As the year comes to an end, it’s important to reflect on the cyber events that captured headlines in 2021 and understand the root causes, impacts, responses, and more importantly, the lessons learned from those events. The following four cyber trends highlight areas that justify increased scrutiny and attention as we transition to the new year.
Supply Chain and Third-Party Risk
It’s difficult to find someone who hasn’t been affected by supply chain issues during 2021. Construction supplies, Christmas gifts, cars, electronics, etc. – there seems to be no shortage of stories or headlines that point to supply chain issues. Unfortunately, as 2021 comes to an end, supply chain constraints and challenges will no doubt continue to be a concern for companies, governments, and individuals around the globe in 2022.
The COVID-19 pandemic forced everyone to rethink supply chain strategies and re-evaluate vendor relationships. As a good friend of mine and CISO once said, “don’t let a good security incident go to waste.” In other words, reflect on the current predicament and learn from it. Try to implement changes that can eliminate or at least reduce risk going forward. While a quick fix is not an option for the current crisis, increased scrutiny on supply chains will help to drive future benefits.
Although not as widely publicized or impactful, supply chain security incidents involving technology products and services had a major effect on companies throughout the globe. The Kaseya ransomware attack and SolarWinds compromise not only affected their intended targets, but also downstream customers. Tools from both vendors, designed to manage and maintain an organization’s infrastructure, were compromised and used to spread malware and corrupt the systems of thousands of downstream customers.
Third-Party Software Vulnerabilities
The recently discovered Log4j vulnerability is a current example of a supply chain security incident that is affecting thousands of users. Rather than reinventing the wheel, developers often adopt open-source software that has already been created for a specific purpose instead of spending the time and resources to develop something that already exists. In this case, Log4j is used for logging. Developers who want to include logging capabilities can simply adopt the component and include it in their software package.
The now-known risk with this type of development is that if a vulnerability is detected in the adopted open-source component, all software applications or tools that rely on that component are now affected or compromised. The question then becomes, what tools, applications, and resources does a company use that include the affected component? Some organizations are now requiring vendors to provide a detailed list of components, software, and packages that make up the product or solution they intend to acquire to put them in a more favorable position if and when future vulnerabilities like Log4j are discovered.
It goes without saying that cyber-attacks or vulnerabilities identified in the supply chain impact the number of affected users exponentially. It’s imperative that companies develop an in-depth knowledge of the technologies that make up their ecosystem so that they are able to respond accordingly when applicable security incidents are identified. The identification and tracking of open-source software within the ecosystem is equally if not more important. Expect supply chain attacks to continue in 2022.
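The component inventory the article recommends is usually delivered as a software bill of materials (SBOM). The following added example (not code from the article or from Linford) shows how such an inventory can be matched against a vulnerability advisory: it parses two constructed, minimal CycloneDX-style SBOM documents, walks nested (transitive) components, and reports every application that ships a version inside the advisory's affected range. The advisory record, its identifier, and its version ranges are placeholders constructed for the example and are not the real Log4j advisory data.

```python
import json
from typing import Iterator

# Constructed inventory: two minimal CycloneDX-style SBOMs (JSON), one per application.
INVENTORY = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "billing-portal", "version": "3.2.0"}},
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.12.5"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "hr-reporting", "version": "1.8.4"}},
        "components": [
            {"type": "framework", "name": "reporting-framework", "version": "4.1.0",
             # CycloneDX allows nested components; this models a transitive dependency.
             "components": [
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.16.0"}]},
        ],
    }),
]

# Placeholder advisory record. The id and both version boundaries are constructed
# for this example and do not reproduce any real advisory.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0",    # constructed: first affected version (inclusive)
    "fixed": "2.17.0",      # constructed: first fixed version (exclusive)
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into a comparable tuple. The numeric part is padded to three
    fields; a pre-release tag ('2.0-beta9') sorts below the plain release."""
    main, _, tag = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((-1, tag) if tag else (0,))


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, including those nested under other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(inventory: list, advisory: dict) -> list:
    """Return (application, group:name, version) for each affected component."""
    hits = []
    for raw in inventory:
        sbom = json.loads(raw)
        app = sbom["metadata"]["component"]["name"]
        for comp in walk_components(sbom.get("components", [])):
            if (comp.get("group") == advisory["group"]
                    and comp.get("name") == advisory["name"]
                    and is_affected(comp["version"], advisory)):
                hits.append((app, f'{comp["group"]}:{comp["name"]}', comp["version"]))
    return hits


if __name__ == "__main__":
    for app, comp, ver in find_affected(INVENTORY, ADVISORY):
        print(f'{ADVISORY["id"]}: {app} ships {comp} {ver} (fixed in {ADVISORY["fixed"]})')
```

Walking nested components matters in practice: the second application above never declares the logging library directly, so an inventory that only lists top-level dependencies would miss it. In a real deployment the inventory would be loaded from the SBOM files vendors supply and the advisory from a vulnerability feed rather than embedded as literals.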
Ransomware
The first documented security incident involving ransomware occurred in 1989. Since that time, the usage of ransomware, as well as the associated financial losses, has grown exponentially. In 2021, the Colonial Pipeline and JBS Foods ransomware attacks gained worldwide attention. Not only did the attacks cripple their intended targets, but they also had far-reaching effects downstream on clients and services that depended on their products and services. “On average, ransomware attacks cause 15 business days of downtime. Due to this inactivity, businesses lost around $8,500 an hour. The total ransomware costs are projected to exceed $20 billion in 2021.”
All companies need to take ransomware seriously. While safeguards should be in place to prevent a wide range of security incidents, ransomware-focused exercises, simulations, and analyses should be incorporated into a company’s security strategy. In addition to focusing on prevention tactics, companies need to define, develop, and rehearse playbooks that can be followed in the event that they become a target of ransomware. It’s critical that executive management be involved in ransomware incident response exercises. The Cybersecurity and Infrastructure Security Agency (CISA) has provided additional guidance resources to assist organizations in combating the effects of ransomware.
Privacy
When organizations hear the word privacy, they may think of the General Data Protection Regulation (GDPR) and Europe. In other words, if an organization doesn’t do business in Europe, then privacy regulation isn’t a concern and isn’t applicable. Historically, that mindset wasn’t entirely wrong, however, regulation surrounding the privacy landscape is continually changing and businesses need to ensure privacy remains a top consideration going into 2022.
GDPR was originally published in 2016 and became enforceable in 2018. Although other laws and regulations had been established prior to GDPR, GDPR significantly enhanced an individual’s control over the collection and use of their personal data as well as financial penalties for non-compliance. In 2021, Amazon was fined $888 million for reported GDPR data protection violations.
While the focus of privacy has previously been associated with Europe and GDPR, other countries and states have since then adopted their own privacy regulations. Within the U.S., the California Consumer Privacy Act (CCPA) may be the most well-known state-sponsored privacy law, however, other states such as Colorado and Virginia have similar laws and many more states are in the process of introducing their own.
In other words, organizations that have historically taken comfort in the fact that they don’t do business in Europe need to reconsider their position. Organizations should prepare for increased scrutiny and regulation surrounding privacy. While the U.S. has not yet adopted a GDPR-like privacy regulation, organizations should prepare now by adopting a robust privacy control framework, such as GDPR or the CCPA, and then make adjustments when different state or perhaps federal regulations come into play.
Continuous Risk Assessments
As the cyber risk landscape continues to rapidly change, it’s important for organizations to take a step back and reassess their risk register. There’s a good chance that over the past two years, an organization’s operations have taken on an entirely different look and feel. While technology and cyber risks inherently have a tendency to quickly shift based on the constantly evolving technology ecosystem, the global and individual response to COVID certainly shifted the way organizations do business. As a result, previously identified risks may not be as critical as initially assessed. Other risks may now warrant additional consideration and attention or run the risk of remaining unnoticed or undetected.
For example, COVID required organizations to rapidly rethink and retool in order to maintain business operations. The rethinking and retooling wasn’t as much the concern as was the timeframe in which organizations were required to accomplish it. A colleague of mine who works for a large multinational financial institution marveled at what her organization was able to accomplish in such a short period of time in order to transition several thousand employees to a remote workforce.
Assuredly, new technologies and processes were hastily implemented in order to support her organization’s needs as well as similar transitions throughout the globe. While the rapid transitions helped to fulfill business continuity goals and objectives, security concerns and considerations were perhaps justifiably sacrificed in order to maintain business operations. Performing a robust risk assessment will help to identify potential gaps and holes that were created as a result of rapid technology transformations that weren’t addressed during implementation, or that didn’t exist prior to the transformation.
From a cyber and information security perspective, organizations should constantly be asking two questions: what are we trying to protect, and what risks exist that limit or prohibit us from achieving those goals? The risk of failing to maintain the confidentiality, availability, and integrity of systems and data should remain the top priority, however, the misallocation of resources, budget, and time towards irrelevant or legacy risks should also be a major concern. Reassessing risks on a continual and frequent basis can help organizations ensure resources are spent on tooling and activities that support the mitigation of the current suite of risks facing the organization.
Conclusion – What is the Future of Cybersecurity?
While additional cyber trends certainly exist, the four topics discussed will most certainly be topics that we’ll hear more about in 2022. Organizations need to take proactive steps to address these trends early on to ensure they are prepared for the outcomes or effects that each of them will have on their organizations, employees, and clients.
This article was originally published on 12/22/2020 and was updated on 12/28/2021.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.