Authors: Morey J. Haber, Chief Security Officer; Christopher Hills, Chief Security Strategist; Brian Chappell, Chief Security Strategist, EMEA & APAC; James Maude, Lead Cyber Security Researcher
The annual cybersecurity trends prediction season is once again upon us. We come armed with our top prognostications for 2022, as well as a glimpse into what we presage happening 5 years from now.
But first, let’s take brief stock of the recent past that brought us to this moment.
In 2020, “unprecedented” suddenly became one of the world’s most overused adjectives. Yet, few other terms seemed to capture the waves of inter-related changes and adaptations compelled by the coronavirus pandemic. Organizations hastily implemented remote working technologies and policies, with social distancing top-of-mind, but cybersecurity a distant afterthought. Digital transformation began to steeply ramp up as everyone seemed to lean into the promise of new technologies to survive as businesses through the pandemic.
In 2021, the pandemic remained with us. While cyberattackers had exploited the pandemic during its earliest stages, late 2020 through 2021 was when the yawning attack surfaces created by rushed implementation of remote working and digital transformation initiatives began to be exploited with vigor. Cybercrime exploded. Once-in-a-decade breaches (SolarWinds, Colonial Pipeline, Verkada, JBS Foods, Kaseya) seemed to occur monthly. The proliferation of cyberthreats, breaches, and the accelerated de-perimeterization of enterprises also catapulted the concept of zero trust from security aspiration to a security mandate.
During these last two years, our collective digital dependency has only increased. Protecting digital assets and critical infrastructure from cyberattacks is only getting more urgent, and ever more difficult to achieve.
So, what security and technology surprises lie in store for 2022 and the near future? How can we prepare?
Prepare yourself by reading on for our best calculations of what the future holds.
Cybersecurity Trend Predictions for 2022
1. Space Travel
While interplanetary travel will not occur in 2022, you will have the opportunity to send your DNA to the moon or the chance to ride in a rocket as a space tourist. We are on the precipice of a huge wave of space tourism, movies filmed in space, and solicitations that promise to send your name, DNA, and maybe even a loved one’s ashes, beyond Earth’s atmosphere.
With these tantalizing opportunities will come scams – and plenty of them. Expect phishing attacks and faux websites to crop up across social media and the Internet promising all these experiences in exchange for a modest fee, or the harvesting of personally identifiable information.
We won’t be living on Mars just yet, but plenty of scammers will be willing to sell you the stars.
2. Talent Resources
2022 will prove to be the most challenging year yet with regard to the ongoing cybersecurity talent crunch. Some drivers of this demand/talent imbalance include the accelerated adoption of hybrid cloud and digital transformation initiatives, post-pandemic projects ramping up, and budgets becoming available for spend. Security posture improvements will be at the top of the list of desired projects.
Businesses, enterprises, solution vendors, partners, service providers and many more verticals aligned to the security space are being challenged with talent acquisition. Colleges and universities aren’t producing security professionals in anything like the numbers needed to meet demand.
Ultimately, the imbalance between demand and supply will cause salary spikes across the board for every level of IT security professional. The shortage of talent will play in the favor of the employee and, ultimately, the value of a dollar will win.
3. 5G in Everything
Today, IoT technology is pervasive and is appearing in parts of the enterprise that would have been unfathomable just a few years back. Consumers and businesses can expect that newer devices will be cellular-enabled, or cellular capable, to provide services outside of local area and Wi-Fi networks. This will allow connectivity using a subscription model and remove the barriers and troubleshooting required for connectivity on home or small business networks.
This approach may even extend the concept of Amazon’s Sidewalk technology as a fallback mechanism. Continuous connectivity, regardless of environmental conditions, will be highly appealing to most users, especially for security-related systems like alarm systems and cameras.
4. Ransomware Reinvented
Record-breaking ransomware payouts in 2021, including $40 million paid by one victim’s insurance company, continued to validate the ROI and economics of ransomware for threat actors.
This year, the ransomware model evolved to include data extortion based on exfiltrated information. But ransomware is not done evolving. New paradigms to extort money will emerge in 2022.
Organizations should expect ransomware to become personalized and increasingly involve different types of assets, like IoT, as well as company insiders. Exfiltrated information may be disclosed in a targeted way to specific buyers. We may even start to see more flexible terms of payment, as opposed to lump sum payouts. With installment plans, ransomware operators will decrypt victim assets over time, based on agreed-upon payout terms.
5. Supply Chain Kinks
Supply chain attacks reached new heights in 2021, with far-reaching reverberations from breaches targeting widely used software, including Kaseya and SolarWinds. Unfortunately for us all, this attack vector is in its infancy.
Supply chain attacks will further mature in 2022, expand in scope, and increase in sophistication. Expect far more third-party solutions and common development practices to be targeted.
Organizations need to include third-party supply chain breaches in their incident response plans and plan for a public and private response, just in case they become an inadvertent victim through a licensed solution.
6. Cyber Insurance Termination
Over the last several years, cybersecurity insurance has become an increasingly accepted part of enterprise risk management. Unfortunately, runaway ransomware attacks and other breach fallouts have put the cyber insurance business model in jeopardy. Subsequently, many cyber insurers steeply increased rates, dropped coverage of high-security risk enterprises, or even exited the cyber insurance market altogether.
In 2022, expect a tsunami of cyber insurance cancellations and a mad scramble to obtain new coverage, potentially at much higher rates. To obtain coverage and ensure the best rates, organizations will need to demonstrate the proper cybersecurity hygiene demanded by cyber insurance underwriters. Failure to have agreed-upon cybersecurity controls in place will also be a key argument for insurers to refuse paying out after an incident, or to terminate coverage.
7. Freedom of Social Networks
Social networks will be under increasing pressure to control the content posted by their users. This is also likely to result in broader powers for the authorities to trace and identify malicious sources.
The anonymity of the net has allowed users to hide behind these social platforms, using them to be vicious, and even nefarious, without repercussions.
In the year ahead, expect to see either tighter controls on the content that is distributed via social platforms or reliable attestation for the source of the material, and potentially access to the data for authorities.
8. Softly, Softly
Next year will see the average time from intrusion to detection grow, giving attackers more time to perform reconnaissance and wreak havoc on systems.
Over the past couple of years, so many organizations rushed remote working implementations based on VPN technology. This is one of the contributing factors making intrusion detection more difficult. Teams face far more data to sift through to try to distinguish legitimate behavior from malicious activity. The signal strength for any event will be lower compared to the background noise.
Expect a lot of careful hackers to find their way into systems and establish long-term residences there.
9. Broken Record
Since the advent of networking, the attack chain has typically comprised steps such as exploitation of a vulnerability, obtaining privileged access, lateral movement, and exfiltration of data or operational damage. Each year, it’s hoped that next year will be the year we get the basics right and the number of successful attacks declines.
In 2022, the number of successful attacks will continue to grow, the average cost to the victim organization per successful attack will rise, and the pattern will repeat. Why? Because with so many new and shiny technologies to choose from, the IT security basics just aren’t exciting.
Cybersecurity Trend Predictions for the Next Five Years
1. The Big One
Whether the “Big One” is an earthquake, war, or other natural or man-made disaster, the information technology community is ill-prepared for a massive, prolonged outage.
As employees continue to work from home, and our dependency on interconnectivity grows, a massive outage or data loss would be akin to a watershed moment for technology. We are setting ourselves up for this type of cataclysm in the next five years.
Whether the consequence of a cyberattack, a pandemic, or a climate change-induced natural disaster, the world will experience its first long-term Internet outage. Few will be truly prepared.
2. Digital Death & Resurrection
There is no argument—we live in a digital world. More and more resources reside on the Internet, including our photos, memories, and special events.
Unfortunately, humans are mortal. When we die, many of these resources are orphaned and unmanaged. Friends and family members may not even know the passwords to retrieve this priceless information.
In the next five years, expect to see new businesses emerge that can access and preserve a person’s digital presence after death. The services will include basic archive and retrieval, and the ability to download content in a consumable format (printed photos, slide shows, music videos, etc.) as a memorial to the deceased loved one.
3. IoT, the New ‘Space Junk’
Many assume 5G and IoT devices are secure by default. The reality is that these endpoints are often plagued by issues such as default credentials, unpatched software, or hardware vulnerabilities as manufacturers seek to churn out low-cost devices at scale.
An emerging problem over the coming years will be how these legacy IoT devices are maintained and supported. Much like space debris causes issues for new satellites, abandoned IoT projects and unsupported systems will provide ideal targets for attackers. Once the attacker has a foothold, they can build distributed infrastructure to harvest data or launch highly distributed attacks, which can be amplified by faster 5G connectivity.
What happens when your smart building is EoL’d? Who deals with a fridge that has an unpatched exploit? What is the SLA for your lightbulb?
4. Connectivity Free Zones
While service providers strive to bring connectivity to the far reaches of the globe, expect increased pushback (a minor revolt) from some communities and regions that reject always-connected technology. Some of these communities may already be chafing at the recent increase of digital nomads now working remotely from these far-flung locations that were once largely untouched by digital workforces.
In response to the unwanted changes and the infringement on their longstanding local way of life, “connectivity free zones” will materialize that are intentionally void of cellular and Wi-Fi technology. In some instances, these areas may even apply technology such as jammers to force users in the zone to disconnect. These zones may appear in national parks, movie theaters, places of worship, etc. where too much connectivity is detracting from the intended experience of the local environment.
5. The Future is… finally… Passwordless?
This prediction has been with us since the dawn of cybersecurity predictions. There is nearly universal consensus: passwords are generally terrible things. Humans are not wired to generate and remember unique and complex combinations of characters that don’t resemble any spoken language.
Over the years, we’ve watched awkward attempts to shuffle the problem around. More recently, “passwordless” seems to finally be gaining traction.
Authenticator apps, Windows Hello, and SSO solutions are all reducing the need for passwords. Recently, Microsoft has allowed users to go passwordless by using their Authenticator app.
With fewer access points gated by passwords, attackers will increasingly focus on exploiting users and apps to gain access to data and privileges.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition, where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.