What a year 2021 was! While in some ways it was a welcome reprieve from the year prior, 2021 has provided its own set of challenges. At a time in which IT departments are scrambling to patch one of the most critical vulnerabilities in years, Lloyd's of London wants to discourage additional cybersecurity business, and companies are now contending with yet another COVID strain, it seems like we could use some intelligible insights into the coming year.
So, once again, I have turned to some leading experts in the cybersecurity and IT industries for their predictions. This time for 2022.
1. Preventing Ransomware will be the #1 Objective
All our experts agreed that ransomware is only going to get worse in 2022. Most professionals in the industry probably feel the same way. Jeremy Moskowitz, Microsoft MVP, and Founder and CTO of PolicyPak Software, goes as far as to say that everything else is secondary in terms of cybersecurity.
With the proliferation of ransomware attacks throughout the world, there is no doubt that companies must accelerate their efforts to prevent the infiltration of this crippling menace, which has not only cost enterprises $21 billion in downtime in 2020 but also contributed to supply chain issues for a list of products including cream cheese, of all things.
According to Dave Fafel, Chief Architect at Worldcom Exchange, Inc., one of the reasons for the increasing threat is that ransomware groups are now involving people on the inside who have legitimate access to the networks these threat actors want to target. Referred to as initial access brokers (IABs), these users are being offered lots of money in return for their cooperation.
Fafel explains that enterprises will have to turn to AI-based tools to examine transactions within the network in real time to uncover behavioral anomalies of authoritative accounts and unusual traffic patterns.
2. Huge Increase for Risk Management Services
Chris Cronin, an ISO 27001 Auditor, Halock Security Labs team member and Chair of the DoCRA Council, predicts that 2022 will be the year that we can expect a clear definition for reasonable security. Whether it be through litigation or the growing number of state regulatory compliance requirements coming into law, organizations are now expected to perform their duty of care by protecting their organization.
This means taking sufficient measures to secure the sensitive personal data of other people, as state regulators are now starting to use a clear definition for reasonable, risk-based security in their injunctions. In terms of litigation, a demonstrated duty of care shows the absence of negligence, which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually is.
PCI DSS 4.0 will be released sometime in the first quarter of 2022, and it will be the last of the major security controls frameworks to make risk the basis for compliance. Cronin also points out that the first phase in providing cybersecurity policies in the marketplace has failed financially. As a result, insurers and policy holders will start adding the public to cyber risk analysis, thus increasing the demand for these services even more.
3. MSPs will Require Reasonable Security Measures of their Clients
In recent years we have seen small/mid-sized businesses (SMBs) abandon break-fix IT services in favor of a managed services approach as they have accelerated their technology investments to grow their business. With half of all ransomware attacks involving small businesses today, according to a Judiciary Committee Hearing in Washington this past summer, managed service providers (MSPs) are being forced to become more security focused in 2022.
MSPs are now increasing their security stack to include tools such as Endpoint Detection and Response solutions, while offering additional services such as penetration tests and vulnerability assessments. Danny Kennedy of JDK Professional Services says that because so many ransomware attacks take place during off-hours, MSPs will increasingly partner with security operations centers to monitor their client networks on a 24/7 basis. MSPs are requiring clients to have a written incident response plan and to actively rehearse it.
Like Kennedy’s own firm, many MSPs will begin adopting minimum security expectations of their clients. Clients that fail to follow these reasonable security measures will increasingly be dropped. Of course, security starts within the MSP’s own IT estate. Says Kennedy, “How can I secure my customers if I can’t even protect my own house.”
4. Hybrid Work Architectures Introduce Touchdown Spots and Hot Desking
“I’m not sure anybody two years would have predicted where we are now,” says Greg Labrie, Director of Technology Solutions for WEI. Certainly, the remote work strategies that were implemented overnight in 2020 were considered only stopgap measures at the time. As things flipped virtually overnight, there was little time to consider matters relating to security and access.
In the closing months of 2021, the mantra of remote work has transitioned to hybrid work models. Hybrid work is all about greater work flexibility. Rather than dedicated offices, Labrie says employees will have ‘touchdown spots’ that they can return to a set number of days a week for team building, brainstorming, client interaction, departmental meetings and the like.
Jeremy Moskowitz perceives the idea of “hot desking” taking hold in 2022. It is the concept of anyone claiming a desk on premise on any given day. Users simply pick a station and start working. This approach will help companies reduce the size of their office footprints and reduce costs. The challenge in 2022 for hybrid work will be ensuring that users have a desktop that is “ready to go” wherever they start to work, whether that be an on-prem PC, mobile laptop, remote VDI connection or Windows 365.
5. The Role of the IT Department Changes in 2022
The Wall Street Journal recently published an article titled, “It’s Time to Get Rid of the IT Department.” While no one on our panel thinks the IT Department is going away, they do see it transitioning in 2022.
According to a recent IDG Study on the State of Digital Transformation commissioned by WEI, companies are increasingly relying on staff augmentation strategies to obtain the technology specialists they need. A surprising 82% of survey respondents cited IT staff augmentation as highly important for their organization, with more than one in ten ranking it as critical. They also said that 40% of their IT staff is considered temporary.
Chris Cronin predicts that the shortage of cybersecurity professionals will grow further in 2022 as organizations realize that the cloud is not as secure as they hoped and begin to bring some services back in-house. Companies will lessen their dependence on admins that specialize in a specific facet such as storage or networking over the coming years. Instead, they will transition to operational staff that know how to run their entire environments, whether those resources reside on-premise or in the cloud. At some point, enterprises will no longer have internal staff that build the environment, only staff that manage it.
Conclusion
We seem to be operating in volatile times right now, which is why many organizations are in search of a roadmap to help them navigate through the turbulence. There’s no doubt that we will witness profound changes in 2022. The question is how we contend with those changes. In the words of Elon Musk, “Some people don’t like change, but you need to embrace change if the alternative is disaster.”