“Unprecedented” is a word that defined 2020 and 2021. Once the pandemic hit, we saw a record number of businesses implement work-from-home systems to ensure business continuity, remotely and online. With this rise in digital transformation, we’ve witnessed a blurring of the traditional online perimeters needing to be secured. As CrowdStrike notes, today, a company’s network can be on-site, in the cloud, or a hybrid of both, with resources and staff spread across locations. This presents a cybersecurity challenge, giving way to a dramatic increase in exploits.
Suddenly, “once-in-a-decade” breaches of the past are now happening monthly, with a laundry list of companies falling victim. This proliferation of cyber-attacks has catapulted the zero-trust security framework into the limelight. Zero trust is no longer a security aspiration: today, it’s a security mandate, in which all users are vetted each time they request access to a company’s online assets.
As Netskope notes, zero-trust models “support the implementation of ‘least privilege access’, which is designed to selectively grant access to only the resources that users require, nothing more”. It’s a critical part of privileged access management (PAM), as gaining entry at a privileged level is every hacker’s ultimate goal. In 2022, the number of successful attacks will rise, making a zero-trust PAM framework crucial. This cybersecurity trend will be prominent in 2022, alongside five other trends.
Chief executives cited cyber threats as the number-two risk to business prospects in PwC’s 24th Annual Global CEO Survey.
More pervasive triple-threat ransomware
2021 saw record-breaking amounts for ransomware pay-outs. For example, a US insurance company paid a $40 million ransom in March – $10 million more than the largest attempted demand in 2020, says ZDNet. It’s not only the dizzying amounts that are worrying. Ransomware is evolving, so organisations should expect more personalised or targeted attacks that, increasingly, involve different assets, like Internet of Things devices. The latest evolution, as Check Point Research explains, is the ‘Triple Extortion’ ransomware attack. Building upon the previous ‘Double Extortion’ tactic of stealing sensitive data from an organisation and demanding payment to prevent it from being released publicly, criminals are simultaneously targeting the organisation’s clients and/or business partners, squeezing them for an additional ransom.
Higher cybersecurity standards for insured businesses
Cybersecurity insurance has become increasingly accepted as a part of enterprise risk management. In South Africa, dozens of well-known providers, from Chubb to King Price, offer it. However, many insurers’ models have been jeopardised by extortionate ransomware demands and the far-reaching financial fallout of recent security breaches. Subsequently, many have hiked their rates, with some exiting the cybersecurity market altogether – both will lead to a tsunami of insurance cancellations in 2022, with businesses scrambling to find new coverage, albeit at higher rates. To ensure continued coverage with providers offering the best rates, businesses will need to demonstrate that they meet the strict security measures that insurers are now demanding.
Strengthening of cybersecurity culture across businesses
More companies are seeing the value in creating a solid cybersecurity culture, which is heartening, as this wasn’t always a focus. Historically, enterprises were spending millions on security solutions that protected their hardware and software, while neglecting the simple act of educating employees around security. Most breaches boil down to human error – 95% of them, said a 2014 IBM study, while a 2020 Verizon report found 85% of breaches included a ‘human element’. Human errors cover behaviours that can inadvertently (or sometimes deliberately, if it’s an insider threat) leave the door open to malicious external hackers. The IBM report highlighted a few examples, including staff losing company devices or using weak passwords, with the most prevalent error being “double clicking on an infected attachment or unsafe URL”. To create a cybersecurity culture, companies must create a “living” set of security standards that can be updated and shared regularly. Adoption of this culture has been slow as it’s hard to measure and therefore difficult to justify the expense. However, teaching staff to recognise threats, curbing poor security behaviour, and following basic security habits can turn into an investment, as you’ll see a marked drop in attacks.
Small and big businesses equally targeted
Many small- and medium-sized businesses (SMBs) struggle with what to prioritise: their need for cybersecurity versus their reliance on cutting-edge tech that enables innovation and affordably opens doors to geographically diverse markets. The problem is that SMBs face the exact same threat landscape that big businesses face, though often with fewer resources. Even though SMBs may appear a less lucrative target than larger corporations, they’re still at the mercy of cybercrime – in fact, Verizon’s 2020 report found that 43% of cyber-attacks are targeted at small businesses. Another international survey notes that 60% of SMBs will close their doors within six months of a breach, unable to deal with the crippling financial fallout from such an attack. It’s essential for SMBs to reprioritise budget spend on tightening security measures and focus on staff security awareness.
Growing cybersecurity skills gap
Cybersecurity jobs are in high demand with competitive salaries, plus, as the World Economic Forum (WEF) mentions, “cybersecurity professionals protect the digital world from cybercrime much the same way that police officers protect neighbourhoods.” These are jobs with purpose that can be truly rewarding. The latest figure around the skills gap is a massive 3.12 million. This is the number of jobs available to cybersecurity professionals! Without an urgent drive to increase existing staff reskilling and include cybersecurity curricula within schools and universities, this gap will widen, leaving businesses at risk. The WEF offers free cybersecurity training online to upskill people for 10 crucial roles: network security engineer, threat intelligence analyst, security operations engineer, application security engineer, cybersecurity architect, cybersecurity risk manager, cloud security engineer, security awareness specialist, technical project manager, and cybersecurity compliance analyst. These are the cybersecurity jobs in demand.
What’s the red thread that connects these five trends? The fact that no one is immune to cybercrime. Private individuals, businesses and government agencies must prioritise cybersecurity education and invest in layered cybersecurity solutions from trusted providers, like Vodacom Business, to ensure they stay safe online.