By Jamie Wilson, Founder and Managing Director of Cryptoloc
In this article:
- Rules and regulations are coming
- Cybersecurity will be treated as a company-wide responsibility
- Cybercriminals are becoming more professional, and more predatory
- Supply chain attacks are set to escalate
- Cyber insurance will become harder to obtain
In 2021, no sector of the Australian economy was safe from cybercrime. From government agencies to family businesses, and every type of organisation in between, it’s been one of the worst years on record – so it’s important to stay ahead of the curve and be aware of what’s coming down the pipeline in 2022.
The explosion in remote work and the accelerated pace of digitalisation have opened plenty of doors for cybercriminals to walk through. The Australian Cyber Security Centre (ACSC) received a report of a cyber attack once every eight minutes over the 2020-21 financial year, up from once every 10 minutes the previous year, and unfortunately, those attacks will probably only become more frequent in the new year.
But when it comes to cybercrime, a little planning and preparation go a long way – so here are the trends your organisation should be focused on in 2022.
Rules and regulations are coming
One of the reasons that cybercriminals have been able to operate with virtual impunity is that they’ve felt secure in the knowledge that technology has always been a step ahead of regulators.
But with the total economic impact of cybercrime estimated at $3.5 billion in Australia alone, and $1 trillion worldwide, the law is finally catching up to the threat these criminals pose – and in 2022, we can expect to see much greater regulatory pressure to address the risk of cybercrime.
We’ve already seen legislation for consumer privacy pick up steam, beginning with the EU’s General Data Protection Regulation (GDPR) and followed by Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). It’s a sure thing that jurisdictions around the world – at a national level, but also at a state and local government level – will continue to pass legislation along these lines.
But that’s just the beginning. In Australia, we’ve seen the recent introduction of emergency laws that require the operators of ‘critical infrastructure’ to report cyber attacks to the Australian Signals Directorate (ASD) as they happen. The laws give the ASD the power to plug into the networks of these organisations to help them fend off attacks.
Those laws were just a prelude to a second bill, expected to be introduced in 2022, that will impose positive security obligations on businesses, requiring them to develop risk management plans and reach certain cybersecurity standards. Under these laws, company directors could be made personally liable for cyber attacks.
I expect we’ll also see the Government move to make the payment of ransomware illegal – Labor has already introduced a bill that would require ransomware victims to disclose whenever they make a payment, and my sense is that both sides of the aisle are keen to disincentivise and defund hackers by criminalising payments altogether. (Whether or not this would actually help victims is a more complicated question.)
In their totality, these laws could make the regulatory landscape more confusing and/or costly for organisations that aren’t prepared for them. But they should also have the effect of raising the cybersecurity floor, and setting a new standard that, quite frankly, most organisations should be meeting already.
In much the same way that tougher legal obligations made workplace health and safety a top priority for employers, we’ll see businesses lift their game when it comes to cybersecurity, and start taking their stewardship of data more seriously in order to comply with new rules and regulations.
Cybersecurity will be treated as a company-wide responsibility
I was recently speaking to the CEO of a large organisation with 10,000 employees. I asked him how many people were in his cybersecurity team – ‘10,000’, he responded, without missing a beat.
That’s the attitude every employer should have moving forward. Cybersecurity awareness and training for all staff will be absolutely crucial – because while not everyone on your team needs to be an IT professional or a cybersecurity specialist, everyone will need to be regularly briefed on the latest techniques being utilised by cybercriminals, and be aware of best practices.
Businesses have never been more at risk, and the widening of attack surfaces that’s resulted from the COVID-19 pandemic is a major factor. With more employees using more of their own devices, it’s harder than ever to secure the perimeter.
IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches are 17.5 per cent more costly where remote work is a factor, and that organisations that have more than half of their workforce working remotely take 58 days longer to identify and contain breaches, on average.
That’s why every member of your team will need to be trained to make their connection more secure, and made aware of the importance of updating passwords and patches, avoiding public networks, backing up data regularly, and recognising the signs of social engineering scams like phishing emails.
It’s always been the case that when it comes to cybersecurity, your people have the potential to be your biggest weakness – because if they can be tricked into granting access to an intruder, all the perimeter security and monitoring in the world won’t be able to protect your system from being compromised.
But now, with the ever-increasing interconnectivity and borderless nature of the modern workplace, it’s more important than ever that every link in your chain is as strong as it can be.
Cybercriminals are becoming more professional, and more predatory
It’s no secret that ransomware is on the rise. In June 2021, the Director-General of the Australian Signals Directorate told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per cent increase in ransomware attacks on Australian businesses over the previous 12 months.
What’s less understood is the fact that the organisations behind these attacks are becoming increasingly sophisticated. Rather than operating as lone wolves, hackers have developed cyber cartels that operate much like the mafia, collaborating as affiliates to pool resources, pass on stolen data, and exploit security vulnerabilities within hours of their disclosure.
The tradecraft of ransomware is evolving at a rapid rate. In 2020, ransomware group REvil popularised the tactic known as double extortion, which not only requires organisations to pay a ransom to unlock their files, but also requires them to pay an additional ransom to prevent those files being leaked.
The double extortion tactic quickly became ubiquitous, and has now evolved into triple extortion, in which ransom demands are also directed at a victim’s clients or suppliers – a method we expect to see plenty of in 2022. In effect, ransomware has become less of a singular attack, and more of a series of rolling demands springing forth from the initial intrusion.
Cyber cartels have also begun offering ransomware-as-a-service (RaaS) to would-be cybercriminals lacking the expertise to pull off attacks on their own, even going so far as to provide them with 24/7 technical support, in return for a slice of the unskilled attacker’s profits. This has effectively lowered the barrier to entry to the ‘industry’ – and the more cybercriminals are active, the greater the chance that your organisation may be targeted.
A major factor in the increasing complexity and professionalisation of these cartels is that many of them operate freely within nation states that are willing to turn a blind eye to their activities, and even provide them with tacit support.
These ‘contract hackers’ are carrying out state-sponsored activities, while at the same time extorting businesses for their own financial gain. In 2021, the United States took the unprecedented step of naming and shaming the Chinese government as the benefactors of the hackers responsible for the Microsoft Exchange attack – but the cyber cold war has only gotten hotter since then, and you can expect more high-profile breaches and raids on hospitals, universities and state-owned utilities in 2022.
Supply chain attacks are set to escalate
It’s one thing to ensure your own organisation is secure. But in 2022, we can expect to see attacks on supply chains – including widely used software products and services – expand in scope and frequency.
In 2021, the high-profile Solar Winds and Kaseya hacks helped to popularise this attack vector. Closer to home, a recent attack on external payroll software provider Frontier Software enabled hackers to access the records of up to 80,000 South Australian government employees, including their names, dates of birth, tax file numbers, home addresses, bank account details, remuneration and superannuation contributions. The records, which were stolen and published on the dark web, may even have included Premier Steven Marshall’s details.
The PWC 2022 Global Digital Trust Insights Survey, which polled 3,602 high-ranking business, technology, and security executives around the world, found that 56 per cent of respondents are expecting a rise in breaches via their software supply chain in 2022.
The advantage of this approach, from an attacker’s point of view, is that they can compromise a large number of organisations in one hit, making the potential reward for a successful attack quite significant. The downside for you is that your organisation might be one of those affected, even if you may never have previously been on the attacker’s radar.
Given the high risk of collateral damage if a supplier falls victim to an attack, it will be up to organisations to closely scrutinise the security credentials and protocols of the third-party vendors they entrust with access to their data.
Cyber insurance will become harder to obtain
Given the increasing frequency of cyber attacks, and the losses that organisations stand to incur if their data is compromised, it makes sense that cyber insurance has become highly sought after.
The problem is that most insurers never had any real risk matrix for cybercrime, and therefore no real sense of what they’d be left paying out. As ransomware has gone through the roof, they’ve been left scrambling to put limits on the coverage they’re willing to offer.
Cyber insurance premiums for Australian businesses have shot up by up to 30 per cent, and are expected to keep rising in 2022. Some insurers are refusing to take on new clients, or capping their coverage at about half of what they used to offer.
To obtain coverage at reasonable rates in 2022 and beyond, organisations will need to be able to demonstrate that they meet strict cybersecurity standards and are following best practices, which may include providing cyber security education for all employees, using multi-factor authentication, implementing zero trust policies, securely backing up and encrypting their data, and having data breach incident response plans in place.
Of course, my stance is that cyber insurance should only be used as a last resort, and that organisations should have these policies and practices in place anyway – because if there’s one thing we know for sure about cyber security in 2022, it’s that cyber criminals aren’t going to take the next year off, so you can’t afford to, either.
With its unique three-key encryption technology, Cryptoloc is the most secure way to store, share and transfer data. To show you take cyber security seriously, visit cryptoloc.com.