Ransomware, identity theft, and leaked information have been in the news more than ever lately as cyberattacks have risen. In 2021, the number of publicly reported breaches in the first quarter alone exceeded the total number of IT security incidents that took place in 2020, according to the Identity Theft Resource Center (ITRC).
With that in mind, it’s important to proactively prepare for the IT security trends companies will face in 2022.
Why should physical security pros worry about cyber risk?
Many companies consider IT security separate from physical security. They are often handled by different departments and those departments may not report to the same leaders in the organization.
That’s a mistake; physical security and cyber security are deeply and intrinsically related — especially now that technology is a part of almost every aspect of our lives. The cyberattacks in 2021 had deeply-felt physical repercussions as fuel and beef supply chains ground to a halt and government agencies were hacked by state actors. As long as we continue to see physical risk and IT risk as different, companies leave themselves vulnerable to the places where those risks intersect.
Even if physical security and cyber security are handled by different teams at your organization, they should see each other as partners when planning to handle the risks of 2022.
Need help with your security plan? Contact us now for a demo.
Emerging trends in the IT security industry
Ransomware is malware — or malicious software — that holds an organization’s information, systems, data or networks for ransom. It does this by blocking access to data, either by encrypting the data or by locking a system.The attackers then demand a ransom for the encryption key. If the ransom isn’t paid, you don’t get your data back, and some attackers will threaten to publish proprietary information on the public internet.
Many of the biggest attacks of the last year were ransomware-related, and a recent report from Verizon found that ransomware played a role in 10% of all data breaches in 2021, a sharp rise from 2021. From the Colonial Pipeline attacks in May to the Accellion breach in early 2021 that led to more than 100 organizations that were clients of Accellion being attacked, ransomware has been a popular way for criminals to make quick money off hacks and breaches.
Ransomware attacks are unlikely to stop in 2022; unfortunately criminals have found that this sort of crime pays. Despite warnings from authorities not to pay the ransom, many attacks in 2021 ended with ransom payments, including the Colonial Pipeline attack. There may soon be better guidelines when it comes to ransomware, however. Some of this may even happen in the next year; Gartner predicts that by 2025, 30% of counties will pass legislation regulating ransomware payments, fines and negotiations.
2. Data privacy regulations are likely to change
2022 is likely to see several new data privacy laws introduced or debated; Gartner predicts that by the end of 2023, privacy laws will cover the personal information of 75% of the world’s population, so much of the work of creating those laws is likely to happen in 2022.
There are already a few such laws in place. The European Union’s General Data Protection Regulation (GDPR) became the first of its kind in 2018, when it went into effect. More recently, California passed the California Consumer Privacy Act (CCPA) and Brazil passed the General Personal Data Protection Law (LGPD).
Data protection laws are good news for consumers, but compliance may be tricky for businesses — especially those not in highly-regulated industries. Businesses that haven’t had to worry about data protection previously will need to upgrade their processes and privacy to stay in compliance.
3. Get ready for Zero Trust Security
The Zero Trust Security Model is picking up steam in the cybersecurity industry. Zero Trust is an approach to IT security that allows organizations to restrict access controls to networks, applications, and environments. All connections — even if they were verified in the past, must be-reverified.
Previously, the IT security field subscribed to the mantra “trust, but verify.” The fact that so many organizations are using cloud services and contractors has made the Zero Trust mantra “never trust, always verify.” Zero Trust has so far been effective in reducing data breaches and their costs; according to Ponemon, companies that had taken a Zero Trust approach to security reduced breach costs by $1.76 million. Forrester reports that five governments will adopt Zero Trust in 2022.
4. All suppliers should be vetted
You do background checks on your new hires. You should also complete background checks on vendors, because they are often an attractive target for hackers, who can potentially gain access to many companies by breaching one. Take the Accellion hack in late 2020 and early 2021. Accellion discovered a weakness in their older File Transfer Appliance service, which was used by many companies. While the company did attempt to remedy the weakness, criminals used the vulnerability to hack more than 100 organizations. Not all the organizations were Accellion clients — some were clients of Accellion’s clients.
Vendor hacks are common. ITRC found that 31 reported attacks on third parties and suppliers affected 60 entities in the first three quarters of 2021 alone. That trend is unlikely to stop unless companies begin vetting digital suppliers.
5. The hybrid workforce will be a target for cybercrime
The hybrid workforce is here to stay and cybercriminals are more than willing to take advantage of workers who are happily working from home, outside of the protection of a corporate firewall. According to the Ponemon Institute, remote workers were targets for hackers in 2021 and it cost companies — the cost of a data breach was about 1.07 million higher when remote work was involved in the breach. In addition, organizations with more than 50% of their workforce working remotely took 58 days longer to find and contain breaches than those with 50% or less working remotely.
If your company is taking advantage of the benefits of remote or hybrid work, it’s important to make sure those workers’ set-ups at home are just as secure as the ones used in the office.
6. SIM Card swaps
Not all cybercrime happens online. SIM card swaps are crimes that combine physical security and IT security. Criminals snatch unattended devices, swap their SIM card with a malicious SIM card and take over the device routing the victim’s incoming calls and text messages to a different phone. Using SIM card swaps, criminals are often able to obtain access to a victim’s various personal accounts, including email accounts, bank accounts, and cryptocurrency accounts, as well as any other accounts that use two-factor authentication. This can be particularly devastating if a company phone or table is compromised.
SIM card fraud has become increasingly common since companies have been requiring two factor authentication, and is likely to increase in the next year.
7. People will always be the weakest link
According to Verizon’s most recent data breach report, 85% of breaches in 2021 involved a human element. This can mean a variety of things: employees who made a mistake that allows a cyberattack, malicious insiders, or a company falling victim to a social engineering attack like phishing. In fact, Verizon found that social engineering played a role in more than 35% of all breaches in 2021. Given that phishing is often a delivery system for ransomware, social engineering attacks – essentially, tricking employees into responding to messages from criminals pretending to be someone else — are probably here to stay.
That said, there are ways you can prevent your people from being scammed into giving up credentials, access, or clicking a link that will compromise your company. Training is the first line of defense against recognizing a phishing scam or making a server configuration error that might expose sensitive data. The second line of defense is testing your people — an IT team that periodically sends out test phishing emails will be able to see which of your employees are most likely to click on a bad link and who needs more training. Another line of defense against phishing scams is a good email filter. It won’t catch the most sophisticated scams, but it will weed out common phishing attacks before an employee can see or click on them.
Ready to create a plan for IT security? Talk to us now about assessing your security.