Coping with increasing cybersecurity challenges (from the good side and the bad!)
Article by Varonis VP of APAC, Scott Leach.
Let’s spare a thought for cybersecurity professionals as we look into our crystal ball to see what 2022 holds. They’ll be under increasing pressure from the ‘bad guys’ and the ‘good guys’ as well. No matter what industry these professionals work in, it will become more challenging to secure data and maintain compliance with government regulations.
It should come as no surprise that the volume and sophistication of attacks will increase — this trend has been accelerating for years. But more effort will be needed to maintain regulatory compliance. Forthcoming legislative changes, such as the mandatory disclosure of ransomware payments, will see many organisations struggle to maintain compliance with evolving government regulations.
And organisations will find it tougher to obtain the protection and peace of mind that comes from cyberthreat insurance. Faced with the increasing size and proliferation of ransomware payments, insurers will get tougher, and cover will become more expensive, making it financially unviable for many organisations. Here are some more details on what we can expect in 2022.
Ransomware costs will ramp up
The 2020-21 financial year saw more Australian organisations suffer ransomware attacks than ever before, with the ACSC recording a 15 per cent increase in ransomware reports from the previous financial year. Ransomware and other cyber-attacks cost the Australian economy around $3.5 billion a year. A magnitude increase in that figure should be expected in 2022.
Australian organisations are the most willing in the world to pay a ransom if hit by an attack, according to a report by analyst firm IDC. The report notes that 60 per cent of Australian companies are willing to pay a ransom, compared to 49 per cent for both the second and third most likely countries, Brazil and Singapore, respectively. Most recently, JBS Foods paid a $14.1 million ransom following an attack.
Use of deepfakes and AI by cybercriminals will ramp up
In October, Forbes reported how an elaborate exercise in cyber deception could have stolen as much as US$35m from a Hong Kong-based bank. A key feature of the scam was a deepfake voice: the attackers cloned the voice of a familiar company director. They used this voice in a call to the bank manager, alongside some very convincing emails to legitimise the phone call.
Forbes said the incident had occurred in early 2020 and was “only the second known case of fraudsters allegedly using voice-shaping tools to carry out a heist.” Unfortunately, it won’t be the last. And these deceptions will increase in sophistication as scammers hone their skills and as deepfake technology evolves.
Many will go without cyber insurance
Insurers are placing increasingly stringent contractual obligations on organisations seeking cybersecurity insurance, particularly those that have previously fallen victim to attack. The result will be one or other party walking away from cyber insurance contracts. For insurers, the risks might be too high. For organisations, the costs of insurance premiums will be too high, or the requirements too onerous.
Organisations with existing policies can expect to face more scrutiny and audits by insurance providers to demonstrate they have the proper cyber controls and cyber hygiene measures in place.
In January 2021 the Harvard Business Review reported: “While companies might look to cyber insurance to protect themselves from … growing [cyber] risks, there’s another problem: there might just not be enough money in the still emerging sector to cover their needs.” It suggested they would need to seek alternative, innovative protection measures.
Regulation will get tougher
The newly introduced Security Legislation Amendment (Critical Infrastructure) Bill 2021 has not only expanded the definition of critical infrastructure but also imposed much more stringent cybersecurity requirements on organisations within this category. As a result, organisations in sectors such as food and grocery, higher education, and water and sewerage, which were never considered to be critical infrastructure before, now have a massive range of new regulations imposed on them. Many of these organisations will be critically underprepared for this and will struggle to meet the new compliance measures, leading to more fines and other penalties.
Supply chain attacks will continue to increase
This will be one of the biggest cybersecurity issues in 2022 and a tough one to counter. The European Union Agency for Cybersecurity (ENISA) predicted in July that the number of supply chain attacks in 2021 would be four times greater than the number in 2020.
ENISA analysed 24 attacks and concluded, “strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.”
To function effectively, supply chains rely on the exchange of data (often highly sensitive in nature) between the various links throughout the chain: a compromise of just one link can easily become a compromise of many.
We expect organisations in supply chains, especially the lead members, to start requiring details of partners’ security measures and demanding audits. These requirements could even extend to parties one step removed from the chain.
Some good news
The good news for cybersecurity professionals confronted by all these challenges is that unemployment is unlikely to be one of them: their skills will be in high and growing demand for the foreseeable future.
(ISC)²’s Cybersecurity Workforce Study 2021 reported that the number of cybersecurity workers in Australia had grown from 107,000 in 2019 to 135,000 in 2021, and said an additional 25,000 were needed to sustain its growth in 2022 and beyond.