Why cyber-risk mitigation should be top priority for every organization

Washington-based Anthony J. Ferrante, Global Head of Cybersecurity at FTI Consulting, outlines his top 10 cybersecurity predictions for 2022.

The evolutionary nature of cyberattacks is well known. Cyber actors continually improve on already sophisticated techniques and keeping pace is a never-ending challenge.

With a threat landscape that has never been as vast or dispersed due to a hybrid workforce, cyber-risk mitigation should be the top priority for every organization across the globe.

Based on how quickly things change, predicting what is to come is difficult, but assessing what has already occurred can be a helpful indicator for preparations. Here are 10 predictions that the global FTI Cybersecurity team expects to see in 2022.

1. Regulatory hammers will fall

• Background: Cybersecurity-focused regulation, specific to government agencies and their related entities, was a focus in 2021. In October, the Department of Justice announced the Civil Cyber-Fraud Initiative, which will ‘utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.’ A month later, the Biden Administration issued a mandate requiring ‘federal agencies patch hundreds of cybersecurity vulnerabilities that are considered major risks for damaging intrusions into government computer systems.’

• Prediction: Between the increase in regulation and public demand for organizations to do all they can to protect sensitive user information, expectations for proper cybersecurity measures to be implemented are high. The private industry tends to follow suit with actions and guidelines established by the government, so it’s safe to assume that similar basic cybersecurity requirements, at a minimum, will expand beyond the public sphere and organizations will face consequences for failing to comply.

2. Critical infrastructure will remain a significant target

• Background: The consequences of the critical infrastructure sector suffering a cybersecurity incident are so dire that the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), release periodic reminders to stay vigilant. The complex nature and connectedness of digital and physical assets in critical infrastructure, combined with reliance on legacy equipment, make proper cyber-risk mitigation co-ordination a challenging task.

• Prediction: The proliferation of Internet of Things (IoT) devices within the operational technology (OT) space is growing rapidly, and the efficiency they provide is often prioritized over security. This afterthought mentality carries significant implications for sectors where IoT devices have been widely deployed, such as healthcare and the electrical grid. Cyber actors are well aware of the vulnerabilities and until protecting this industry is prioritized, it will continue to be targeted.

3. Third-party cyber-risk will be the biggest problem organizations face

• Background: At the end of 2020, US federal agencies and high-profile companies were hit with a major advanced persistent threat cyberattack. The breach occurred via a compromised and weaponized version of a software update from a connected third party. This type of prolific and widespread attack created a roadmap for other cyber actors to replicate in future malicious campaigns.

• Prediction: The increased reliance of organizations outsourcing to vendors as a result of a remote workforce has extrapolated an already prevalent threat in third-party cyber-risk. With more access points for cyber actors to exploit, and organizations unsure how to manage and protect their entire digital ecosystem, cyber actors will continue to use connected parties as access to their main target.

4. Data ethics will play a prominent role in organizational strategy

• Background: As consumers request to further understand how their personal information is used, stored, and shared, organizations are making efforts to adequately respond, especially around biometrics, such as facial recognition technology. This is especially true for organizations interested in implementing and leveraging Artificial Intelligence.

• Prediction: The ethics surrounding personal information and data will play a major role in the viability of organizations in 2022. Those who make protecting this information a priority will be viewed favorably, while those who choose to do the opposite will remain at risk to damaging cyberattacks, as well as consumers choosing to take their business elsewhere.

5. Sophisticated and targeted mobile malware attacks will become more common

• Background: Pegasus spyware made major headlines in 2021, as it was used to collect information on individuals without their knowledge or consent. The revelation that high-profile individuals, journalists, and human rights activists were specifically targeted by nation-state actors using sophisticated mobile malware was eye-opening and cause for alarm.

• Prediction: These types of cyberattacks will become more prevalent and widespread as similar perpetrators continue to refine and evolve their capabilities to evade detection. Knowing that surveillance can be conducted without interaction from the target will lead to nation-state actors further relying on these types of tools to gather valuable intelligence and influence strategic objectives in their favor.

6. Nation-states will access a digital passport or tracing app database

• Background: Depending on the country, everyday tasks, like entering a grocery store, may require displaying proof of receiving the COVID-19 vaccine through an approved app. Other jurisdictions mandate opting into location tracking on mobile devices so that tracing infected individuals is made possible. Both scenarios present situations where sensitive information is captured and stored.

• Prediction: COVID-19 has created plausibly justifiable ways to track people and collect information about them. The nature of this information, vaccination status and location data points, is valuable to nation-states who can use it for blackmail or leverage at a later date. Apps and their databases are often spun up quickly, especially in this instance, without considering the cybersecurity risks or data protection threats, and subsequently, a nation-state will breach a database as a result.

7. Cryptocurrency will face increased oversight

• Background: The FBI released an announcement in November 2021 warning of ‘fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to facilitate payment.’ A lack of federal regulation regarding cryptocurrency transactions has led to state-specific laws with varying levels of requirements and calls for uniform legislation to mitigate the spread of cybercrime.

• Prediction: As cryptocurrency companies become more mainstream and established, cyberattacks targeted at these entities will increase. The combination of cryptocurrency ATMs becoming more popular and the anonymous nature of transactions many states permit will fuel the success of cyber actors. In response, regulation regarding cybersecurity, Know Your Customer standards, anti-money laundering, and fraud can be expected to increase.

8. Soft targets will be heavily attacked

• Background: Soft targets, like schools, are organizations that notoriously have weak security protections in place for reasons like lack of skilled staff and budget. There was a record number of cyberattacks against schools in 2020, perpetuated by a shift to virtual learning, accompanied by additional entry points for cyber actors to exploit. These attacks came in various forms, from ‘ransomware attacks, class interruptions on virtual learning platforms, phishing emails and identity theft.’

• Prediction: Due to cybersecurity protections of soft targets being largely unsophisticated and also lacking resources required to identify and mitigate threats, cyber actors will continue targeting these groups. The low infiltration cost and ease of entry against weak defenses suggest that cyber actors will attack soft targets and turn their sights to more profitable campaigns, such as ransomware or theft of sensitive information.

9. More cyberattacks will be executed via commoditized devices

• Background: There are an estimated 13.8 billion IoT devices in use worldwide, a number that is predicted to surpass 30 billion by 2025. This includes products like smart thermostats and smart refrigerators, which are becoming more commonplace. The influx of IoT manufacturing means these devices are becoming more accessible and cheaper to acquire.

• Prediction: Cyber actors are skilled at analyzing a situation and determining how it can be exploited to their advantage. Regarding commoditized devices, there are endless options for cyber actors to infiltrate and compromise. In 2022, cyberattacks leveraging these connected products, ranging from accessing sensitive information stored on a home network, to spying on targeted individuals, will increase.

10. Cyberattacks will enter the final frontier

• Background: There are roughly 7,500 active satellites orbiting Earth. Similarly to operational technology, satellites are often viewed as being ‘unplugged’ from the Internet and considered protected from cyberattacks. However, access has changed since many of the satellites were launched.

• Prediction: IoT devices are more commonly being used to communicate with satellites. As previously mentioned, these devices create entry points that cyber actors can exploit and then establish a foothold, escalate privileges, and ultimately gain control of the satellite. This is a common attack progression, and it can be expected that cyber actors will replicate this technique with devices not previously considered, like satellites, in 2022.