“Unprecedented” is a word that defined 2020 and 2021. Once the pandemic hit, a record number of businesses implemented work-from-home systems to ensure business continuity – remotely and online. With this rise in digital transformation, we’ve witnessed a blurring of the traditional online perimeters that companies need to secure. As CrowdStrike notes, these days a company’s network can be on-site, in the cloud, or a hybrid of both, with resources and staff spread across locations. This creates cybersecurity challenges, and there’s been a dramatic increase in exploits (the use of code that lets criminals access a network remotely and steal information).

    Suddenly, “once-in-a-decade” breaches of the past are now happening monthly, with a laundry list of companies falling victim. This proliferation of cyber-attacks has catapulted the zero-trust security framework into the limelight. Zero trust is no longer a security aspiration; today, it’s a security mandate to vet all users each time they request access to a company’s online assets.

    Netskope says zero-trust models “support the implementation of ‘least privilege access’, which is designed to grant selective access to only the resources that users require, nothing more”. It’s a critical part of privileged access management (PAM), since gaining entry at a privileged level is every hacker’s ultimate goal. This year, the number of successful attacks will rise, making a zero-trust PAM framework crucial. The cybersecurity trend will be prominent in 2022, alongside five other trends:

    1. More pervasive triple-threat ransomware

    Over 2021, we saw record-breaking amounts for ransomware pay-outs. For example, a US insurance company paid a $40 million ransom in March – $10 million more than the largest attempted demand in 2020, says ZDNet. It’s not only the dizzying amounts that are worrying. Ransomware is evolving, so organisations should expect more personalised or targeted attacks. These increasingly involve different assets, such as Internet of Things devices. The latest evolution, as Check Point Research explains, is the ‘Triple Extortion’ ransomware attack. This attack builds on the previous ‘Double Extortion’ tactic of stealing sensitive data from an organisation and demanding payment to prevent it from being released publicly. Criminals are simultaneously targeting the organisation’s clients and/or business partners, squeezing them for an additional ransom.

    2. Higher cybersecurity standards for insured businesses

    Cybersecurity insurance is fast becoming an accepted part of enterprise risk management. In South Africa, dozens of well-known providers, from Chubb to King Price, offer it. However, many insurers have found their models jeopardised by extortionate ransomware demands and the far-reaching financial fallout of recent security breaches. Subsequently, many have hiked their rates, with some exiting the cybersecurity market altogether. Both developments will lead to a tsunami of insurance cancellations in 2022, with businesses scrambling to find new coverage, albeit at higher rates. To ensure continued coverage with providers offering the best rates, businesses will need to demonstrate they meet the strict security measures insurers now demand.

    3. Strengthening cybersecurity culture across businesses

    More companies are seeing the value in creating a solid cybersecurity culture, which is heartening, as this wasn’t always a focus. Historically, enterprises spent millions on security solutions that protected their hardware and software, while neglecting to educate employees about security. Most breaches boil down to human error – 95% of them, according to a 2014 IBM study, while a 2020 report from US network provider Verizon found 85% of breaches included a “human element”. Human errors cover behaviours that can inadvertently (or sometimes deliberately, in the case of an insider threat) leave the door open to malicious external hackers. The IBM report highlighted a few common examples of human errors by staff:

    • Double-clicking on an infected attachment or unsafe URL.
    • Losing a company device.
    • Using weak passwords.

    To build a cybersecurity culture, companies must create a “living” set of security standards that they can update and share regularly. Adoption of this culture has been slow as the benefits are hard to measure, making it difficult to justify the expense. However, training staff to recognise threats, curbing poor security behaviour, and following basic security habits is ultimately a wise investment that will result in a marked drop in attacks.

    4. Small and big businesses equally targeted

    Many small- and medium-sized businesses (SMBs) struggle with what to prioritise: their need for cybersecurity versus their reliance on cutting-edge tech that enables innovation and opens doors to geographically diverse markets in an affordable way. The problem is that SMBs face the same threat landscape as big businesses, though often with fewer resources. Even though SMBs may appear a less lucrative target than larger corporations, they’re still at the mercy of cybercrime – in fact, Verizon’s 2020 report found 43% of cyber-attacks are targeted at small businesses. Another international survey notes that 60% of SMBs will close their doors within six months of a breach, unable to deal with the crippling financial fallout. It’s essential for SMBs to reprioritise budget spend on tightening security measures and focus on staff security awareness.

    5. Growing cybersecurity skills gap

    Cybersecurity jobs are in high demand, offering competitive salaries and job satisfaction. As the World Economic Forum (WEF) points out, “Cybersecurity professionals protect the digital world from cybercrime much the same way that police officers protect neighbourhoods.” These are jobs with purpose that can be truly rewarding. The latest skills gap figure is a massive 3.12 million – that’s the number of jobs available to cybersecurity professionals! Without an urgent drive to increase existing staff reskilling and include cybersecurity curricula within schools and universities, this gap will widen, leaving businesses at risk. The WEF offers free cybersecurity training online to upskill people for 10 crucial roles that are most in demand: network security engineer; threat intelligence analyst; security operations engineer; application security engineer; cybersecurity architect; cybersecurity risk manager; cloud security engineer; security awareness specialist; technical project manager; and cybersecurity compliance analyst.

    Vodacom Business is here to help

    What’s the red thread that connects these five trends? The fact that no one is immune to cybercrime. Private individuals, businesses and government agencies must prioritise cybersecurity education and invest in layered cybersecurity solutions from trusted providers, like Vodacom Business, to ensure they stay safe online.

    - Garith Peck, Executive Head of Cloud Security at Vodacom Business