaning: conversations become confused when one person sees it as traditional ransomware compromising a local device or user, while another sees it as structural elements and infrastructure being compromised before it even reaches our internal landscapes. As a result, CISOs need to train and educate their executives and peers across the business on the different types of attacks, why they are important, what the different business impacts are and how to strategically build tailored approaches to best detect and respond.
Give me my data back!
Ransomware continues to broaden its scope: not only removing access to data but analysing it and looking at how to maximise revenue streams, for example by reselling it to third parties.
Data is money, both for legitimate business and for criminals, so we can only expect criminals to become more focused on data analysis and on expanding the ways they monetise it. It is therefore likely we are going to see businesses, and to a lesser degree individuals, hunting for where their data has been resold and challenging those who have obtained it to delete their copies.
Additionally, data acquired through theft has the potential to find its way back into more genuine circles through supply chains. As a result, businesses will have to take even more care in choosing the organisations they work with, to guarantee that the data they are leveraging hasn’t been acquired nefariously. This could see the boom of a new industry of virtual data detectives, and we are sure it will become a challenge for the enforcement of data privacy laws worldwide to establish whether copies of data have been legitimately acquired or not.
Data privacy: globalisation v localisation
In 2021 we continued to see the division of cloud infrastructure and rules along geopolitical lines (Whose data can reside in which countries? How do you move data between geographical zones where sensitivities exist?), as countries or regions look to secure local industry and guarantee the sanctity of their citizens’ data. This is only going to increase. The Gaia-X project in Europe is an example of the regional desire for control over what is quickly becoming critical infrastructure.
Cybersecurity teams are having to grow their legal expertise as a result of more complex use of the cloud and the added security controls that come with it. This is reminiscent of the 1990s and issues such as grayware or potentially unwanted programs (PUPs); the concern then was that we would need more lawyers for security than actual security experts. Today, the question is whether an organisation’s legal division and/or Governance, Risk and Compliance team ends up being larger than its cybersecurity team as it tries to deal with the numerous cloud sovereignty issues it will come up against. This is only going to get more complicated as we move further to SaaS and cloud.
2022 – Passwords will be deleted
Gartner predicts that by 2022 90% of mid-sized and 60% of global enterprises will shift toward passwordless authentication methods. Every business is currently dealing with an explosion in the number of sets of credentials each user has, and each new set of credentials brings its own risk. With collaboration, SaaS and cloud adoption skyrocketing due to the new flexible ways of working, we will see attacks focus in two directions.
Firstly, the obvious targeting of these new credential systems. This can come down to poor user management: are weak passwords being used? Is the same password being reused across systems?
Secondly, there will be a focus on the backend systems. Whilst many have been using AD, RADIUS and other authentication processes for years, many of the new SaaS tools each have their own credential management processes, which, being nascent, can be more prone to exploitation. Moving forward we will continue to see password authentication slowly being replaced, as companies try to remove their reliance on passwords. It all started with the iPhone, and we are now seeing a significant increase in the number of people and organisations using passwordless authentication such as Windows Hello.
The compromised home
Hybrid working is here to stay. Working-from-home enterprise employees are increasingly using a broader range of internet of things devices, both corporate and personal, to access enterprise applications from wherever they are working. So it is only natural that our home networks should become a target for cyber criminals, especially since controls on home networks are typically not nearly as strong as those on corporate networks.
“The lines between personal and work are becoming increasingly blurred and complex, and we are all becoming integration points in our own worlds, as a result”
Businesses had historically locked down laptops, USB ports, personal printers and many other things that would typically be blocked. However, to function in the hybrid working world users now need these capabilities, so security controls have had to be relaxed. This extends to shared family devices. Even when turned off for a short period of time, the business device is at risk from all the other systems connected to the same network, many of which have probably never been patched and most of which are still using their default admin passwords, if they had one, that is!
The good news is that awareness around this topic is increasing across the EMEA region, with leaders feeling more confident than ever when it comes to having full visibility of the IoT devices on their organisation’s business network: 70% were completely confident in 2021 versus 58% in 2020, as highlighted in our 2021 IoT Security Report “The Connected Enterprise”.
Cybersecurity education needs to evolve with new work lifestyles
As we become a more connected society, we must also think about how we give cyber education greater longevity in such an agile digital world. This means moving away from the risk du jour (“don’t click on this”, “don’t open that”) towards fundamentally good design and utilisation principles. For example, how many now work from their own homes? What happens if you let someone else use your work device, just for a minute? Or what happens if you need to do some work and you can’t use your work device?
The lines between personal and work are becoming increasingly blurred and complex, and we are all becoming integration points in our own worlds as a result. From grass roots to late technology adopters, we have to start thinking of every person as a digital innovation point. Let’s ask ourselves: what are the core principles of good information sharing, both in our personal and professional lives? Today, most education focuses on what should and shouldn’t be done, for example clicking on a questionable link, opening phishing emails, sharing your password. These are now 10-15-year-old lessons: valuable, yes, but they don’t align with the new ways of working.
Cyber hygiene: Will it get worse before it gets better?
So much has changed so fast in business IT. Evolution is not slowing down, and the inconsistency of security capabilities, especially in cloud and SaaS, is challenging businesses where everyone is now a CIO.
While DevSecOps is still maturing, lacks industry standards and has no established industry “best practice”, CISOs still need to switch from a tactical approach to thinking strategically (the bigger picture), or risk being in a lot of trouble by the time the standards do arrive.
Getting buy-in from executives and key stakeholders on a solid cybersecurity approach for the business is an important part of this strategic mind shift. As policies continue to take shape and regulations fall into practice, organisations must work from the ground up by laying a solid foundation of good cyber hygiene and best practices.
Shedding the cyber safety blanket
The digital world has evolved so much in recent years, and the expectations of cyber security teams have never been greater. More threats and more business processes to secure go hand in hand with more cyber security capabilities.
The challenge: businesses are typically less tolerant of downtime and outages as their dependencies on digital systems grow. This is the cyber time paradox: more with less. As our cyber security world evolves, it is time to embrace that mantra in a different way. The only way we can do more is to have less legacy.
For every new capability required, the security team should look to relinquish two. The challenge is that we are human, and we become emotionally attached to things that have had a material impact on our lives. Most security people can attest: “this capability saved my bacon”. The problem is that our world is evolving at pace! As a result, we have to continually reassess the value of legacy security controls, and be willing to let go faster of what “saved our bacon” in the past and has since been superseded by smarter, better capabilities.
This has never been more key than now, as cloud services provide evergreen capabilities. How can security teams have the time to look at the incremental new cyber security technology provided as part of the service, or keep pace with the changing scope of a service, if they are restricted by a legacy world that continues to grow unabated?
Zero trust enterprise becomes the security standard
As organisations shift to support new, digitally enabled working models, to accommodate the shifting work environments, it’s increasingly important to ensure that their assets and traffic to those assets are secure. Zero Trust Enterprise is an approach to risk reduction based on the concept of “never trust, always verify.”
It spans everything: users, applications and infrastructure. Zero Trust is about applying the relevant identity, device/workload access or transactional controls to verify and limit the risks to the business. But doing this with disparate point solutions will only create complexity and security gaps. It will be imperative that organisations choose an interoperable ecosystem of security providers aligned on the company’s security goals.
While many businesses will get Zero Trust wrong, the ones that embrace a Zero Trust Enterprise Ecosystem approach will get it right. We live in an instant-gratification world, so we can expect some to look for a quick-fix Zero Trust solution, which will only reinforce that many simply haven’t understood that Zero Trust is a strategy, not a product or a project.