David Balaban: It feels like this year has seen numerous, high-profile ransomware attacks – Colonial Pipeline, JBS, etc. What is your biggest takeaway from the headline-grabbing hacks and breaches we’ve seen this year? Why did we see such an explosion throughout 2021?
Jim Bowers: What we are seeing on the ransomware front from threat actors is really broadening. For example, nation-states like Korea, China or Russia used to carry out attacks to disrupt our democracy. Now, more and more, they are also looking to infiltrate or take and steal intellectual property – this was a major concern in the development of the COVID-19 vaccine. Additionally, you have organized crime, which is looking for monetary gains, and ransomware is incredibly lucrative at the moment, with around $590 million paid out in the first half of 2021.
While nation-state attacks like Colonial Pipeline and JBS Foods were headline grabbers this year, the monetary-driven attacks are the prevailing threat to most businesses. While the pandemic was the catalyst for the rise in ransomware, continued payments to attackers are what is keeping the business thriving. This year the largest ransomware payment was made by an insurance company, at $40 million. This is indicative of the behavior we are seeing from organizations. They choose to pay hackers, signaling to other attackers that they are willing to play ball. One payment indicates to other cyber criminals that you’re likely willing to pay a second. This has created a vicious cycle that’s contributed to the ransomware attacks that happen every 11 seconds.
– What were the common security mistakes and flaws you’ve been seeing this year?
– Most organizations have come to terms with the fact that they have multiple holes within their security posture and realize that, in many ways, attacks are an inevitability. The biggest differentiator today is that many businesses have been using cyber insurance as a crutch, which is really going to prove to be a mistake going forward. For years, the level of attacks was so low that companies were more lax, thinking that if they were breached, their cyber insurance would cover any losses. With the rate and size of attacks growing, cyber insurance cannot cover the volume of breaches. So that safety net is shrinking.
– In your experience, what was the weakest point in organizations’ security posture? Why is this element in security overlooked and what can businesses do to mitigate this risk? For example, can managed security services or an increased use of VPN tackle these challenges?
– Organizations’ biggest security flaw has been, and will continue to be, people, and this is a two-pronged problem. Typically, organizations don’t have the IT staff to fully support and cover operations. According to Sophos, 69% of IT teams have seen an increase in security workload and 54% of those individuals say the attacks have grown beyond their capabilities. This makes security experts a critical piece of your IT infrastructure, and right now those experts are scant in the job market.
Just as important are the employees – both in and outside the IT department. A staggering 95% of breaches stem from human error, which can manifest in a multitude of ways. From failing to install software security updates, having weak passwords or giving up sensitive information to phishing emails, humans, unfortunately, are often the weakest point, while also being an underdeveloped aspect, of a security posture.
To address these gaps, there are two avenues to explore in 2022. The priority needs to be security training for all employees, regardless of their status in the company or where they set up their workspace. Too often, organizations host one security training for all employees and think that will be enough. That kind of effort is not going to do moving forward. Organizations will need to invest in continuous, highly tailored security training for every employee. These kinds of services can easily be outsourced and provide an engaging way for employees to become vital components of the security infrastructure.
While they are outsourcing security training, enterprises need to start considering outsourcing some of their security needs to fill in those gaps. Managed security services are set to surpass $45 billion next year and have seen nearly 14% growth year over year since 2016.
– Do you expect the same volume and level of attacks to persist into and throughout 2022?
– Absolutely expect to keep seeing the rate and scale of attacks increase. The pandemic completely altered the threat landscape, hence the record number of reported breaches in 2021. That shift plays into the hands of threat actors, who are only going to continue taking advantage of displaced workforces, vulnerable systems and decentralized IT teams to achieve maximum disruption.
When it comes to where these attacks are taking place, that is where the remote worker is at a real disadvantage. Cybercriminals aren’t just waiting for you to click on the wrong email. They’ve become far savvier and are looking to meet workers where they are – which is everywhere. This includes work computers, personal laptops and in 2022, bad actors will be more present on mobile devices. In 2021, 46% of organizations had at least one employee download a malicious mobile application. Expect that number to go up throughout 2022.
– What cybersecurity trends can we expect to see in the new year? Any new threats on the horizon we should be keeping an eye on? Any specific solutions that you recommend?
– When it comes to the specific threats, of course ransomware has become an ever-present threat, but expect to see more ransomware-as-a-service attacks in 2022. Organizations like Dark Side and Rebel are building tools and platforms, trying to franchise their attack toolkits. They offer a convenient platform to go out and execute a ransomware attack, and as most attackers are financially motivated, ransomware-as-a-service is a cheap and expedient method to carry out what could be a lucrative attack. I’d also expect to see more attacks against individuals – basically blackmailing people – slightly moving off full organizational assaults.
Also, we can anticipate more distributed denial of service (DDoS) attacks. We continue to see that rise, having gone up 11% during the pandemic. There were 5.4 million DDoS attacks in the first half of 2021 alone, so that’s going to keep accelerating. Why? Because digital transformation is accelerating, with continual movement into the cloud. So now that commodity-based internet connection is carrying critical information, and if that threat actor can tie up that pipeline, making legitimate traffic not accessible to that organization, it’s going to cost them money. So, expect to see DDoS on the increase big time.
We might also start seeing AI play a bigger role in attacks moving into 2022 and you also have to be on the lookout for continued phishing attacks, and attackers leveraging vulnerabilities in microservices.
So, we have this ever-growing threat landscape and a deluge of attacks coming our way in 2022. What can individuals and companies do? First, you’ve got to know all the devices connecting to your network. It starts with visibility. What am I dealing with? Where’s the risk within my organization? What are the new entry points? What are the new attack vectors? Visibility will be the most critical aspect of any security setup and needs to be prioritized.
Once you identify entry points, then base your security practices around a framework such as NIST, which covers five functions. From there, you can layer on other pieces of this framework, which establishes a defense-in-depth approach and enables organizations to cover a majority of those entry points.
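The "visibility" step described above, as an added example that is not part of the interview or of any product Jim Bowers works with: a small asset-reconciliation script that parses DHCP lease acknowledgements and compares the devices it sees against an approved inventory, flagging unknown devices (possible shadow IT or personal hardware) and inventoried devices that never appeared. The log lines, MAC addresses and inventory are constructed sample data; the ISC dhcpd-style line format is an assumption about the log source.

```python
"""Asset visibility check: observed DHCP clients vs. approved inventory.

Added example (constructed data, not from the interview). Maps to the
'Identify' function of the NIST Cybersecurity Framework: you cannot
protect what you do not know is on the network.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed DHCP lease log excerpt (ISC dhcpd-style DHCPACK lines; sample values only).
DHCP_LOG = """\
Dec  1 08:02:11 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (finance-laptop-07) via eth0
Dec  1 08:05:40 dhcp dhcpd: DHCPACK on 10.0.5.22 to aa:bb:cc:dd:ee:ff (android-9f3c) via eth0
Dec  1 08:07:03 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:66 via eth0
Dec  1 08:09:15 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (finance-laptop-07) via eth0
"""

# Constructed approved inventory: MAC address -> (owner, asset class).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("finance", "managed-laptop"),
    "00:11:22:33:44:66": ("it", "printer"),
    "00:11:22:33:44:77": ("hr", "managed-desktop"),  # inventoried but not seen today
}

# DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>; hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    hostname: Optional[str]


def parse_leases(log_text: str) -> Dict[str, Observation]:
    """Return one Observation per MAC seen in the log; the latest lease wins."""
    seen: Dict[str, Observation] = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        seen[m["mac"]] = Observation(m["mac"], m["ip"], m["host"])
    return seen


def reconcile(observed: Dict[str, Observation],
              inventory: Dict[str, Tuple[str, str]]) -> Tuple[Dict[str, Observation], Set[str]]:
    """Split the picture into devices we did not expect and devices we expected but did not see."""
    unknown = {mac: obs for mac, obs in observed.items() if mac not in inventory}
    missing = {mac for mac in inventory if mac not in observed}
    return unknown, missing


def report(log_text: str = DHCP_LOG,
           inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> Tuple[Dict[str, Observation], Set[str]]:
    """Run the check and print a short triage summary for the operator."""
    unknown, missing = reconcile(parse_leases(log_text), inventory)
    for mac, obs in sorted(unknown.items()):
        print(f"UNKNOWN DEVICE  {mac}  ip={obs.ip}  hostname={obs.hostname or '-'}")
    for mac in sorted(missing):
        owner, kind = inventory[mac]
        print(f"NOT OBSERVED    {mac}  owner={owner}  class={kind}")
    return unknown, missing


if __name__ == "__main__":
    report()
```

The unknown list is the actionable output: each entry is a device with a network presence that no one has vouched for, and that is where phishing-delivered malware on a personal laptop or an unvetted mobile app tends to show up. The missing list is a data-quality signal about the inventory itself.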
About Jim Bowers:
An accomplished and seasoned security expert, Jim brings 20+ years of in-depth knowledge in engineering powerful security solutions. Having worked with notable companies in finance, healthcare, manufacturing, technology and more, he advises on complete security infrastructure, from assessments, vulnerabilities and risk management to phishing training/simulation, DDoS mitigation, endpoint protection and Managed SOC.