As 2021 draws to a close, we see a world still challenged by Covid-19, necessitating new business models, new channels and a shift (perhaps for the long term) to remote and hybrid working.
But one thing seems enduring: the ruthless exploitation of our digital society by organised cybercrime. So, looking to 2022, I offer seven cyber security predictions.
1. Ransomware is endemic — and demands a strategic response
Ransomware has become endemic, it seems, with criminal groups becoming more sophisticated in their extortion tactics as they aim to automate the process of encrypting systems, destroying online backups and blackmailing organisations with the threat of data release. Insurers have an eye to reducing their portfolio risk given the rising costs of paying ransoms, governments treat cybercrime as a national security threat and regulators impose sanctions on criminal groups and demand that banks track and report ransomware payments.
2022 will bring more examples of ransomware groups exploiting supply chain and cloud service weaknesses. It will also bring more aggressive action by the national security community to tear down and disrupt the infrastructure used by these groups. This includes tracking and stopping the use of cryptocurrencies for cash out. The debates on whether payment of ransoms should be made illegal will continue, along with the frustrations over countries providing safe havens to such groups.
2. Digital worlds fail in surprising ways
The impact of ransomware on organisations is getting the board’s attention and has fed a broader debate on operational resilience.
Expect to hear the word “resilience” a lot in 2022 as organisations realise that they need to prepare for the worst — and work through the practicalities of how they would deal with a major ransomware (or other technology disruption) event. Response and recovery will get more attention. The Digital Operational Resilience Act and Network Information Systems Directive version two will hit the streets in Europe as regulators focus on the resilience of a very different world of digital infrastructure — and the systemic risks that come with that dependency. We will also see digital infrastructure fail in surprising ways, exposing links and connections between systems we didn’t know existed.
3. Geopolitical tensions will play out in cyberspace
The world seems a complex place, with many political tensions and polarised opinions. These will play out in cyberspace as nations exert increasing control over “their” cyberspace, the information which flows through it and even how opinion and narrative are expressed.
2022 will see those issues come to a head. Privacy legislation will continue to make it to the statute books, creating an increasingly complex global web of regulation and extra-territorial obligations. The debates on liability and the scope for class action and group litigation continue — and with regulators less willing to relax as the economic impact of Covid-19 recedes, there will be some headline-grabbing fines coming up.
We will also see more aggressive cyber-attacks by nation-states around political flashpoints, whether they are disputed borders in the real world or disputed narratives in cyberspace. Those virtual confrontations will trigger consequences in the real world — diplomatic and trade-related.
4. Security has changed — but we may not have noticed
The shift to hybrid working accelerated the transition to cloud services during 2021. With that change has come a very different IT environment of home working, bring your own devices, split tunnelling of traffic, and DevOps processes. Conventional security models are becoming obsolete, and talk has turned to zero trust, cloud access security brokers and secure access service edge (SASE).
2022 is the year when the debate moves from the theoretical and aspirational to a necessity, as organisations realise their existing security models no longer match this new environment, leaving them increasingly blind and unprotected. The shift in security model will demand new skills, new solutions and new vendor relationships. The ripples will be felt in the market, with winners and losers among cyber security firms.
5. Supply chain security isn’t an afterthought
So often, third party assurance can descend into a compliance and tick box activity, even though the bulk of the IT environment now resides outside company buildings and data centers. The growth of SaaS, PaaS and IaaS has changed the IT environment beyond recognition. 2021 saw two supply chain attacks which gave the community pause for thought, and we will see more in 2022 as organised crime realises that supply chain attacks can scale to hit hundreds or thousands of victims.
Managed service and cloud providers will get greater regulatory attention as they are increasingly regarded as part of our critical digital infrastructure. Third party risk scoring services will continue to mature but will still offer an incomplete and partial view of risk. Discussions on containerising and limiting the impact of software or service compromise will ramp up. The whole area of third party risk demands more attention.
6. Time matters, more than ever
The time to exploit systems is decreasing rapidly, with ransomware now triggering just a few days after the initial point of compromise as attackers turn to automated tooling to accelerate their exploitation of compromised systems. The defenders are also exploring security orchestration and automated response, albeit constrained by the complexity of their IT environments and the consequences of over-reacting to a potential security event.
2022 will see security orchestration and automated response move from an optional activity to improve efficiency to a required and critical response to a rapidly changing threat. That response will need to extend beyond internal networks to community-wide actions. It will disrupt criminal infrastructure as we see active defense programs piloted in the public sector extend a protective umbrella to cover private sector critical infrastructure.
7. Emerging technology, emerging regulatory challenges
2022 will see the first rafts of regulation around the use of artificial intelligence and machine learning systems, including action to outlaw the most extreme uses of AI to manipulate human behavior and govern high-risk applications, as well as direct interactions with people. This is just one aspect of the increasingly complex nexus between technology and society, also bringing robotics, autonomous and embedded systems and even deep fakes.
Our world is changing, crime is changing, and our approach to cyber security must evolve as well. Let’s help protect this new world together. Being a community matters more than ever.
Originally published on KPMG.