The answers to these questions were used for the article, "Cybersecurity in 2022: What’s hot and what’s not", published by Barracuda MSP on the SmarterMSP.
What are the big cybersecurity trends you think will emerge in 2022?
Small businesses have always been in the crosshairs, but small businesses will move from a target of opportunity to more of a stalked target as large businesses and governments improve and less sophisticated attackers seek low-hanging fruit. I would love to believe that 2022 is the year businesses go back to the basics and security as a whole gets some real wins. Unfortunately, I expect much of the same as years past since the “basics” tend to be difficult and most are in search of the non-existent easy button. I’m also concerned that we will see a level of burnout that cybersecurity has never seen before, which is a worst-case scenario with so many in security already overworked and understaffed.
Will ransomware continue its rampage? And how will ransomware change and evolve?
“The beatings will continue until morale improves.” Only in this case, the beatings are ransomware and morale is security. It has become increasingly common for ransomware gangs and state actors to add new, sweeping vulnerabilities to their attack arsenal. The primary difference is that the time from vulnerability disclosure to attack will shorten to days or even hours instead of the weeks, months, or years as we’ve seen in the past. On the business policy side, it will also be interesting to see if insurance companies continue to backpedal from cybersecurity policies which have helped make ransomware exceedingly profitable.
Is remote work here to stay and what are the cybersecurity implications? Or do you think 2022 will bring more of a return to in-office normalcy?
While many businesses will undoubtedly look at moving workers back to the office, they will eventually learn that the ship has sailed. Remote work is here to stay as it has transformed from job “perk” to job “must” for droves of workers and job seekers. The ill-fated side effect is that this will be the year that we see numerous compromises resulting from incorrectly configured remote setups. At the time, there was a lack of options if a business didn’t already have a robust, security-centric solution in place. Now, going back and investing dollars to fix what works (devoid of security concerns) will be a tough sell to upper management.
Looking back at this year, are there any cybersecurity trends or events that surprised you?
I continue to be amazed at how overly reliant we are on software components that few have heard of previously… Here’s looking at you log4j! Overall, 2021 was full of some nasty bugs that were headline-worthy and/or difficult to squash. As interconnected as our modern systems are, hopefully those are anomalies and not trends.
Another interesting revelation was various governments intervening on multiple occasions to shut down attacks or even hack back. No, this isn’t new, but it was more public than in the past as if the “announcements” had intent. It will be interesting to see if political pressure can thwart cybercriminal behavior whether that occurs at the highest levels of government or in the individual psyche.
What areas of cybersecurity do you really want to see MSPs and CISOs investing time/resources in 2022?
Despite endless debates, the cybersecurity talent shortage is real and it’s not going away. While everyone wants and needs results now, we also need more people in the industry and the reality is that everyone has to start somewhere. Even if someone doesn’t check all of the boxes, yet they are smart and show initiative, give them a shot. Don’t be afraid to grow talent. Similarly, invest in people first, tech second. Send employees to training and encourage them to attend local conferences/meetups. That is how you make security part of your very fabric rather than an afterthought.
Second, pick an easy-to-follow cybersecurity framework (such as the Critical Security Controls), determine what capabilities you have today, understand where your gaps lie, and move forward one foot in front of the other. Meanwhile, produce quantifiable results from your various efforts so you can chart your travels. Don’t forget to report those results back to the business stakeholders so they better understand the process that is cybersecurity. Finally, don’t lose sight that this is a journey, not a race.