2022 was the year that cybersecurity affected everyone’s life and lifestyle – it adjusted the price of gas for your car, whether you could get a steak at a restaurant, if or when you could see your doctor, and whether or not your favorite gaming site compromised your personal financial data. Increased pressure was applied to cyber professionals and practitioners, born of a stricter regulatory climate, and we will undoubtedly see government and standards bodies continue to clamp down on organizations that flout or minimize their emphasis on cybersecurity.
We all know the 2022 data breach headlines (e.g., Copper Mountain Mining, Mizuno, Intrado, Rackspace, T-Mobile, and a vast global list of public and private sector organizations). But what businesses need to ask is HOW these attacks happen and what we can do to avoid them. This is where our job as business risk managers is to clearly convey the actions cyber criminals take to compromise digital assets and what we need to do to protect our organizations and be resilient (protect, detect and recover) in the face of attack.
Let’s start out by using ransomware as the “Badness-o-meter” of cybersecurity, that is, using the pervasiveness and impact of this economic crime as the measure of improving or declining effectiveness in our industry. We often don’t know what, or if, a ransom was paid. There are instances, as with Colonial Pipeline in 2021, where we know that the $4.4 million ransom was paid. Paying a ransom shows an extreme failure in your resilience, preparedness, and readiness. Let’s not forget that top threat actors are very well funded and, in many cases, attackers do significant research to understand what an organization is able to pay, in order to increase the likelihood that the amount demanded by the extortioner is paid.
We do know this: the number of organizations globally that were victimized by ransomware rose slightly to 66% in 2022 (an increase of 3% over 2021). 68% of those victims paid the ransom in 2022, a decrease of 19% from 2021. This is an important improvement, but almost seven of every ten is still very high.
16% of organizations have been hit 3+ times with ransomware, indicating a lack of cybersecurity fundamentals and hygiene in those organizations, along with neglecting to take the remedial steps needed to avoid becoming a repeat victim. 56% of those attacked lost revenue, 50% lost customers and 43% suffered significant reputation and credibility loss.
What we clearly see in 2022 are larger individual attacks than ever before. In 11% of ransomware attacks the extortion demand exceeded $1 million in 2022, with an overall average ransom of $220,298 for the full year. However, the ransom payment amount is minuscule compared to the recovery and impact cost of $4.54 million in 2022, down just a bit from $4.62 million in 2021.
Global ransomware damage costs (again, not the ransom amount itself) are expected to reach $265 billion by 2031, which would place ransomware among the top 50 economies in the world by Gross National Product.
Lastly, according to the World Economic Forum (WEF), “by 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!” But as more data is produced and the value of data (often categorized as “cost per record”) skyrockets, we can only expect that more bad actors will attempt to exploit the emerging threat vector brought on by surging data volumes. As billionaire Warren Buffett once noted, data is clearly the new oil.
Though some of these statistics are moving in an improved direction, the increasing sophistication of cybercriminals, who are adding Artificial Intelligence (AI) to their endless array of zero-day exploits and social engineering attacks, is absolutely terrifying. Research firm Cybersecurity Ventures now predicts that there will be a new ransomware attack every 2 seconds (down from 11 seconds at the beginning of 2022) as ransomware perpetrators continue to refine their malware payloads and related extortion activities.
Furthermore, operational attack surfaces and privacy/PII-targeted attacks are increasing, mainly as millions more IoT, IoMT and IIoT devices come online, with some estimates at more than 50 billion devices globally by 2030, and as countless organizations operate in hybrid fashion (cloud and on-prem) with a largely remote workforce in the aftermath of the 2020-2021 pandemic.
Now let’s look deeper at what we at Seceon predicted for 2022, and then at what we predict is going to happen in 2023. Thanks for joining us on this journey!
2022 Seceon Prediction One: We will see high employee turnover in cybersecurity, with recruitment and staffing continuing to be a major issue on a global scale
In 2022, the global cybersecurity industry saw a dramatic rise in employee turnover. This was due to an increasingly competitive job market, with a large number of qualified candidates competing for the same jobs. Companies had to adjust their hiring strategies to stay ahead of the competition and recruit the best talent. ISC2 currently estimates the workforce gap at 3.1 million professionals worldwide. There appears to be a shift in entry paths for those newer to cybersecurity: 26% of professionals with less than 3 years’ experience started in a field other than IT or cyber, whereas just 1 in 5 (20%) of those with 8 or more years of cyber experience started in a field other than IT or cyber.
Moreover, we have a divide in the cyber workforce, with most graduates from colleges and universities moving toward technical areas in cybersecurity and very few into the domain of Governance, Risk and Compliance (GRC), at a time when the biggest need is in GRC. This is a significant risk. Talent is scarce. If you can’t obtain the skillsets you need to effectively manage cyber risk, then your cyber risk will go unmitigated, which will lead to exposures, a high cost of insurance (or loss of insurance), and leave you open to attacks, ransoms and data breaches. According to ISC2, 57% of organizations have unfilled roles for which they cannot find a suitable pool of candidates.
Additionally, the emergence of cloud-based technology and automation meant that many of the traditional roles in cybersecurity needed to evolve, with only some of the existing workforce making the journey and others leaving their positions in search of new opportunities. Despite these shifts, the demand for cybersecurity professionals continued to grow, and the industry remained one of the most sought-after sectors in tech, with zero percent unemployment for job seekers.
2022 Seceon Prediction Two: Expect additional compliance requirements
Companies around the world saw an increased emphasis on compliance across industries. This included more stringent requirements for data security, privacy, and compliance with a range of laws, regulations, and standards. Organizations of all sizes, from small businesses to large corporations, had to adhere to increasingly complex regulations and policies regarding the protection of personal data and the handling of sensitive information. Companies also had to take extra measures to ensure their systems were protected from cyberattacks and other malicious activities. In turn, cybersecurity professionals had to stay up to date with the latest security standards and technologies, as well as ensure their systems were compliant with new and existing regulations. Businesses had to invest in new technologies and strategies to meet the new requirements, such as cloud computing, threat intelligence, and artificial intelligence.
Overall, the focus on compliance in 2022 resulted in a heightened awareness of cybersecurity threats and a stronger sense of responsibility among all stakeholders. Boards of Directors are now asking questions about cyber threats and capabilities, and about what they can do to help guide their constituent companies, especially in the area we call risk management, and they are establishing the fact that compliance is non-negotiable. Executive Order 14028, the recent revisions to the FTC Safeguards Rule, the adoption of several state privacy initiatives (California CPRA, Colorado, Connecticut, Utah, Virginia), and recent directives from CISA are all indicative of increased scrutiny and legislative action to require adherence to sound cybersecurity and privacy practice.
2022 Seceon Prediction Three: The quality of AI algorithms, the scalability of the platforms behind those algorithms and the accuracy of the results produced will come to the forefront of SOC demands
AI-powered cybersecurity technology continued to advance at a rapid pace and became more centralized. This enabled organizations to better detect and respond to security threats. Automated security tools, such as machine learning and predictive analytics, were used to better identify and block malicious activities. At the same time, cloud-based security solutions were further developed and adopted, allowing organizations to better protect their data and systems. Cloud-based solutions made it easier to detect and contain threats, as well as to respond quickly to incidents. The adoption of zero-trust security models also surged in popularity in 2022. This model is based on always verifying user identity and access rights, rather than trusting users who are already inside the system. This helped organizations keep their data and systems secure even when they were accessed from outside their networks. Finally, the use of encryption and tokenization also became more widespread in 2022. These security measures help protect data from being accessed or stolen, even if the data is intercepted. Further, math applied to use cases should result in a more efficient and effective SOC, with fewer alerts and less noise being generated. AI also offers the advantage of supplying a system of measure: by using security analytics to measure risk in a probabilistic manner, it overcomes the challenge of not being able to quantify the likelihood and impact of a threat to an environment.
Tomorrow, we will introduce our 2023 Cybersecurity Predictions in Part II of our blog. We look forward to your feedback and questions.