Faced with ransomware attacks from Colonial to JBS to Kaseya, companies of all sizes were forced to assess their cybersecurity and risk internally and come to some uncomfortable and frankly embarrassing conclusions. With digital transformation accelerating and remote work becoming increasingly prevalent, the attack surface for cyber attacks has grown. Combing through spreadsheets for compromised security controls and faxing sensitive information are just two of the many unsafe cyber practices that large companies still employ. 2021 forced businesses across industries to admit that their cybersecurity was not keeping pace with most attack vectors, especially malware.
With the FBI taking a more assertive approach to tracking down ransomware threat groups and indicting culprits, 2022 is poised to be a year of seismic shift with expected changes within critical infrastructure industries, malware threat actors, and cyber insurance policies. As the threat landscape dangerously transforms, there is an expected shift in understanding risk and responsibility, impacting the relationship between C-suite executives and the boardroom.
Padraic O’Reilly, Chief Product Officer and Co-founder of CyberSaint, characterizes 2022 as a year of transitioning over to accountability and responsibility.
“We’re beginning to see a shift over to the preventative, risk-management side,” said O’Reilly. “That’s why we’re seeing the FBI go after attackers, it’s why the White House put out a ransomware task force, and rules are saying not to pay out ransoms in a knee-jerk reaction. Officials are trying to get their head around this so that they can get out of reaction mode.”
Companies will try to shift from a reactive mentality and attempt to get ahead and look at the preventative aspects of data security and risk. Take a look at the 2022 cybersecurity predictions from our thought leaders at CyberSaint.
With the government scaling up its defenses against ransomware, critical infrastructure sectors are now required to increase their pace in achieving cybersecurity maturity. If not, these critical sectors run the risk of continuing to be easy targets for hackers. While all critical infrastructure sectors are targets for ransomware, some are more vulnerable than others, like emergency services, healthcare, water treatment, and local government.
In 2020, there were 239.4 million attempted attacks on the healthcare sector, and 560 providers were compromised. These numbers alone show the barrage of threats that looms over this critical sector. On a positive note, vulnerable sectors are expected to improve their ransomware posture quickly through an aggressive and efficient approach.
Ransomware will not disappear on its own. Instead, there will likely be an internal dynamic change between threat groups. Typically, there are malware developers and then smaller operators that buy malware kits that carry out attacks. These groups have different incentive structures, with developers cautioning against attacks on larger companies and critical infrastructure since the government now has a stricter approach. Developers fear their operations being jeopardized after the FBI tracked crypto payments to the hackers who carried out the Colonial pipeline attack.
Smaller operators function like outsourced attackers. With less at stake, they aim at larger, more important companies for a more lucrative payout, which could become a source of tension between threat groups.
With the rapid adoption of cryptocurrency this year, threat intelligence suggests that crypto is another reason malware has proliferated the way it has. Criminals can hide their whereabouts by demanding ransom via crypto. Security experts will have to keep an eye on this in the upcoming year.
The Implications of Deep Fake Technology
Ransomware attacks could scale up dangerously where deep fake technology intersects with cyber attacks. Threat groups could embed deep fakes in spear-phishing attacks that manipulate targeted employees into sharing sensitive personal information. Hackers could use deep fake tech to imitate the voices and likenesses of executives, since that material is already available on the internet.
Deep fakes can do more than aid ransomware attacks: cybercriminals could also embed them in phishing scams, business email compromise, and social media hacks. Deep fake tech could equip cybercriminals well enough to extort companies directly and avoid ransom exchanges altogether.
Agencies and information-sharing networks have put in great effort at providing accessible knowledge and best practices for enhanced cybersecurity. Companies can no longer use the excuse that they didn’t know threats were looming or that agencies were gatekeeping the information. Cybersecurity knowledge is available from NIST to CISA to the more specific E-ISAC. And while some recommendations may be costly, companies can start with more basic affordable practices, like multi-factor authentication and updating passwords.
With this information so accessible, cyber insurance companies will be looking to raise their premiums and enforce more significant security requirements. Companies cannot use cyber insurance to sidestep the work of improving security; it should extend an existing cybersecurity approach as the last-resort option. In the upcoming year, insurance companies might refuse to pay the ransom if they find that the company has failed to keep up with the bare minimum requirements of cyber safety.
“CISOs have begun to realize that they can’t go in and unnecessarily present deeply technical issues and then, offhandedly, say that the risk might be this or that,” says O’Reilly. “The conversation needs to be more disciplined, and it has to be driven in terms of dollars.”
As companies shift from a reactive mentality to a preventative mentality, C-level executives will be required to report cyber practices and postures more effectively to board leaders. For a company to truly get ahead of a reactive approach, it needs to have full support from non-technical units up to the board level so that cybersecurity receives the necessary visibility and investment. Board members need to understand where they need to invest and the advantages of risk mitigation.
CISOs and CEOs need to communicate cyber vulnerabilities to board members in an approachable way by presenting security and risk through a financial lens.
“We’re starting to see CEOs now being required to report to their board on a regular basis on what their cyber posture is and what their cyber risks are,” explained Jerry Layden, CEO of CyberSaint. “Historically, it was frustrating to see the largest companies in the world looking at their cyber risk through the lens of spreadsheets. Now we are seeing a market change towards real-time monitoring, and we’re seeing ransomware and other more frequent attacks as a factor driving them to understand cyber risk in real-time.”
2022 could be a big year for risk management. We could see trends of C-level executives and board members trying to educate themselves more on cyber risk and become more collaborative with security leaders. It is a necessary shift as we see ransomware evolving to a more malicious degree. This could be the year during which companies begin their transition to preventative risk management and finally graduate from having a disaster mentality.
Contact us to learn about CyberStrong’s risk management approach and board reporting capabilities.