By Quentyn Taylor*
Ransomware is here to stay
Cyber criminals are adapting every single day. In 2021, hackers realised the recipe for ransomware was simple and delivered an exceptionally high return: exploit one weakness and force companies to pay millions for that mistake. Whilst 2021 was defined by its exponential growth, 2022 will be focused on the increased sophistication of ransomware and the techniques used to extort companies.
What’s more, following the same equation of low risk and high return, attackers will continue to use email compromise and payment fraud techniques. In payment fraud, the attacker requests that a supplier’s bank account details be updated to an account the fraudster controls. As this process is predominantly controlled by finance in many large corporates, it can slip through the net of the tight security measures implemented company-wide.
By the first half of 2021, businesses had seen 36% growth in ransomware attacks across Europe, the Middle East and Africa (EMEA), the highest growth of any global region during that time period. While ransomware incidents in Europe are likely to stabilise in 2022, it is predicted that they will continue to grow dramatically in other EMEA regions, most notably in Africa and the Middle East. As these two regions move towards a more digital economy, they are increasingly exposed to cyber-attacks. Cyber criminals are taking what they have learnt from Europe and are applying these lessons to new ground.
Cyber insurers will scale back to mitigate the risks
Cyber insurance is designed to protect companies from the worst financial consequences of cyber-attacks, but in practice it is inadvertently driving the ransomware explosion. The last thing cyber criminals want is to go after an uninsured company and risk their payout not coming through. Insurers provide them with the assurance they need to carry out the attack and demand more from it. As a result, in 2021, more cyber insurance providers were running at a loss, and now they have become more wary.
The UK is the country most likely in the world to pay cyber criminals. Recent research by security firm Proofpoint found that 82% of British firms that have been victims of ransomware attacks paid the hackers to get back their data, compared to a global average of 58%. It’s obvious cyber insurers cannot absorb the cost of the majority of multimillion ransomware operations, so they are cutting back as a result.
This year, we will likely see a larger scale-back of cyber coverage, and insurance will get more prescriptive to mitigate the risks. Insurers are waking up to the fact that it’s a losing game. Once weaknesses that can be easily exploited present themselves, insurers will start to exclude the vulnerability of the day from cover, and cyber insurance will not provide companies with the mitigation they had hoped for.
Security teams could pay the price for the hyperverticalisation of the IT industry
Hyperverticalisation of the IT industry, where IT professionals increasingly specialise in one area, will continue to be the standard framework for the industry. The benefits of this to enterprise IT teams are obvious, yet, in 2022, security teams may continue to pay the price.
Intensely specialised IT teams may seem like an advantage, as specialisation brings more depth of expertise to a role, but it can be a significant disadvantage because coordination between teams becomes increasingly critical. In the past, more generalist teams were able to understand each other’s roles, so they could detect and resolve problems reactively. Now, there is a risk that problems fall between the cracks. For example, the recent issue in the Java logging package Log4j meant that increasingly specialised operational and development teams were faced with a significant workload just to work out where they had this package deployed. Hyperverticalisation may seem attractive, and it is, but we must also remember it can come with significant risks from a security perspective.
The modern IT landscape is increasingly complicated, and this increased specialisation is needed to meet new demands. However, a balance must be found. Companies should look to ensure that there is a general management layer over the top, blending all these elements together. This is critical to prevent businesses from unintentionally opening themselves up to attack, just because there are gaps in their internal infrastructure.
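The Log4j workload described above was largely an inventory problem: the package is often bundled inside WAR or fat JAR files rather than sitting on disk as a plain jar. The following is an added example (not from the article or from Canon) of a defender-side inventory script that walks a directory, descends into nested archives and reports every log4j-core build it finds, reading the version from the Maven pom.properties entry that the artifact carries; the sample archive it builds is a constructed fixture with a placeholder version.

```python
import io
import os
import tempfile
import zipfile

# Maven metadata entry shipped inside log4j-core jars; its version= line tells us which build is deployed.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_props(data: bytes) -> str:
    lines = data.decode("utf-8", "replace").splitlines()
    return next((l.split("=", 1)[1].strip() for l in lines if l.startswith("version=")), "unknown")


def _scan_archive(zf: zipfile.ZipFile, label: str, found: list) -> None:
    names = zf.namelist()
    if POM_PROPS in names:
        found.append((label, _version_from_props(zf.read(POM_PROPS))))
    # WARs, EARs and fat jars bundle log4j-core under WEB-INF/lib or similar: recurse into nested archives.
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(inner, f"{label}!{name}", found)
            except zipfile.BadZipFile:
                continue  # not a real zip despite the extension


def find_log4j_core(root: str) -> list:
    """Return sorted (location, version) pairs for every log4j-core found under root."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_archive(zf, path, found)
                except zipfile.BadZipFile:
                    continue
    return sorted(found)


def build_sample_tree() -> str:
    """Constructed fixture: a WAR carrying log4j-core in WEB-INF/lib, with a placeholder version."""
    root = tempfile.mkdtemp()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.0-SAMPLE\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return root
```

Running `find_log4j_core("/opt")` on a real host gives the list of deployment locations and versions that the operational and development teams in the article had to assemble by hand.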
Legislation will be key for bolstering B2B security postures
We have already seen government legislation enhance IoT security measures in the consumer tech industry. In 2021, the European Commission adopted the Delegated Act on Cybersecurity to the Radio Equipment Directive, which aims to secure all IoT devices before they are sold on the EU market. The Act sets out the legal requirements that manufacturers must meet to ensure products are more secure and the personal data of citizens is protected. Similarly, the UK recently enforced a Product Security and Telecommunications Infrastructure Bill that requires consumer tech companies to strengthen their security stance by banning default passwords and providing transparency to customers in fixing security flaws. These are steps in the right direction to curb the growing security problems caused by the rise of IoT, which make consumers increasingly vulnerable to attack.
2022 must be the year we see this level of security legislation coming into force in the B2B space. With many businesses planning to continue offering hybrid working options for employees, their risk landscape becomes larger and more complex. Accordingly, organisations need to focus on improving endpoint security in line with their evolving ways of working. Legislation will provide national guidelines for security teams to adhere to, making it easier for organisations to meet the latest standards. The same legislation will benefit consumers too, perhaps even more so, given it will tighten up security requirements across devices. Whilst businesses will pay more for employees to have a device with airtight security, most consumers will still opt for a cheaper, less secure device.
Businesses must continue to evolve their cyber security posture in line with the rising ambitions of attackers. Ransomware operations are only set to get more sophisticated and targeted. In response, cyber insurance has been designed to compensate businesses in the event of attacks. However, it is clear organisations won’t be able to rely on it as originally hoped. We must not forget about the other side of the ransomware coin: payment fraud, which is still rampant. While external drivers such as government legislation will be key to defining security standards, it is important to consider that small internal changes in lines of communication can make a significant difference. Businesses must be prepared for what is in store and remain committed to deflecting the increasing ambitions of hackers.
*Senior Director, Information Security and Global Response, Canon EMEA