Navigating the Top Cybersecurity and Privacy Challenges of 2022

By ERMProtect Staff

With numerous companies falling victim to attacks last year, cybersecurity was once again a burning issue. The same will be true in 2022, with some new challenges on the horizon.

Just as in 2021, the challenges of ransomware, data sprawl, remote working and supply chain security will continue to have a significant impact on cybersecurity and data protection. This year we will see:

  • An increased number of ransomware attacks. The European Union Agency for Cybersecurity (ENISA) noted a 150 percent rise in ransomware in 2021 and expects that trend to continue in 2022.
  • Potential data leakage as remote work increases.
  • More use of artificial intelligence (AI) and machine learning (ML) technologies, intensifying the need for proper security safeguards and regulation.
  • Increased security and privacy embedded in engineering’s agile process, rather than leaving requirements as an afterthought.
  • Crypto applications hitting the mainstream, bringing increased security concerns.
  • Increased privacy regulation, which may expose companies to huge penalties if they make information security slip-ups.
  • And, of course, third-party supplier risk will again be center stage.

Now, let’s take a harder look at each of these threats and discuss how organizations can manage them.

Ransomware

Threat: Ransomware will continue to be the largest security issue in 2022. Ransomware is malware that encrypts a victim's files with cryptography the victim cannot break and demands a ransom, usually paid in cryptocurrency, for the decryption key. Most crews now also steal the data before encrypting it and threaten to publish it if the ransom is not paid (double extortion), which leaves organizations exposed to enormous fines and lawsuits on top of the operational outage.

What's New in 2022: Ransomware actors will become more relentless in their quest to scale up revenue quickly. Expect more triple extortion, in which a ransomware attack on one business is turned into an extortion threat against its business partners: the attackers demand payment from the target, and also from partners who cannot afford to lose the data or suffer a supply chain disruption. Ransomware attacks on critical infrastructure will again demand attention.

How to Address: Security awareness training is key, with research showing that employees who are aware of the dangers of phishing, for example, are eight times less likely to fall victim. Training shrinks the number of successful initial footholds but does not stop a determined intruder, so pair it with tested offline backups, multi-factor authentication on every remote-access path, and prompt patching of internet-facing systems.

Hybrid Working

Threat: The shift to hybrid or "work from anywhere" culture is increasing communication over text, phone, video, social platforms, and chat technologies. Every one of those channels is a place where data can leak, and most of them sit outside the controls built for the office network.

What's New in 2022: The rise in hybrid work will intensify cybersecurity concerns for organizations as they try to manage more data on more endpoint devices residing in more locations.

How to Address: Data created and stored outside the corporate network, for example in cloud services, needs the same protection as data on premises, starting with classification so that regulated data can be identified and handled appropriately. IT teams will need to deploy data loss prevention (DLP), privacy, and security tooling that follows the data rather than the network perimeter.
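To make the data loss prevention point concrete, here is an added example (not ERMProtect's tooling and not code from this article) of the detection logic a DLP or classification engine runs over messages: it finds payment card numbers (validated with the Luhn check so that order and tracking numbers are not flagged), US Social Security numbers and AWS access key IDs, redacts them, and assigns a handling label. The sample messages are constructed for the example, using the public Visa test card number and AWS's documented example key rather than live values; the label names, thresholds and regexes are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample messages for this example (not real data): the kind of
# text that leaks through chat and SMS when staff work from anywhere. The card
# number is the public Visa test number and the key is AWS's documented
# example access key ID, not live credentials.
SAMPLE_MESSAGES = [
    "hey can you run the refund for card 4111 1111 1111 1111, thx",
    "customer SSN is 078-05-1120 for the background check",
    "lunch at noon?",
    "staging key: AKIAIOSFODNN7EXAMPLE",
    "tracking number 4111-1111-1111-1112 shipped",  # card-like but fails Luhn
]

# Detector patterns (assumptions of this example; tune them for your own data).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


@dataclass
class Finding:
    kind: str       # "card", "ssn" or "aws_access_key"
    redacted: str   # value with all but the last four characters masked
    start: int      # offset in the message, for highlighting in a console


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str, keep_last: int = 4) -> str:
    """Mask a value for logs and alerts so the DLP report itself does not leak."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def scan_message(text: str) -> List[Finding]:
    """Return every sensitive value found in one message, in document order."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", redact(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", redact(m.group()), m.start()))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(Finding("aws_access_key", redact(m.group()), m.start()))
    return sorted(findings, key=lambda f: f.start)


def classify(text: str) -> str:
    """Map findings to a handling label; regulated identifiers outrank secrets."""
    kinds = {f.kind for f in scan_message(text)}
    if kinds & {"card", "ssn"}:
        return "restricted"
    if kinds:
        return "confidential"
    return "internal"


def scan_corpus(messages: List[str]) -> Dict[str, int]:
    """Count messages per label, e.g. for a weekly DLP report."""
    counts: Dict[str, int] = {}
    for msg in messages:
        label = classify(msg)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg).ljust(12), [(f.kind, f.redacted) for f in scan_message(msg)])
    print(scan_corpus(SAMPLE_MESSAGES))
```

The Luhn validation is what keeps the false-positive rate tolerable: a regex alone flags every 16-digit tracking number, and a DLP control that cries wolf gets switched off. In production the same scan runs at the point of egress (chat connector, mail gateway, cloud storage API) rather than on an export after the fact.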

Internet of Things (IoT)

Threat:  Past attacks include hackers using connected household appliances such as refrigerators to access networks, and from there moving on to access computers or phones where valuable data could be stored.

What's New in 2022: In 2022, we will undoubtedly see an increase in attacks on IoT devices. The number of connected devices is forecast to reach 18 billion by 2022, which means a hugely increased number of potential access points for cybercriminals.

How to Address: IoT must be designed with security in mind, not just for functionality. Education and awareness remain two of the most useful tools, and businesses must actively manage the security of the IoT devices they own: start by auditing every device that can connect to the network to understand and mitigate the exposure it brings, then change default credentials, keep firmware updated, and place IoT devices on a network segment separated from workstations and servers so that a compromised appliance cannot be used as a stepping stone to the systems that hold valuable data.

Artificial Intelligence (AI) and Machine Learning (ML) Technologies

Threat:  Adversaries can compromise AI decision-making algorithms, so they do not perform as designed. Increasing dependence on AI for critical functions and services will create greater incentives for attackers to target those algorithms.

What's New in 2022: Attackers will use AI and ML to power their attacks and evade detection. AI-driven attacks can mimic normal system communications, improve phishing by writing messages that read as if a real person sent them, solve CAPTCHAs to get past bot-detection challenges, and use voice, video, and image deepfakes to impersonate people and gain unauthorized access.

AI regulation will grow. In California, for example, the CPRA allows consumers to opt out of the use of automated decision-making technology, including “profiling”, in connection with decisions related to a consumer's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.  Bills pending in states including Washington, Colorado, New Jersey, and Vermont feature similar language. The EU and China are also considering regulating AI to enhance privacy.

How to Address:  Policymakers will need to develop accountability and liability regimes to govern AI security. AI developers must be required to obtain recommended certifications and submit their products to rigorous auditing and testing standards. Developers who do not meet these standards would be liable for the damage caused by their technologies if they build AI systems that are compromised.

Cybersecurity and Privacy by Design

Threat:  Security and privacy-related weaknesses are not identified early in the system development life cycle and result in costly deficiencies later.

What's New in 2022: We have already seen the shift toward the adoption of DevSecOps and Security and Privacy by Design principles, with security embedded within engineering's agile process rather than left as an afterthought. In 2022, this trend will become standard practice, with security and privacy requirements baked into every part of product design.

How to Address: Developer education programs will need to incorporate privacy-by-design and security-by-design principles. Security and privacy assessments must start in the design phase and continue through delivery, including threat-informed design reviews, code reviews, application scanning, regression testing of security fixes, and consideration of applicable privacy laws and policies.

Crypto Applications

Threat:  Third-party vendors are needed to facilitate blockchain transactions, such as payment processors and makers of blockchain payment platforms. These third-party blockchain vendors often have comparatively weak security on their own apps and websites, which can open the door to hacking.

What's New in 2022: In 2022, crypto applications will hit the mainstream. The term Web3 refers to a new generation of the Internet run on blockchains and characterized by decentralization. Unlike Web 2.0, in which large corporate platforms host the activity of content producers and consumers, Web3 is decentralized, distributed, token-mediated, and participant-controlled.

Web3 raises privacy challenges. By design, the blockchain is open, transparent, immutable, replicable, and provable. If you had concerns about your bank or e-commerce platform “seeing” your data, now the entire world will be able to see it on a public ledger.

How to Address: Cybersecurity professionals should perform due diligence on a new blockchain platform, and on the third-party vendors such as payment processors that surround it, before the organization embraces it.
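An added illustration of the transparency and immutability point above, not code from the article or from any real blockchain platform: a minimal hash-chained ledger in which every replica holds every record in the clear, any edit breaks verification (even if the editor recomputes the edited block's own hash), and a salted hash commitment shows the usual way to keep personal data off a public ledger while still being able to prove a record later. The record fields and the commitment scheme are the example's own assumptions.

```python
import hashlib
import json
import os
from copy import deepcopy
from typing import Dict, List, Set

GENESIS = "0" * 64


def digest(body: Dict) -> str:
    """SHA-256 over canonical JSON so every replica hashes identical bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class PublicLedger:
    """Append-only hash chain. Every participant holds the whole list, so every
    record is readable by anyone; changing one record breaks its own hash and
    the prev link of every block after it."""

    def __init__(self) -> None:
        self.blocks: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"prev": prev, "record": record}
        block = dict(body, hash=digest(body))
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            expected = digest({"prev": b["prev"], "record": b["record"]})
            if b["prev"] != prev or expected != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def visible_fields(self) -> Set[str]:
        """Field names anyone holding a replica can read: the privacy exposure."""
        return {k for b in self.blocks for k in b["record"]}


def commitment(value: str, salt: bytes) -> str:
    """Salted hash commitment. Publish this on the ledger and keep value and
    salt off-chain; the holder can later reveal both to prove the record.
    The salt matters: an unsalted hash of an e-mail address is guessable."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def demo() -> Dict[str, bool]:
    """Constructed records for this example; the addresses are not real people."""
    ledger = PublicLedger()
    ledger.append({"from": "alice@example.com", "to": "bob@example.com",
                   "amount": 120, "memo": "rent"})
    ledger.append({"from": "bob@example.com", "to": "carol@example.com",
                   "amount": 45, "memo": "clinic"})

    # Tamper with a replica: edit the first record and recompute its own hash.
    tampered = deepcopy(ledger)
    tampered.blocks[0]["record"]["amount"] = 12000
    first = tampered.blocks[0]
    first["hash"] = digest({"prev": first["prev"], "record": first["record"]})

    # Privacy-aware variant: identity and memo go on-chain only as commitments,
    # one random salt per record, kept by the parties to the transaction.
    salt = os.urandom(16)
    private = PublicLedger()
    private.append({"from": commitment("alice@example.com", salt), "amount": 120,
                    "memo": commitment("rent", salt)})

    return {
        "original_valid": ledger.verify(),
        "tampered_valid": tampered.verify(),          # False: block 1's prev link broke
        "memo_readable_by_all": ledger.blocks[0]["record"]["memo"] == "rent",
        "private_valid": private.verify(),
        "private_memo_in_clear": private.blocks[0]["record"]["memo"] == "rent",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first ledger is what the paragraph warns about: the memo and both e-mail addresses are visible to everyone with a copy, forever. The second keeps the ledger's integrity guarantee but exposes only commitments, which is the due-diligence question to ask of any platform: what, exactly, ends up on the public chain?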

Supply Chain and Third-Party Risk Assessments

Threat: The exposure that third parties and suppliers bring with them, since an attacker who compromises a supplier inherits that supplier's access to its customers.

What's New in 2022: Experts anticipate up to a four-fold increase in supply chain attacks.

How to Address:  Third-party risk assessments are required to ensure security standards are met – not just at the time of onboarding, but continually.

Privacy and Data Protection

Threat:  With more legislation following in the wake of the European General Data Protection Regulation (GDPR), such as the Chinese Personal Information Protection Law and the California Consumer Privacy Act, more organizations risk potentially huge penalties if they make information security slip-ups.

What's New in 2022: Expect an avalanche of new privacy laws and regulations that attempt to impose order on a dizzying array of technology developments. New regulatory efforts will range from data protection laws in India and China to AI regulation in the EU to automated decision-making rules in U.S. states. Add to that a flurry of enforcement activities, and you get a perfect storm of tech regulation.

Despite the bipartisan and bicameral consensus around the need for a federal privacy law, don’t expect a legislative breakthrough in 2022 from a fractured Congress. Interest groups on both sides of this issue remain deeply entrenched, with business groups resisting mechanisms of redress while advocacy groups push to expand privacy law to address topics such as equity, bias, and discrimination.

In the U.S., the California Privacy Rights Act (CPRA) and Virginia and Colorado’s new laws come into force over the next 18 months. Meanwhile, new privacy legislation is in the works in Maryland, Oklahoma, Ohio, New Jersey, Florida, and Alaska. The big question is whether any of these laws will diverge from the existing regulatory frameworks.

Abroad, an alphabet soup of tech regulation is set to become law: the Digital Services Act (DSA), Digital Markets Act (DMA), Data Governance Act (DGA), the ePrivacy Regulation, and the revised Network and Information Security Directive (NIS2).

How to Address: The basics still carry most of the weight: encryption of files at rest and in transit, two-factor authentication, access permissions restricted to what each role needs, hardened servers, and organizational security policies and procedures, including data-sharing agreements with every data-sharing partner and rigorous vetting of every partner that has access to the organization's personal data.
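Of the controls listed above, two-factor authentication is the one most often implemented incorrectly on the server side, so here is an added example (not code from the article) of a time-based one-time password generator and verifier per RFC 4226 and RFC 6238, using only the Python standard library. It includes the two checks a verifier must not skip: a constant-time comparison and a record of the last accepted time step so that a code captured from SMS or a phishing page cannot be replayed. The secret is the RFCs' published test secret; the skew window and step values are the example's assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Tuple[bool, int]:
    """Server-side check. Accepts a code from the current step or up to
    `window` steps either side (clock skew), compares in constant time, and
    refuses any step at or before the last one already consumed, so a code
    that was sniffed or phished cannot be replayed.
    Returns (accepted, counter to persist as the new last_used_counter)."""
    now_counter = int(unix_time) // step
    accepted, used = False, last_used_counter
    for c in range(now_counter - window, now_counter + window + 1):
        # Evaluate every candidate; do not break early on a match.
        match = hmac.compare_digest(hotp(secret, c, digits), submitted)
        if match and c > last_used_counter:
            accepted, used = True, c
    return accepted, used


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret shown in an authenticator-app enrolment QR code."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret (a public test vector, not a real credential).
    secret = b"12345678901234567890"
    print("current code:", totp(secret, time.time()))
    code = totp(secret, 1000)
    print(verify_totp(secret, code, 1000))                        # (True, 33)
    print(verify_totp(secret, code, 1000, last_used_counter=33))  # (False, 33): replay
```

Persisting the returned counter per user is what turns the one-time password into a one-time password; without it, a verifier that only checks the current window accepts the same code for the whole 90 seconds that the window spans. Rate-limit attempts as well: six digits is only a million possibilities.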

How ERMProtect Can Help

ERMProtect can help your business navigate cybersecurity threats and regulatory demands. We leverage 25 years of experience in cybersecurity to secure your data, protect your business, and manage costs and risk. For more information, contact Silka Gonzalez at 305.447.6750 or at sgonzalez@ermprotect.com.
