2021 was a record-breaking year for cyberattacks, with more hacks and breaches recorded last year than in any year past. This record was set despite the federal government putting in place new cybersecurity standards to address the issue, and was exacerbated by the continued proliferation of remote work. In 2021, more U.S. workers than ever worked outside of an office, with a survey of U.S. businesses finding nearly 70% have permanently closed some or all of their office space. As a result, there has been a corresponding increase in threat vectors opening.
This year, we anticipate that there will be a continued rise in hacks and breaches and expect to see more organizations employing Zero Trust architecture and principles to combat the following threats.
Despite government intervention, supply chain exploits are here to stay
Both from a hardware and a software perspective, 2022 will likely see significant supply chain exploits. As the pandemic stretches on, more personal hardware that is used for remote work, such as laptops and wireless routers, may be running out of date firmware or use weak passwords, providing hackers easy access to an organization’s network.
Meanwhile, the Log4j vulnerability reminded the world about the security risks of open-source software.
The “Software Bill of Materials” (SBOM) mandate in May’s executive order was a good start to increase visibility and prevent these types of attacks, but vulnerabilities and gaps remain. Contractors that work with federal agencies are subject to complicated guidelines and they will likely struggle to accurately and consistently submit certifications that show all of their software components are safe and defect free. One miss could leave open a window for bad actors to strike. Additionally, while generating a SBOM for new software is relatively straightforward, this process is much more difficult for software that has already been installed. Vulnerabilities for existing software may pose unseen supply chain problems this year.
Cyber mercenaries will increasingly carry out thinly-veiled Nation State attacks
While supply chain issues will lurk in the back of the minds of many IT professionals this year, homeland security and defense organizations worry that nation states jockeying for power in cyberspace will carry out bolder, less subtle strikes. Over the last few years, attacks serving political and espionage purposes have gone from clandestine, to semi-publicized to borderline-brazen.
This year, several countries will likely continue to up their game and carry out more attacks, while increasingly leveraging cyber mercenaries to do their bidding, giving nation states some degree of thinly-veiled deniability. This increase could come sooner than later, with many experts predicting that the Ukraine-Russia conflict will serve as a flash point and could result in sustained cyber campaigns.
The United States government seems to agree, with the Department of Homeland Security warning that Russia may lash out at the U.S. in cyberspace.
Mergers & acquisitions will pose greater risks
In 2021, global mergers & acquisitions shattered records, with the value of transactions globally topping $5 trillion for the first time ever. During that period, countless hours were spent performing financial due diligence to help organizations fully understand every potential risk.
With another potential record year for M&A activity ahead, there is an increased risk of breaches and hacks . As organizations combine networks and data, they run the risk of inheriting hidden security issues. One of the most notable recent examples of the implications of not conducting thorough cybersecurity analysis during a merger was in 2017, when the price of Verizon’s acquisition of Yahoo plunged $350 million due to a data breach that affected the latter and that compromised over 1 billion customer accounts.
M&A deals can essentially be viewed as another vector for a supply chain attack, and as activity increases, security incidents will as well. In 2022, organizations need to give equal consideration to due diligence around cybersecurity or else run the risk of suffering damaging cyber security incidents.
Zero Trust will play a greater role, but may be the root of missteps
The Biden Administration’s recent executive order required federal organizations to quickly adopt Zero Trust architecture to prevent major breaches like those seen in the past two years. While the mandates in this order applied to government agencies, NIST 800-207 requirements are now trickling down to federal contractors, who are starting to see cybersecurity standards built into contract terms.
This is a positive development but also presents risk. If these contractors and other organizations do not put in the time and effort required to properly implement Zero Trust architecture and principles, they may end up with incomplete models that can be both ineffective and vulnerable. Some organizations are under the impression that Zero Trust just means multi-factor authentication, but they also need to focus on securing communications and your key resources.
This is not a simple task, and companies have to be prepared to take the time to build a substantive solution. If done correctly, Zero Trust will ensure their resources, including applications, data and services, will be protected by ensuring only approved users are able to access those resources.
While 2022 will see a continuation of the trends and threats that emerged last year, the government’s guidance on Zero Trust and supply chain reporting are encouraging. With a renewed commitment, hopefully we will see organizations public and private turn a corner and reduce the amount of incidents ahead.
Vice President of Threat Intel and Research
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.