Top 8 Cybersecurity and Privacy Trends in 2022
2022 is poised to bring multifaceted challenges in cybersecurity, compliance and privacy, while delivering record cash flow and profits to cybercriminals.
1. Personal liability of directors and executives for data breaches
In June 2021, the Swiss Supreme Court held that company directors can be personally liable to their company for monetary damages caused by an erroneous transfer of funds triggered by a combined social engineering and phishing attack. Common law jurisdictions follow the same trend: the Australian government, for instance, is considering holding directors accountable for preventable data breaches. Likewise, the US Department of Justice has launched a Civil Cyber-Fraud Initiative that uses the federal False Claims Act against government contractors and grant recipients that knowingly misrepresent their cybersecurity practices or fail to report breaches. Whistleblowers are expressly encouraged to report cybersecurity deficiencies or concealed data breaches at their companies in exchange for monetary rewards. As a result, companies and their executives may face severe civil liability and even criminal prosecution. This is consistent with the FTC's unambiguous warning that a board has a duty to maintain an adequate cybersecurity program at its company.
2. Turbulence and spiraling crisis on the global cyber insurance market
The ongoing surge of ransomware and supply chain attacks has triggered rapid growth of cyber insurance premiums around the globe. Some insurers, such as AIG, announced premium increases of at least 40% globally, while others, such as AXA, stopped covering ransomware payments altogether in some regions. The average cover has dropped from 10 million USD to about one million, whereas a recent IBM report puts the average cost of a ransomware attack at 4.62 million USD. Would-be victims are therefore considerably underinsured, and companies about to purchase cyber insurance should read the policy closely for exclusions and exceptions, which have nearly doubled since January. Given that the updated OFAC advisory from the US Department of the Treasury expressly names cyber insurance companies among the entities that may violate US sanctions by paying or facilitating a ransom payment, we may expect that in the near future no policy will cover ransom payouts, leaving victims without recourse.
3. Uncontrollable attack surface with multicloud environment and containers
Gartner forecasts that annual spending on public cloud services will reach an unprecedented 397.5 billion USD in 2022. A multicloud architecture improves an organization's cyber resilience and the availability of business-critical applications, and containers and cloud-native applications increase the agility and speed of software development. These technologies, however, also bring a wide spectrum of new risks: keeping an inventory of IT assets and data in the cloud becomes an arduous task. Software developers often have little experience with DevOps security and accidentally expose cloud storage, unauthenticated serverless endpoints (FaaS) or container management systems to the Internet. Infrastructure-as-Code (IaC) amplifies the problem: a template with an insecure default is reproduced identically in every environment built from it. Over-permissive IAM policies open the door to cloud pivoting, where an intruder who compromises a single web application uses the role attached to it to take control of other systems, repositories and databases in the same cloud account. While organizations rush to migrate to the cloud without giving their employees adequate security training, we will see new spikes of cloud-related breaches and data leaks.
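The over-permissive IAM policy is the kind of misconfiguration a policy linter in the CI/CD pipeline catches before the role is deployed. The checker below is an added example, not ImmuniWeb's code or any cloud provider's tool: it walks the statements of an AWS-style policy document and flags wildcard actions, unscoped write actions, unscoped pivoting primitives (sts:AssumeRole, iam:PassRole and friends) and anonymous principals. The three policy documents are constructed for illustration, the account ID is the AWS documentation placeholder, and PIVOT_ACTIONS and READ_ONLY_PREFIXES are assumed starting lists a team would tune.

```python
"""Flag over-permissive AWS IAM policy statements before they reach the cloud.

Added example, not ImmuniWeb code. The policy documents below are constructed
for illustration (the account ID is the AWS documentation placeholder), and
PIVOT_ACTIONS / READ_ONLY_PREFIXES are assumed starting lists a team would tune.
"""
import json
from typing import Any, Dict, List

# Actions that let a compromised principal reach other roles or rewrite its own
# permissions: the usual cloud-pivoting primitives (assumed list, extend as needed).
PIVOT_ACTIONS = {
    "sts:assumerole", "iam:passrole", "iam:createpolicyversion",
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:putrolepolicy",
    "iam:putuserpolicy", "iam:createaccesskey", "iam:updateassumerolepolicy",
}

# Read-only verbs: "Resource": "*" with only these is noisy rather than dangerous.
READ_ONLY_PREFIXES = ("get", "list", "describe", "head")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_excessive_statements(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per risky Allow statement; an empty list means nothing flagged."""
    findings: List[str] = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid") or f"Statement[{idx}]"
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        star_resource = "*" in _as_list(st.get("Resource"))

        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        service_wild = [a for a in actions if a.endswith(":*") and a != "*"]
        if service_wild:
            findings.append(f"{sid}: service-wide wildcard actions {service_wild}")

        # Pivoting primitives are a problem when not scoped to a named role or user.
        pivots = sorted(PIVOT_ACTIONS.intersection(actions))
        if pivots and star_resource:
            findings.append(f"{sid}: pivoting primitives {pivots} on Resource '*'")

        # Any write-capable action (heuristic: verb is not read-only) on every resource.
        writes = [a for a in actions
                  if ":" in a and not a.endswith(":*")
                  and not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
        if star_resource and writes:
            findings.append(f"{sid}: write actions {writes} unscoped (Resource '*')")

        if _is_anonymous(st.get("Principal")) and "Condition" not in st:
            findings.append(f"{sid}: anonymous Principal '*' without Condition (public access)")
    return findings


# Constructed: the kind of role a web application is often given "to make it work".
EXCESSIVE_WEBAPP_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Storage", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}
  ]
}""")

# Constructed: the same needs, scoped to the one bucket and the one role the app uses.
LEAST_PRIVILEGE_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Uploads", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "PassTaskRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-task"}
  ]
}""")

# Constructed: a bucket policy that silently makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"}]
}""")

if __name__ == "__main__":
    for name, pol in [("excessive", EXCESSIVE_WEBAPP_ROLE),
                      ("least-privilege", LEAST_PRIVILEGE_ROLE),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, find_excessive_statements(pol) or ["clean"])
```

Run against the excessive role it reports the service-wide `s3:*`, the unscoped `iam:PassRole`/`sts:AssumeRole` pair (exactly what an attacker who owns the web application needs to hop to other roles) and the unscoped writes; the least-privilege variant passes clean, and the bucket policy is flagged for its anonymous principal. The verb heuristic is deliberately simple and will miss read actions that disclose secrets (for example `ssm:GetParameter` on `*`), so treat it as a first gate, not a substitute for reviewing what each role can actually reach.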
4. Sophisticated and stealthy supply chain attacks affecting all industries
Supply chain attacks are projected to grow by 400% in 2022, according to the European Union Agency for Cybersecurity (ENISA). After breaching a service provider, cyber mercenaries may stay dormant for years, waiting for a big fish to swim into their net. Once the breached IT vendor gains a wealthy or governmental client and access to its data, the attackers proceed to exfiltration. Small service providers are usually ill-equipped to detect well-planned intrusions, which often are never discovered. Not all supply chain attacks are, however, as elaborate as the notorious SolarWinds case. Countless small hacking groups spread backdoored open-source packages through public code repositories and package registries, compromising the countless applications that depend on them and delivering malware to their users. Such techniques can be highly productive even when technically trivial: typosquatting, for example, means registering a package, project or domain name that differs from a popular one by a single typo and waiting for inattentive software developers to use it. Without a comprehensive Third-Party Risk Management (TPRM) program, many more businesses will fall victim to snowballing supply chain attacks in 2022.
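Typosquatting is cheap to pull off and, because the defence is mechanical, cheap to detect as well. The script below is an added example, not ImmuniWeb's code or any package manager's feature: it checks every name in a requirements file against an approved package list, flagging names within one Damerau-Levenshtein edit of an approved name (a dropped letter, a transposed pair) and names that merely bolt a `python-` or `-py` affix onto one. KNOWN_PACKAGES is a constructed stand-in for the list of packages an organisation actually approves, SAMPLE_REQUIREMENTS is a constructed requirements file, and the affix lists are assumptions.

```python
"""Catch typosquatted dependency names before they are installed.

Added example, not ImmuniWeb code. KNOWN_PACKAGES is a constructed stand-in for
the list of packages an organisation actually approves, and SAMPLE_REQUIREMENTS
is a constructed requirements file; both are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

KNOWN_PACKAGES: List[str] = [
    "requests", "urllib3", "numpy", "pyyaml", "cryptography",
    "python-dateutil", "boto3", "django", "setuptools", "colorama",
]

# Affixes squatters bolt onto a real name ("python-pyyaml" for pyyaml): assumed lists.
SQUAT_PREFIXES = ("python-", "py-")
SQUAT_SUFFIXES = ("-python", "-py")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold, and treat runs of '-', '_' and '.' as one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so 'djagno' is 1 away from 'django'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def likely_target(name: str, known: List[str] = KNOWN_PACKAGES,
                  max_distance: int = 1) -> Optional[str]:
    """Return the approved package `name` most likely impersonates, or None when the
    name is itself approved or is not within `max_distance` edits of any approved name."""
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return None
    for prefix in SQUAT_PREFIXES:
        if n.startswith(prefix) and n[len(prefix):] in known_norm:
            return known_norm[n[len(prefix):]]
    for suffix in SQUAT_SUFFIXES:
        if n.endswith(suffix) and n[:-len(suffix)] in known_norm:
            return known_norm[n[:-len(suffix)]]
    best, best_d = None, max_distance + 1
    for kn, original in known_norm.items():
        dist = damerau_levenshtein(n, kn)
        if dist < best_d:
            best, best_d = original, dist
    return best


def audit_requirements(text: str) -> Dict[str, str]:
    """Map each suspicious requirement name to the approved package it resembles."""
    suspicious: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not match:
            continue
        name = match.group(0)
        target = likely_target(name)
        if target:
            suspicious[name] = target
    return suspicious


# Constructed requirements file with three squats hidden among legitimate pins.
SAMPLE_REQUIREMENTS = """\
requests==2.26.0
urlib3>=1.26           # one 'l' dropped from urllib3
python-dateutil==2.8.2
numpy
djagno==3.2            # 'ng' transposed in django
python-pyyaml          # affix bolted onto pyyaml
# setuptools is pinned by the build image
"""

if __name__ == "__main__":
    for name, target in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name!r} looks like a typosquat of {target!r}")
```

The edit-distance rule will produce false positives for legitimately similar names, so the output is a review queue, not an automatic block. The stronger control is to make the allowlist the only source: install from a private mirror that proxies only approved packages, and pin with `pip install --require-hashes` so a lookalike name cannot satisfy the lockfile even if it reaches the registry.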
5. Unmanageable regulatory landscape and skyrocketing fines around the globe
The 72-hour window that GDPR allows for reporting a data breach will soon look like a luxury: under a rule issued by the Federal Deposit Insurance Corporation (FDIC) together with the other US federal banking regulators, US banks will be required to notify their regulator of significant cybersecurity incidents within 36 hours. While Amazon is battling in court to reduce a record 746 million EUR GDPR fine, the well-known EU law is no longer the only legislation keeping privacy officers awake at night. 2021 brought a plethora of new privacy legislation, including the LGPD in Brazil, POPIA in South Africa and several state laws in the US. Sanctions are also becoming significantly harsher: the South African counterpart of GDPR includes, among other penalties, imprisonment of up to 10 years for major privacy violations. The newly enacted Personal Information Protection Law (PIPL) in China applies extraterritorially like the European GDPR but carries higher penalties, of up to 5% of annual turnover. Even more data protection and privacy legislation is expected to come into force in 2022, making compliance and privacy management an extremely onerous task.
6. Targeted and persistent ransomware campaigns with unbeatable ROI
Thanks to pseudonymous cryptocurrencies and mixing services, the complexities of international law and underfunded law enforcement agencies, most ransomware kingpins enjoy impunity today. Cybercriminals have widely adopted double extortion: the ransom buys not only the decryption key but also a promise not to leak the stolen data on the Dark Web, which is how unsubmissive victims are punished. In 2021, experienced cyber gangs launched several underground marketplaces where anyone can buy sensitive data stolen from banks, hospitals and IT companies. The data is later re-sold and used in credential stuffing, spear phishing, Business Email Compromise (BEC) and so-called whaling campaigns. Other groups adopted fake extortion: they threaten an IT supplier with leaking customer data allegedly stolen through the supplier's fault, when in reality the supplier had nothing to do with the incident. Some suppliers will likely play along with this perfidious game to avoid negative publicity, loss of business and costly litigation. Unsurprisingly, the notorious Ryuk ransomware group alone is estimated to have earned over 150 million USD in less than a year, and 2022 will undoubtedly set a new grim record for ransomware profits.
7. Armor-piercing whaling attacks with AI and deepfakes
The human factor has been the weakest link in the cyber defense chain since Kevin Mitnick popularized modern social engineering. Modern AI techniques, such as deep learning, make human-targeted attacks highly efficient by convincingly imitating a person's voice, or voice and video together on a Zoom call. The World Economic Forum (WEF) estimates that the number of deepfake videos has been growing at an astonishing annual rate of 900%. Modern whaling attacks leverage deepfakes to fool finance and accounting teams into sending millions of dollars to offshore accounts from which the money will likely never be recovered. Deepfakes are also used to bypass out-of-band controls, for example when a bank manager must call the client to confirm a suspicious wire order. Inventive scams that impersonate technical support, for instance to extract MFA codes from users, will rely heavily on seamless fakes and fraudulent impersonation in 2022.
8. Creative use of cyber threat intelligence in litigation
Finally, we expect some creative use of cyber threat intelligence data in 2022. President Joe Biden's Executive Order 14028 on Improving the Nation's Cybersecurity expressly mentions the importance of sharing cyber threat intelligence between government agencies and the private sector to bolster overall resilience and preparedness against continuously evolving cyber attacks. Modern cyber threat intelligence varies widely, from unverified public threat feeds that generate useless noise and an avalanche of false positives to curated feeds served from governmental TAXII servers with highly restricted access. The more intrusion data is shared publicly, the more opportunity others have to scrutinize the TTPs (Tactics, Techniques and Procedures), the other shared data or its context, and infer details or events that the disclosing party did not intend to share with the community. For instance, aggressive law firms that bring class actions over large-scale data breaches may ferret out invaluable evidence about reportable security incidents and intrusions that, for one reason or another, were never disclosed. Be careful what you share in 2022.
Ilia Kolochenko, Chief Architect & CEO at ImmuniWeb, says: “Comprehensive visibility of your IT systems and data across cloud and on-premises environments remains vital to prevent data breaches and meet regulatory requirements. Properly implemented automation of security monitoring, patch and configuration management, as well as response to security incidents helps to offset the shortage of cybersecurity skills and keep your team busy with those tasks that truly deserve human time. Keep in mind, however, that automation, for example your CI/CD pipeline, also expands your attack surface and should be hardened and adequately protected.
Ongoing training of your security team remains essential to stay up to date with emerging technologies and the rapidly evolving cyber threat landscape. To comply with data protection and privacy laws in 2022, every cybersecurity team will also need legal professionals, so it’s a good idea to team up with your legal department or talk to an external law firm specialized in cyber law. The creation and continuous improvement of a risk-based Third-Party Risk Management Program is indispensable to prevent supply chain attacks; one-size-fits-all vendor questionnaires do not work anymore.
2022 agendas of many governments and lawmakers have a strong focus on penalizing organizations for poor cybersecurity practices. While deterrence of deliberate misconduct is crucial, I’d rather focus on supporting would-be victims of cybercrime, notably SMEs, healthcare providers and educational institutions. Provision of free cybersecurity training, which can even become mandatory one day, will prevent millions of security incidents. Likewise, cyber divisions of law enforcement agencies require an undelayed increase of budgets to hire new talent and acquire costly software and hardware appliances for digital investigations. Finally, global initiatives, such as the recent joint operations by Interpol, Europol and national LEAs, are a formidable weapon to suppress international cybercrime that no country can defeat alone.”