Cyber Security: Outlook and Threats – 2023

2022 in Summary

In many ways 2022 was not much different from the preceding years: it was quite turbulent in terms of cyber security threats. We witnessed intensifying security attacks on all the regular fronts, including email scams, data breaches and ransomware, as well as some newer trends focussing on cryptocurrency, NFT thefts and software supply chain attacks.

A report created by Splunk outlines that in 2022 consumers lost an estimated $6.1 billion to email scams.  Some of the more noteworthy scams included fake MetaMask security emails, $2 million worth of NFTs stolen from OpenSea accounts, fake Ukraine charity scams and Amazon Prime Day scams.

Personal data breaches resulted in around 42 million Americans falling victim to identity fraud, with losses amounting to an estimated $52 billion. Enterprises like Samsung, Cash App, WhatsApp and Twitter all suffered from massive data breaches that caused material business losses and compromised millions of global citizens.

There will, however, be a shift in boardroom conversations and approaches to tackling cyber security threats this year. At the business level, organizations have started to look at more than just being secure: they want to be holistically resilient against supply chain disruptions, climate impacts, economic uncertainty, and cyber criminals who are constantly probing for vulnerabilities to breach an organization’s defence parameters.

Overall Resilience vs. Protection

This focus on a more holistic approach has also changed the role of security leaders in organizations. Cyber security leaders are now being compelled to consider interdependencies and options to correct the problems at the source – as opposed to the currently prevailing approach of setting up deterrents and gatekeepers. This new approach lends itself to baking security into the core of technology and its operations, as opposed to bolting it on at the time of deployment as an afterthought.

These cyber security conversations also vary in nature, depending on the understanding, maturity level and ability of an organization to pivot and avail itself of these new approaches to defence, which include:

  • AI-driven cyber security automation
  • A zero trust framework
  • DevSecOps practices

Some long-established enterprises with less flexibility and material technical debt are struggling to adopt these new approaches, while more progressive businesses that are leveraging a more cutting-edge technology stack may have never done it any other way.

Outlook for the Upcoming Years

As a result, the next few years will see a shift in the cyber security environment with greater decentralization and increased regulation. Gartner recommends that security leaders consider a number of additional planning elements in their cyber security roadmap and strategy for the upcoming years.

Data Privacy Regulations

According to a Gartner report, by the end of 2023, modern data privacy laws will cover the personal information of 75% of the world’s population. In 2018 GDPR was introduced as the first major consumer legislation for privacy in the EU. This was quickly followed by Turkey, Brazil and other countries and jurisdictions such as the UK, Canada and California. Cyber security solutions for global enterprises will therefore need to start conforming to more than one regulation and/or legislation.

Zero Trust Cloud Security Solutions

In the effort to reduce cyber risk and optimize operations, organizations will put additional focus on consolidating their technology stack. This will also apply to cyber security tools and applications. From this perspective, Security as a Service will become the preferred delivery method. By 2024, 30% of enterprises are predicted to deploy cloud-based Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), and Firewall as a Service (FWaaS) enforcing Zero Trust Network Access (ZTNA).

Security as Criterion of Doing Business

Organizations are increasingly looking to evaluate the cyber security risk of other organizations they intend to do business with. This holds especially true for supply chain partners and ICT service providers, and also for mergers & acquisitions activities. As a result, there may be requests for more data about a partner’s cyber security profile, through surveys or security ratings. By 2025, 60% of organizations are predicted to use cyber security risk evaluation as the primary determinant in conducting third-party transactions and business relationships.

Negotiation as Part of Doing Business

As the frequency, intensity and magnitude of cyber attacks increase, enterprises will look to establish formal negotiation protocols with cyber criminals. Cyber security experts and service providers will in turn need to increasingly start considering damage assessments due to security attacks and negotiations for ransomware payments at an overall business level. It is predicted that by 2025, 30% of global organizations will have engaged in formal negotiations with cyber criminals.

Blurring of Cyber and Physical Security

As corporate focus shifts towards overall combined operating resilience against cyber security, physical environmental safety and political stability, efforts towards digital and front office transformations will start to include an extra layer of complexity – especially for larger multi-vendor integration projects. This will be even more the case where digital transformation extends to include IoT and other end-point device (modality) connectivity. Cyber attacks are predicted to intensify, causing more than just business interruptions and also inflicting physical harm. By 2025, cyber-attackers will be able to use operational technology environments as weapons successfully enough to cause human casualties.

Security Labelling of Devices

With IoT devices becoming more and more infused into daily use, there will continue to be more emphasis on protecting connected devices and the cloud systems that tie them all together. The big initiative coming up in the US is a labelling system for IoT devices supported by the NIST recommendations for cyber security labelling for consumer IoT products. In 2021, the Presidential Executive Order on Improving the Nation’s Cybersecurity directed NIST to initiate labelling programs on cyber security capabilities of Internet-of-Things (IoT) consumer devices. In 2022, NIST started coordination with the Federal Trade Commission (FTC) and other agencies to identify IoT cyber security criteria for a consumer labelling program and criteria for a consumer software labelling program.

The AI Element to Cyber Security

Not only is the ability of machine learning algorithms to examine and learn from the vast amount of data moving across networks in real time far more effective than the human mind; it is also evolving at an accelerating pace. As a result, cyber security attacks exploiting this superior AI capability are also becoming more proficient and dangerous. It therefore seems necessary that cyber security defences also leverage these exponentially growing AI computing capabilities. According to IBM, enterprises that use AI and automation to detect and respond to data breaches will comparatively save an average of $3 million. It has also been predicted that by 2030 the market for AI cyber security products will be worth close to $139 billion – a near tenfold increase on the value of the 2021 market.

Focus on Embedded Systems

There is a continuing proliferation of cyber-physical systems. These include a variety of technologies, such as autonomous machinery (automobiles) that does not just perform repeated tasks but is becoming more AI driven; digital twinning of physical systems to support their operation, maintenance and environments; and IoT devices to improve quality of life and to deliver healthcare. All these prospects pose increasing real-world security risk for organizations and citizens, with dual frontal attacks from the physical world and cyber ecosystems. Focus is therefore increasing on continual assurance of secured application development, deployment and operations. In 2022, NIST started coordination with the US Federal Trade Commission (FTC) and other agencies to identify secure software development practices. Best practices such as SecOps and DevSecOps are becoming a default mode of operation to ensure that security is at the core of developing and operating embedded systems that drive physical devices in a variety of consumer, social and community environments.

In Conclusion

Boundaries between the physical and cyber worlds are starting to blur. Consequently, the focus on ensuring security and handling threats in both the corporate and consumer worlds is shifting to a more holistic resilience that includes both physical and cyber elements. Relying solely on “bolted on” reactive security measures as an afterthought to protect business applications and operations is already proving to be ineffective. The drive towards overall security resilience is forcing business leaders to be more strategic about including security measures as a core part of conducting business transactions, developing applications and managing operations. As the prospects of cyber security attacks causing physical damage and human casualties become more real, government regulations on secure embedded systems development and standards for device security labelling will drive a conscious approach to “baking in” security as a preventative mindset. Businesses that fail to adopt and pivot to this holistic mindset, and continue to handle security as a reactive tactical approach, will soon find themselves in a severely compromised state.

