From the Colonial Pipeline attack, which resulted in fuel shortages across much of the East Coast, to the devastating breach on Microsoft Exchange, it’s safe to say 2021 was a tumultuous year for cybersecurity. But what will the next year look like?
I reached out to Auth0’s leading security and privacy experts to hear their predictions for 2022, and to learn how organizations will grapple with a changing threat landscape and the ongoing pandemic.
1. The Visibility Challenge
It’s been almost eighteen months since the Covid-19 pandemic forced us to rethink everyday life. The workplace was no exception. States ordered tens of millions to work from home, as they sought to limit the virus’ spread. To accommodate this flood of remote working, IT departments raced against the clock to build the necessary technology infrastructure.
Now, the dust has settled. The pressure has eased slightly. It’s time to take a breath. But don’t get too comfortable.
The next challenge for IT leaders — and CISOs in particular — is in securing the newly acquired devices and services underpinning remote working. Monitoring and threat detection will likely prove to be the biggest headache.
“Visibility is fundamental to security,” explained Cassio Sampaio, Senior Vice President of Product at Auth0. “You can’t stop attacks you don’t see. It’s always better to see attacks in progress, rather than after they’ve occurred.”
Many workplaces deployed new hardware and software in record time to ensure the continuity of the business, leaving little time to integrate them into existing security workflows. Sampaio says the big priority for 2022 will be to bring this infrastructure into view.
“With teams working remotely for the foreseeable future, now’s the time for IT teams to start focusing on security, with monitoring and threat detection both high priorities,” Sampaio added. “Hybrid working, as well as the growth of BYOD and cloud computing, has shifted the definition of a security perimeter. It now includes identity systems, as well as firewalls and IPS tools. It’s critical organizations extend their visibility to include these.”
2. Secure by Default Becomes the Norm
Security breaches can occur because of simple user errors. In some cases, vendors inadvertently facilitate that by issuing products with insecure default configurations, putting the onus on the customer to harden them.
“Far too often, security is treated as the user’s responsibility. This approach has arguably contributed to several high-profile incidents,” said Shiven Ramji, Chief Product Officer at Auth0.
In August, researchers at UpGuard learned some apps running on a popular infrastructure provider were leaking sensitive customer and business data totaling 39m records. This included Covid-19 contact tracing details, payroll records, and biographical customer data.
UpGuard attributed the issue to a default configuration that allowed unauthorized third parties to remotely query the underlying data source. But instead of considering it a bug, the provider described the issue as a well-documented feature.
In the face of massive data breaches and other unwelcome security lapses, we expect vendors will take a more proactive approach in creating guardrails for their customers. A Secure by Design approach will become the default. This philosophy sees products shipped with the most cautious settings by default, accompanied by other vital protective features, including Multi-Factor Authentication (MFA) and Privileged Access Management (PAM).
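The pattern described above, shipping with the most restrictive settings and making exposure an explicit opt-in, can be shown in code. The following is an added example written for this article; it is not Auth0's code, nor the unnamed provider's. The setting names (`allow_anonymous_api_query`, `public_listing`, `require_mfa_for_admins`, and so on) and the two sample configurations are constructed for illustration. The baseline is the secure default, a loader layers deployer overrides on top of it while rejecting unknown keys, and an audit function reports every setting that is weaker than the baseline so a deployment such as the one UpGuard found (anonymous querying of the data source) is flagged rather than silently accepted.

```python
"""Secure-by-default configuration baseline with an audit of deviations.

Added example, not code from Auth0 or from the provider in the article.
All setting names and sample configurations are hypothetical.
"""
import json
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class ServiceSettings:
    """Every default is the most cautious value; exposure must be opted into."""
    allow_anonymous_api_query: bool = False      # hypothetical: unauthenticated reads of the data source
    public_listing: bool = False                 # hypothetical: app discoverable without login
    require_mfa_for_admins: bool = True          # hypothetical: MFA enforced for privileged users
    session_lifetime_minutes: int = 60           # hypothetical: short sessions by default
    allowed_origins: tuple = ()                  # hypothetical: no cross-origin callers by default


# The baseline is simply the dataclass with nothing overridden.
SECURE_BASELINE = ServiceSettings()


def load_settings(raw_json: str) -> ServiceSettings:
    """Apply deployer overrides on top of the secure baseline.

    Unknown keys are rejected so that a misspelled key cannot silently leave a
    default in place while the deployer believes they changed it.
    """
    overrides = json.loads(raw_json)
    known = {f.name for f in fields(ServiceSettings)}
    unknown = set(overrides) - known
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    if "allowed_origins" in overrides:
        overrides["allowed_origins"] = tuple(overrides["allowed_origins"])
    return ServiceSettings(**overrides)


def audit(settings: ServiceSettings) -> list:
    """Return one finding per setting that is weaker than SECURE_BASELINE."""
    findings = []
    if settings.allow_anonymous_api_query:
        findings.append("allow_anonymous_api_query: data source can be queried without authentication")
    if settings.public_listing:
        findings.append("public_listing: application is discoverable without signing in")
    if not settings.require_mfa_for_admins:
        findings.append("require_mfa_for_admins: privileged accounts are not protected by MFA")
    if settings.session_lifetime_minutes > SECURE_BASELINE.session_lifetime_minutes:
        findings.append(
            f"session_lifetime_minutes: {settings.session_lifetime_minutes} exceeds "
            f"baseline of {SECURE_BASELINE.session_lifetime_minutes}"
        )
    if "*" in settings.allowed_origins:
        findings.append("allowed_origins: wildcard origin permits any site to call the API")
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = json.dumps({
    "allow_anonymous_api_query": True,
    "public_listing": True,
    "require_mfa_for_admins": False,
    "session_lifetime_minutes": 43200,
    "allowed_origins": ["*"],
})

HARDENED_CONFIG = json.dumps({
    "session_lifetime_minutes": 30,
    "allowed_origins": ["https://app.example.com"],
})


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(load_settings(raw)) or ["no deviations from secure baseline"]:
            print(" -", finding)
```

The point of the design is that the vendor, not the customer, decides the safe starting state: an empty override file yields a locked-down service, and every relaxation is both explicit in the configuration and visible in the audit output.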
3. Malicious Actors Will Exploit Supply Chain Woes
Global supply chains are in disarray. The cost of shipping products between continents spiked during the pandemic, with ships and containers both in short supply. Meanwhile, soaring demand for semiconductors has resulted in widespread shortages of graphics cards, games consoles, and cars, with the “chip drought” expected to last until 2023.
Amid this turmoil, we can expect to see malicious actors take advantage of the situation, exploiting the widespread sense of desperation among businesses and consumers. There is evidence this has already started to occur, with the FBI reporting an increase in Business Email Compromise (BEC) attacks at the start of the year.
“If you’re a school awaiting a shipment of Chromebooks for remote learning, or a retailer expecting stock from overseas, you might not question an unexpected invoice, especially if it comes from someone you know. The urgency may override your skepticism,” said Annybell Villaroel, Security Awareness and Culture Manager at Auth0.
4. Diversity of Thought and Skill Becomes Regarded as an Asset
The security landscape continuously evolves. In the past decade alone, we’ve witnessed the emergence of malware-as-a-service (MaaS), threat actors expanding by franchising their brand and technology to others, and attacks upon national infrastructure. Deepfake technology and bulk SMS messaging have been used to devastating effect.
IT teams now face increasingly sophisticated opponents, with attacks delivered in greater volume over a variety of mediums. Combatting this will require organizations to draw from a wider range of skills when filling cybersecurity roles.
“Bad actors have already diversified their thinking. Businesses must do the same,” said Jameeka Aaron, CISO at Auth0.
“I’ve always argued for a holistic approach to information security,” she added. “Technical skills are important, but so are the soft skills.”
To find candidates with these skills, organizations will have to broaden their hiring criteria and recruit from places they didn’t previously.
“To respond to this new threat landscape, businesses will have to shift their focus away from GPAs and certifications. You need people who can build bridges within the organization and evangelize good security practices. And going forward, I can imagine hiring managers will recognize communication and language skills as assets, too,” said Aaron.
5. Consumer Patience Wanes Over Privacy Breaches
Five years ago, Have I Been Pwned — a service that allows members of the public to check whether their personal credentials have been leaked — held records on 1.4 billion accounts. Today, that figure is almost 11.5 billion.
Coinciding with that almost tenfold rise is a greater awareness of security breaches among the general public, and signs their patience has begun to wane. According to Auth0’s latest CIAM survey, 92% of consumers expect businesses to keep their personal information safe.
“A decade ago, security breaches were smaller and less likely to be headline news,” said Sampaio. “Now, they’re front-page news, and they’ve ensnared some of the largest brands in the world. People are tired and scared, and they want businesses to raise their game.”
Perhaps surprisingly, the survey showed that a larger percentage of businesses, 97%, believe they are obligated to protect their customers’ personal information.
“This figure likely has its roots in many places. Security breaches are bad PR and are hugely costly for the company involved,” said Sampaio. “Recent legislation, most notably GDPR, LGPD, and APPI, introduces significant monetary penalties for organizations that experience a security breach. That raises the pressure further.”
6. Consumers Begin Expecting Data Portability & Interoperability
From healthcare and financial services to social networks, consumers increasingly recognize the value of data interoperability and portability. It allows you to seamlessly share medical records between practitioners, to see your banking and credit card information from a single central hub, and port your playlist between streaming services.
“One of the most popular apps in the App Store is Mint, which lets users track spending across their accounts. In the US, FHIR (Fast Healthcare Interoperability Resources) is making it easier for doctors to see the information held on their patients by other medical professionals. From a consumer’s perspective, interoperability is something that makes their lives easier, and data portability allows them to make real choices about who they do business with,” said Lucy McGrath, VP of Privacy at Auth0.
Data portability is already a consumer right in Europe thanks in part to GDPR and a number of global sectoral laws - particularly in finance and banking. McGrath expects demand for both portability and interoperability to increase in 2021 and beyond. The OECD has outlined the detailed benefits and challenges in its report Data portability, interoperability and digital platform competition, OECD Competition Committee Discussion Paper, here.
“It’s likely that we’ll see consumers’ expectation for choice - data portability and interoperability - enshrined in more global laws. It’s an exciting space that is spurring innovation - it’s essential the technology supporting the choice continues to protect the privacy of consumers and security of their data in these complex ecosystems,” McGrath said.