When it comes to cybersecurity, there are typical predictions and then there are these unique ones below. Some even go beyond 2022 to paint a futuristic picture of what’s to come 5 years from now.
Let’s begin with Saket Modi, CEO and Co-Founder of Safe Security, a global pioneer in cybersecurity and digital business risk quantification, who offered the following 6 cybersecurity predictions for 2022.
1- The first phygital catastrophe is coming
A central mission-critical application will go down and create a ripple impact across businesses and for consumers around the world. For example, a hack on a major central system like an internet gateway, public cloud provider or a healthcare system will upend healthcare, deny businesses digital services, cancel flights, disrupt food and supplies, and more.
2- The consumerization of cyberattacks will rise for easier wins
The attack perimeter is becoming more personal, and the consumerization of attacks will rapidly increase. For example, the last iOS update alone had 11 zero-day attacks. Hackers will amplify attacks on mobile apps, since the steps consumers need to take to protect themselves have not increased in tandem.
3- Cybersecurity and data science fields will unite
Cybersecurity and data science have been disconnected fields but will come together to help organizations better understand and proactively protect against increasing threats. The fields will collide and continue to grow together out of necessity, as application creation and enterprise data continue to explode and dramatically expand the attack surface.
4- Cyber insurance will be mandated
In the next 12 months, in a similar manner to requiring everyone to have auto liability insurance, high-risk industries will be mandated to have a minimum level of cyber insurance. For example, companies may be required to have insurance to cover at least 2% of their annual turnover.
5- A healthcare cyber regulator will be established
Healthcare continues to be the most targeted and attacked vertical, putting consumers at risk. A healthcare regulator or governing body will be put in place soon to help strengthen the healthcare industry’s security and consumer protection.
6- More cybersecurity services will be sold by non-cyber companies
In the next 5 years, cell phone service providers and device manufacturers will embed cybersecurity as a service into their plans to help consumers manage their security. Businesses will purchase cybersecurity offerings within their IT plans to protect employees and infrastructure.
Gartner’s version of predictions
Sam Olyaei, Research Director at Gartner, said enterprises need to evolve their thinking, their philosophy, their programs, and their security architecture to meet today’s cybersecurity challenges.
He offered 8 strategic cybersecurity predictions from Gartner analysts:
1- Modern privacy laws to greatly expand
By the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population.
GDPR was the first major legislation for consumer privacy, but enterprises will be managing data protection legislation in various jurisdictions, and customers will want to know what kind of data is being collected and how it’s being used. Enterprises will need to focus on automating privacy management systems.
2- Financial impact of incidents to decline
By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%.
Cybersecurity mesh extends to cover identities outside the traditional security perimeter and creates a holistic view of the organization. It also helps improve security for remote work.
3- Cloud adoption will increase
Organizations are leaning into optimization and consolidation, and by 2024, enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) capabilities from the same vendor.
4- Cybersecurity risk to be main transactional factor
By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities. Increasingly, organizations look to cybersecurity risk during business deals, including mergers and acquisitions and vendor contracts.
5- Ransomware legislation to rise
The percentage of nation-states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30% by the end of 2025, compared to less than 1% in 2021.
While broader regulations may currently apply to ransomware payments, security experts should expect a more aggressive crackdown on payments.
6- Cybersecurity committees will be in place
By 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, with stricter oversight and scrutiny. This increases the visibility of cybersecurity risk across the organization and requires a new approach to board reporting.
7- Organizational resilience to be enforced
By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime, severe weather events, civil unrest and political instabilities.
8- Human casualties will result from cybercrime
By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties.
As malware spreads from IT to operational technology (OT), it shifts the conversation from business disruption to physical harm with liability likely ending with the CEO.
Mandiant, a leader in transformative expertise and frontline intelligence for security teams of all sizes, provided 3 key predictions for the coming years.
1- No honor among thieves
There will be increased conflict amongst Ransomware-as-a-Service actors throughout 2022, which may ultimately lead to bad outcomes for victims. Conflicts may occur when targets don’t pay, or if law enforcement disrupts threat actors’ ability to get paid. Conflicts may also occur when victim organizations do end up paying but a specific actor feels they didn’t get paid enough or that they’re not getting their fair share.
In the next 12 months, Mandiant expects to see many situations where victims will pay $1 million or more to keep their stolen data from being published. In some of these situations, some or all of that data may be published by one of the actors in the operation because of conflict. The more this happens, the more it’s going to affect the way organizations think about making ransom payments.
2- Deep fakes
State-sponsored and financially motivated actors have demonstrated growing interest in deep fake technology. Mandiant observed posts and advertisements about deepfake technology in underground Russian and English language criminal forums throughout 2020 and 2021. Users on these underground forums advertised customized deepfake videos and images, as well as training for users to create their own manipulated media. Deepfake audio has facilitated business email compromise (BEC) type fraud schemes.
Open sources highlight how threat actors have used manipulated media to bypass multi-factor authentication (MFA) security protocols and Know Your Customer (KYC) identity verification measures.
Mandiant anticipates that as deepfake technology becomes more widely available in 2022 and beyond, criminal and espionage actors will increasingly integrate manipulated media into their operations to make social engineering more convincing, easily tailor content to specific targets and defeat some automated identity verification systems.
3- Insecure IoT devices
In the coming years, Mandiant expects to see continued growth of Internet of Things (IoT) devices, many of which will be inexpensive and created without real consideration given to security. The number of vulnerabilities they introduce, in both software and hardware, will make it hard for bug hunters to keep up. Because all these devices are connected, we’ll see the general attack surface expand with the potential for serious impact. Unfortunately, there hasn’t been enough emphasis on security in fundamental IoT device design to fix these issues.