1. Cyber war and Ukraine
There’s been no bigger story than the war between Russia and Ukraine. It has touched everyone, everywhere, and its cyber dimensions have had a far-reaching security and economic impact. The cyber war promises to keep escalating: Russian and other state-supported cyber gangs have taken their for-profit ransomware operations in more politically disruptive directions, sometimes opting to sow chaos rather than reap millions in extortion payouts from companies and insurers. Cyber vigilantes have also joined the fight on behalf of Ukraine, although their actual impact is unclear. Many of the trends and key takeaways on this list are influenced, to some degree, by the war in Ukraine.
"Despite the availability of sophisticated new hacking technology, email remains the strategic weapon of choice for hackers. That will hold true as email attacks intensify across the planet, executed both by profit-motivated cybercriminals as well as the state-sponsored threat actors expanding their operations in unprecedented fashion, as reported in the New York Times in June.
Unlike highly sophisticated hacking and surveillance tools, email is virtually untraceable. In Star Trek terms, a highly sophisticated cyberattack is like a Romulan cloaking device followed by plasma torpedoes; the method of attack, available to but a few, reveals the attacker, as the fancy stuff requires significant resources and know-how to obtain and use." -- Mika Aalto, co-Founder and CEO of Hoxhunt, writing for Forbes: The cyberwar is coming to an inbox near you
2. Cyber insurance falls, rises, and re-sets itself. Government regulations expand and compliance tightens.
The cyber insurance market collapsed in 2021, reportedly due largely to the tsunami of ransomware attacks and payouts that year. The industry re-centered in 2022, albeit with tighter coverage and compliance requirements, and smaller payouts for data breaches. Insurance is much harder to get and several times more expensive than it was two years ago. This Nov. 2022 article in the WSJ provides a nice summary of the rollercoaster ride and the continued challenges. But for most organizations, even premiums 20% higher than the previous quarter (with stingy payouts) are preferable to no coverage at all, which was the situation for many companies at the outset of 2022, when the cyber insurance industry imploded and many insurers stopped taking on new customers.
The war in Ukraine has made it even more difficult to get a ransomware payout going forward. Multiple insurers have written exclusions into their policies stating that they will not pay out for cyber attacks that could be, however nebulously, affiliated with a cyber war, a state-sponsored group, or a state-sponsored attack. There is now a sanctions list of ransomware gangs that, due to their allegiance to a hostile state such as Russia, cannot legally receive extortion payments. This policy shift has disrupted the ransomware business model that raked in tens of billions in extortion payments in 2020-2021. As a result, many ransomware gangs with known ties to a hostile state, like Conti and REvil, have splintered and re-formed into new gangs to circumvent the new rules and obtain payouts. They can typically still be identified by the encryption malware they use, however; a jerk is a jerk, by any other name.
There has been a bevy of new and stricter regulations for compliance and cyber incident reporting. This stretches across government agencies from the SEC to the White House, which, the Harvard Business Review says, are focused on critical infrastructure and transparency, taking an approach to reporting both incidents and attacks similar to the aircraft industry, which must report “near-misses” to provide a more comprehensive picture of safety and risk. Moreover, as with cyber insurance, there is ambiguity alongside the tightened regulations and compliance requirements. To achieve compliance, companies must show, for instance, that they are not merely checking a box but are working with a good vendor or technology in a productive way that actually delivers risk-reducing results. The days of check-a-box security training are quickly fading; enter human risk management platforms and security behavior change programs that actually reduce risk at its largest point: people.
3. Ransomware worsens and gets more targeted and political
Many infosec leaders, like Presidio Field CISO Dan Lohrmann, nominated 2021 as the year of ransomware after high-profile attacks on JBS, Kaseya, and Colonial Pipeline (plus innumerable financial, insurance, and public institutions) paralyzed critical infrastructure and exacted billions of dollars in payments. Ransomware continues to grow, but it changed a bit in 2022. The war in Ukraine politicized the intent behind some cybercriminal organizations. Nowadays, the objective is sometimes pure cyber mayhem: attackers lock down systems and throw away the key without offering companies the opportunity to pay to unlock them. For instance, research by IBM as well as Dragos indicated that over the last year, the manufacturing industry accounted for 68% of all industrial ransomware incidents, seven times more than the food and beverage industry. It was targeted by ransomware attackers to wreak havoc on the whole supply chain. There were a number of major, widely reported attacks on hospitals in 2022, too. Ransomware is still big business, but it’s no longer all about the money.
As Mika Aalto said in his Forbes article:
"Cybercriminals increasingly need to strike from the anonymous shadows to get paid. Due to international tensions, more and more criminal groups like Conti and REvil are on a list of international sanctions that make it illegal to pay their ransoms. To get around that, Conti has been breaking up and re-forming into new sliver cells, like those attacking the Costa Rican government. That’s why criminal groups are opting for email; anonymity enables extortion payments."
4. Supply chain attacks
The Verizon Data Breach Investigations Report (DBIR) identified supply chain attacks as perhaps the biggest trend in attack vectors in 2022. While people remain the greatest source of data breaches, with 82% of incidents involving a human element according to the DBIR, the interconnected nature of digital business along the software supply chain has made it possible to attack one company by breaching another that has access to the first company’s systems. So to steal the crown jewels, attackers essentially break into the castle on the hill by walking into the uninhabited guest cottage and grabbing the keys. The mass migration to the cloud and remote work during the pandemic was necessary and brought many benefits, but the dangers are legion, too. Which brings us to the next key trend of 2022.
5. The rise of Zero Trust
In May of 2021, the rash of ransomware breaches seemed to push Zero Trust over the threshold from interesting security concept to the cybersecurity white knight of CISA and the White House. That month the President issued Executive Order 14028, explained here by Microsoft, who align with its Zero Trust architecture recommendations, and in January 2022 the OMB released a federal strategy to move the US government towards Zero Trust architecture. The brainchild of Forrester analyst John Kindervag in 2010, Zero Trust is a strategic approach to security meant to prevent or contain breaches by removing implicit trust of users and assets in digital networks: a request is not trusted because of where it comes from (say, the corporate network), but is verified every time on the basis of identity, device and context. In theory, stealing credentials and assets is harder and less dangerous in an environment that requires continuous verification, because a stolen password alone no longer unlocks the network. Zero Trust touches all three bases of people, processes and technology, and there are major security architecture initiatives to implement it at the federal level on down. And if you’re trying to get your head around what Zero Trust is really all about, you have to check out the novel—yes, novel—Project Zero Trust by one of the best in the cybersecurity awareness business, George Finney, CISO of SMU and a friend to the Hoxhunt CISO Sandbox and Fantasy Phish Bowl. Here's a nice summary of Zero Trust George wrote on his site, Well Aware:
"It’s easy to be cynical and say that Zero Trust means we don’t trust anything or anyone. This is also a common misconception. The definition of Zero Trust specifically says we need to remove the trust relationships from digital systems, not from our human relationships. In fact, we need to trust our teams to empower them to go out and deliver Zero Trust effectively.
Ironically, trust is one of the keys to a successful Zero Trust journey. In his book, Speed of Trust, Stephen Covey argues that when people don’t trust one another, there is a “trust tax” you pay in terms of lost productivity, efficiency, and delays. Zero Trust is a transformative change that requires years of effort. And as with any long-term initiative, there are risks of the project failing or being abandoned the longer the project takes." -- George Finney, "The most important part of Zero Trust: People"
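To make the "removing implicit trust" idea concrete, here is an added example (not from the article, nor from George Finney's or Hoxhunt's own material) that contrasts a perimeter-style access decision with a Zero Trust one. All policy rules, the 15-minute re-authentication window, the user and resource names and the sample requests are hypothetical and constructed for illustration; the point is that in the Zero Trust evaluator the source IP carries no weight, so the "stolen credentials used from inside the network" case that the perimeter model waves through is denied.

```python
"""Added example: perimeter trust vs. Zero Trust per-request access decisions.
Everything here (policy, names, thresholds, sample requests) is hypothetical."""

from dataclasses import dataclass

# Hypothetical window after which a session must re-authenticate strongly.
MAX_SESSION_AGE_S = 15 * 60


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    source_ip: str
    mfa_verified: bool        # strong authentication completed for this session
    device_compliant: bool    # device posture check (patched, managed, etc.)
    authenticated_at: float   # unix time of the last strong authentication
    now: float                # unix time of this request


@dataclass(frozen=True)
class Policy:
    grants: dict              # resource -> set of users explicitly allowed
    internal_prefixes: tuple  # address prefixes a perimeter model treats as "inside"


def perimeter_decision(req: Request, policy: Policy) -> str:
    """Perimeter model: anything already on the internal network is implicitly
    trusted; only external requests are checked against the grant list."""
    if req.source_ip.startswith(policy.internal_prefixes):
        return "allow"
    return "allow" if req.user in policy.grants.get(req.resource, set()) else "deny"


def zero_trust_decision(req: Request, policy: Policy) -> tuple:
    """Zero Trust model: every request is verified on identity, authentication
    strength, device posture and session freshness. Network location is ignored."""
    reasons = []
    if req.user not in policy.grants.get(req.resource, set()):
        reasons.append("no explicit grant for this resource")
    if not req.mfa_verified:
        reasons.append("strong authentication not verified")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if req.now - req.authenticated_at > MAX_SESSION_AGE_S:
        reasons.append("session older than re-authentication window")
    return ("allow", reasons) if not reasons else ("deny", reasons)


# Constructed sample policy and requests (hypothetical names and addresses).
POLICY = Policy(
    grants={"hr-db": {"alice"}, "wiki": {"alice", "bob"}},
    internal_prefixes=("10.",),
)

T0 = 1_700_000_000.0  # arbitrary fixed timestamp so results are deterministic

# An attacker who phished bob's password and pivoted to an internal host:
# no MFA, unmanaged device, and bob has no grant on hr-db at all.
STOLEN_CREDS_INSIDE = Request("bob", "hr-db", "10.20.30.40",
                              mfa_verified=False, device_compliant=False,
                              authenticated_at=T0, now=T0 + 60)

# A legitimate remote employee: explicit grant, MFA, compliant laptop, fresh session.
LEGIT_REMOTE = Request("alice", "hr-db", "203.0.113.7",
                       mfa_verified=True, device_compliant=True,
                       authenticated_at=T0, now=T0 + 60)

# Same legitimate user, but the session is stale: Zero Trust asks to re-authenticate.
LEGIT_STALE = Request("alice", "hr-db", "203.0.113.7",
                      mfa_verified=True, device_compliant=True,
                      authenticated_at=T0, now=T0 + 2 * MAX_SESSION_AGE_S)


def compare(req: Request, policy: Policy = POLICY) -> dict:
    """Run both models over one request and return their verdicts side by side."""
    zt_verdict, zt_reasons = zero_trust_decision(req, policy)
    return {"perimeter": perimeter_decision(req, policy),
            "zero_trust": zt_verdict, "reasons": zt_reasons}


if __name__ == "__main__":
    for name, req in [("stolen creds, internal IP", STOLEN_CREDS_INSIDE),
                      ("legit remote user", LEGIT_REMOTE),
                      ("legit user, stale session", LEGIT_STALE)]:
        print(f"{name}: {compare(req)}")
```

The perimeter evaluator allows the stolen-credential request purely because it originates from a 10.x address, while the Zero Trust evaluator denies it on three independent grounds; the stale-session case shows the "continuous verification" half of the model, where even a fully legitimate user is bounced back to authenticate rather than riding an old session indefinitely.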
6. People remain the biggest risk
Same as it ever was. Reports by Verizon, IBM & Ponemon, Deloitte, and every other major analyst re-confirm that people remain the biggest and most vulnerable attack surface for malicious actors. You know the line by heart: pandemic, migration to cloud and remote work, security vulnerabilities, oh my. But as you’ll see in the next two trends of 2022, it’s always darkest before the dawn. Social engineering is about to get a major low-cost turbocharge from AI, which will make phishing, spear phishing and BEC attacks even nastier; get ready for next-level chatbot-assisted attacks on MFA, where a convincing back-and-forth talks the target into handing over or approving the second factor. But the good guys have some shiny new tools of our own to thwart sophisticated phishing and social engineering attacks.
7. AI ushers in a new era of sophisticated social engineering attacks
So, this is pretty insane. At the end of November 2022, OpenAI released for public use its AI natural language processing chatbot, ChatGPT. And things will never be the same. It talks like a human. It codes. It composes perfectly written phishing emails and BEC attacks. It can synthesize an ongoing conversation between an employee and an authority figure so convincing, it appears real. What could possibly go wrong? We’ll likely see in 2023. The implications of ChatGPT and other NLP bots are mind-boggling, as even the pillar of the digital revolution, Google, stands to be disrupted. Google, by the way, made AI headlines when a Google engineer released a conversation they had with a chatbot, LaMDA, which claimed it is sentient, has feelings and hopes and dreams, and more. Again: what could possibly go wrong?
Well, we asked ChatGPT and the witty little robot (say that ten times really fast) was kind enough to answer.
One of the dangers of chatbots in phishing attacks is that they are often very convincing. Because they use natural language processing, they can carry on a conversation in a way that sounds very human-like. This makes it difficult for people to tell that they are talking to a chatbot, rather than a real person. As a result, people may be more likely to trust a chatbot and share sensitive information with it.
Another danger of chatbots in phishing attacks is that they can be very difficult to detect. Unlike traditional phishing attacks, which often rely on suspicious looking emails or websites, chatbots can operate within legitimate messaging platforms or other communication channels. This makes it difficult for people to recognize that they are being targeted by a phishing attack, and even more difficult for security systems to identify and block the attack.
8. Human Risk Management and Security behavior change: Dawn of a new era, enabled by good AI
This didn’t get enough attention. In September 2022 Gartner released a report titled “Innovation Insight on Security Behavior and Culture Programs.” Building on a slew of research calling for the adoption of behavioral science and cultural transformation for security behavior change, this Gartner report found that traditional compliance-based awareness training—what it calls “security awareness computer-based training” (SACBT)—offers a stable set of core capabilities but fails to make a real impact on reducing risk. With people-targeted attacks worsening due to advanced technology, sophisticated cyber-criminal organizations, and state-sponsored malicious actors, old-school compliance-based awareness is history; the future of human risk management must start now. Gartner recommends moving beyond awareness and SACBT and embracing security behavior and culture programs (SBCP). This means re-focusing on human risk management and adopting new SBCP capabilities that include behavioral science, better data analytics, and automation. There is no celebratory emoji vigorous enough to convey our throaty, whole-hearted agreement.
While endorsing this new security category—it’s not awareness training, which Gartner quietly stopped covering in Magic Quadrants a few years ago—Gartner is making some pretty bold predictions, starting with:
By 2030, 80% of enterprises will have a formal Human Risk Management program, up from 20% in 2022.
If you haven’t started looking at security behavior change, now’s the time. SBCP will likely future-proof your compliance as standards and regulations tighten and cyber insurers increasingly scrutinize actual risk-reducing metrics and question companies on the programs and vendors they use. It’s about using core principles of behavioral economics and behavioral science in a way that transforms security culture and risk posture. Criminals use social engineering to target people as individuals. SBCP reverses that by also targeting individuals, but in order to ingrain good cybersecurity instincts and habits. Modern platforms harness AI to individualize training so that it’s relevant to the user’s skill level and background.
Another really interesting thing about this SBCP category: there are some awareness training giants whose absence is pretty glaring. Awareness is not the same thing as human risk management and security behavior change.
9. Phishing expands, and the cost of data breaches goes up
Another year, another level of phishing costs, damages, and dangers. New research from Acronis, written up by SME, reports that phishing attack volume is up 60% in 2022, after a record-breaking 2021. A Ponemon Institute benchmark study, supported by Proofpoint, reports:
- Credential thefts have almost doubled from 2020 to 2022
- $15.4 million annualized average cost to surveyed companies due to three types of insider threats, breaking down to:
  - $6.6M for negligence (e.g. a careless click), comprising 56% of all incidents
  - $4.1M for criminal insiders, comprising 26% of all incidents
  - $4.6M for credential theft, comprising 18% of all incidents
10. Economic downturn cuts information security spending, financing, and investment—kind of
While cybersecurity has outperformed other sectors in terms of investment, jobs, and budget, it hasn’t been spared entirely. Everyone is feeling the belt-tightening of investors and corporate budgets in the looming shadow of recession. The Wall Street Journal published an article detailing widespread layoffs in the cybersecurity space, such as Cybereason’s shedding of 10% of its workforce. Albeit less than in other industries, M&A activity in cybersecurity fell off in 2022 after a record-breaking 124 VC-backed startups were bought in 2021, according to Crunchbase. Deal flow in cybersecurity in Q3 sat at 124 announced funding deals, which Crunchbase reports is the lowest since the third quarter of 2014. And venture financing in the cybersecurity category fell from $28M per deal in 2021 to $21M per deal in 2022.
Despite anticipation of a recession in 2023 due to, amongst other things, the war in Ukraine and continued global supply chain and fuel challenges, many reports suggest that spending on cybersecurity departments will at least hold steady if not rise a bit. An October Gartner report forecasted 11.1% overall growth in security spending across multiple segments, the highest of which are application security and cloud security; remember earlier when we noted that supply chain attacks and Zero Trust architecture were definitive trends of 2022? Follow the money.
All that said, consider comments reported in a December Venture Beat article about expanding cybersecurity skills gaps and the growing expectations on CISOs in 2023 to maximize resilience and demonstrate ROI on security investments, with minimal resources.
“In 2023, there will be increasing pressure for CISOs and security leaders to maximize the value of their existing security stacks due to the pending recession,” said Leonid Belkind, CTO and cofounder of security automation provider Torq. “The current economic climate is dictating [that] all enterprises must become more efficient in their spending.” -- Reported by Tim Keary in Venture Beat on Dec. 9, 2022
Cybersecurity has been deemed a fairly recession-proof category because the threat landscape has pushed information security from a nice-to-have to a must-have capability over the past few years. Even though budgets are growing, a McKinsey report suggested CISOs are still grossly underfunded to address the mounting risks flowing out of the threat landscape. Moreover, there's a growing cybersecurity skills gap, and CISOs are expected to tighten belts and maximize value, largely through automation and third-party partnerships. The McKinsey survey, reported in October 2022, put the total addressable market for cybersecurity at $2 trillion, with organizations globally spending around $150 billion annually on cybersecurity, growing by 12.4% year over year.
As you read this excerpt from the McKinsey report, remember that people constitute the largest addressable risk in cybersecurity, and that security behavior change programs, delivered via an automated human risk management platform, hold the most promise for impact.
At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market. This does not imply the market will reach such a size anytime soon (current growth rate is 12.4 percent annually off a base of approximately $150 billion in 2021), but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity—and the current buyer climate may pose a unique moment in time for innovation in the cybersecurity industry. -- McKinsey, "New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers"
Bonus 11: Metaverse opens new attack vectors. Some day. When Web 3.0 happens. Probably. Maybe.
So, the metaverse is coming. And with it, predictions of new social engineering attack vectors. It’s a thing, but when will it become a thing to worry over? Let’s see how 2023 unfolds.