You might be thinking: a CISO in the M&A space? Investors don't “do” technology – they’re focused on investment and ROI. In my 27 years in software security and IT leadership, I hadn’t heard of it either, but this unorthodox belief is why I came to ASG – we aren’t your typical investor.
As a CISO at ASG, I educate and support leaders of our companies through technology education and business strategy, which is why I’m excited to share my perspective on this year’s trends from a security perspective.
2022 Security trends
Every year, there are three traditions in information security (InfoSec):
1) The mid-May weekend is spent reading the Verizon Data Breach Investigations Report
2) "Hacker summer camp" (Black Hat and DEF CON in Las Vegas' peak August heat)
3) The annual "cyber security/information security trends for the next year."
A lot of people roll their eyes, but I pay attention to all three because they’re all connected. What we see in August's demonstrations is reflected in January's predictions and reported on in May.
Generally, security experts write about the previous year and express hope that this year will be better than the last. While COVID hasn't helped in the hope department, 2022 can be a better year from an information security perspective, especially if companies pay attention to the signs and trends. Let's look at the issues to be aware of:
1. Hackers gotta hack, script kiddies gotta imitate
The buzz for 2021 was "Software Composition Analysis" and "Software Bill of Materials," and rightly so. 2021 was the year software supply chain vulnerabilities truly arrived at massive scale. While the SolarWinds attack opened the world's eyes, other major events like the Log4j vulnerability showed how widespread these attacks could be. That "leading-edge" hacking technology has already found its way into the automated tools script kiddies use to execute their attacks, so the only reasonable expectation is to see more and more creative supply chain attacks, with more companies reporting breaches as they begin to detect and discover malicious activity within their networks.
2. It’s still the basics, and you're still a target of opportunity
The Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, updated its Top 10 list of the most critical security concerns, but honestly... it has been made up of the same basic weaknesses (server misconfiguration, SQL injection, cross-site scripting) just organized differently each year. I've been an ethical hacker for over a decade now, and I can pretty much deliver the same report to a client today as I wrote in my first year. What am I getting at? Most successful attacks aren't cleverly complicated; they just take advantage of basic, recurring weaknesses and vulnerabilities.
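To make the "it's still the basics" point concrete, here is the SQL injection weakness the OWASP Top 10 keeps listing, shown beside its fix. This is an added example written for this post, not code from ASG or from any of its companies; the user table, the plaintext credentials and the login functions are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration.
    Passwords are stored in plaintext here only to keep the example short;
    a real system would store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The recurring weakness: user input is pasted into the SQL text, so input
    containing quote characters can change the structure of the query itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The basic fix: placeholders keep the input as data. The query text is
    fixed at development time and the database engine never parses the input."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Same malformed input, two very different outcomes.
    probe = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", probe))      # True
    print("parameterized:", login_parameterized(db, "alice", probe))   # False
```

Both functions accept the legitimate credentials; only the string-formatted version also accepts a password field that was never the password. Finding the formatted variant in a code base is a code-review or static-analysis check, and the remediation is the same one the OWASP guidance has recommended for years: parameterized queries everywhere user input touches SQL.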
3. Phishing attacks are here to stay
A report from the Ponemon Institute found that phishing attacks cost large organizations almost $15 million annually and $200,000 for small to medium businesses (SMBs). Human behavior represents a big risk: we are overburdened, rushed, and, frankly, exhausted thanks to the last two years. That won't improve in 2022; human risk will still be a major factor in overall corporate security strategy.
Best practices for avoiding these trends
Where I diverge from most annual predictions is this: I never give a prediction without strategies or solutions. The companies that weather 2022 successfully will be the companies that address the key basics. This includes:
- Analyzing the makeup of your software base, whether in-house or third-party, and getting to the bottom of what software the organization actually runs. This is the most critical step in protecting the organization.
- Protecting your organization with a Web Application Firewall (WAF) in front of all applications and implementing endpoint detection, monitoring, and remediation for all workstations and traditional servers will be important for protecting sensitive assets.
- Conducting recurring vulnerability scans and remediating findings will help identify and close the windows hackers are leveraging for easy access to your systems and assets.
- For companies running in the cloud, ensuring adherence to standards like AWS' Well Architected Framework will be key in avoiding simple mistakes and the related breaches.
- Being persistent with training your users on phishing and other social engineering attacks will continue to manage your risk. Sorry to break the news, but Facebook isn't really giving a million dollars away to the first respondent, and you probably didn't win that 72" Sony TV.
- Developing and practicing an incident response process will reduce the likelihood, impact, and cost of incidents. To be clear: every company will be under attack, and almost everyone will experience an incident. The companies that are good at incident management will detect, contain, eradicate and recover from security incidents more quickly and at a lower impact (fiscally as well as to brand reputation).
The saddest prediction/trend to make is that it's still the basics, and it will still be the basics for a long time. The one thing I can promise is that companies that observe past attacks and incidents, learn from them, and prepare themselves in 2022 will find that they have fewer incidents with less overall impact.
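The first point in the list above, knowing the makeup of your software base, is what a software composition analysis check does: read the inventory (an SBOM), compare each component's version against published advisories, and flag what is inside an affected range. The script below is an added example written for this post, not a tool from ASG or from any SBOM vendor; the SBOM fragment, the component names, the versions and the advisory ranges are all invented placeholders, and the version-comparison rule is a simplification chosen for the example.

```python
import json

# Constructed SBOM fragment in a CycloneDX-like shape. Names and versions are
# invented for this example and do not refer to real packages or advisories.
SBOM_JSON = """
{"components": [
  {"name": "acme-logger",  "version": "2.14.1"},
  {"name": "acme-json",    "version": "2.13.1"},
  {"name": "acme-webcore", "version": "5.3.9"},
  {"name": "acme-crypto",  "version": "1.0.0-rc2"}
]}
"""

# Constructed advisory feed: component name -> (first affected, first fixed).
# Placeholder data standing in for the advisory source a real SCA tool queries.
ADVISORIES = {
    "acme-logger":  ("2.0.0", "2.17.1"),
    "acme-webcore": ("5.3.0", "5.3.20"),
    "acme-crypto":  ("1.0.0", "1.0.1"),
}


def parse_version(text):
    """Turn '1.2.3-rc2' into a comparable tuple. The numeric part is compared
    first; a pre-release suffix sorts before the bare release, so 1.0.0-rc2
    is considered older than 1.0.0 (simplified semver ordering)."""
    core, _, suffix = text.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return (numbers, 0 if suffix else 1, suffix)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def scan_sbom(sbom_text, advisories):
    """Return (name, installed version, first fixed version) for every
    component whose installed version falls inside an advisory's range."""
    sbom = json.loads(sbom_text)
    findings = []
    for component in sbom["components"]:
        advisory = advisories.get(component["name"])
        if advisory is None:
            continue  # nothing published for this component
        first_affected, first_fixed = advisory
        if is_affected(component["version"], first_affected, first_fixed):
            findings.append((component["name"], component["version"], first_fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name} {installed} is affected; upgrade to {fixed} or later")
```

Two of the four constructed components are flagged; the pre-release `acme-crypto` build sits just below the affected range and is correctly left alone, which is the kind of edge case that a naive string comparison of versions gets wrong. Generating the SBOM in the first place is the part most organizations skip, and it is the step the list above calls the most critical one.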