At the end of each year, research analysts, security pundits, and security product vendors look in their crystal balls and make predictions for the coming year about what’s going to be hot and what’s not.
In this post, The Reformed Analyst’s last for 2022, we will look in the rearview mirror at the top predictions from a year ago and review what kept cyber professionals up at night and what registered as barely a blip.
The end-of-year predictions posts are upon us! Every December, as we close out the calendar year, entire industries take advantage of the media opportunity to share their thoughts on the future of X. Perhaps it’s a desire to overcome the bleakness of an ending with hopefulness about the coming 12 months. Or maybe it’s the tradition of New Year’s resolutions spilling over into the corporate world: What can I do better? What can our industry do better? What shall we steel ourselves for? After all, an ounce of prevention is worth a pound of cure. And in cybersecurity, at least, there are plenty of problems for which we (perpetually) need to prepare. (In fact, that may be the most important non-trend of all time.)
If we want to take a step back and look at what was predicted to be “hot” in cybersecurity for 2022, a few themes emerge. As previously mentioned, predictions posts are plentiful, and many predictors like to include a unique twist—just to see if they can come up with something new and different. However, this is an end-of-year newsletter, so you don’t need to read 2,000 words right now. You have budgets to plan, sales to close, and products to put into production. As such, I’ve kept it to a shortlist.
Attack surface expansion
In a sense, the “top topics” listed below could all be bubbled up to “attack surface expansion.” The growth in organizations’ attack surfaces is due to many things, chiefly, an increase in the number and type of digital assets in the business ecosystem and the persistence of vulnerabilities related to those assets.
Constant digital transformation has forced myriad new devices, new capabilities, and new ways of working. It has resulted in fluctuating access methods and requirements, plus an increase in the amount of data being produced, manipulated, and shared between users and systems. All of this adds up to increased risk. However, getting a handle on the bloat is a constant challenge that isn’t ameliorated by the *reams* of skilled staff in the workforce or *trustworthy tooling* available for purchase. [Written with the utmost sarcasm.]
It’s no surprise to see “attack surface expansion” on so many lists for 2022.
Year end conclusion: Attack surface management wasn’t just a trend; it’s an important area that will continue to dominate headlines throughout 2023.
Supply chain attacks
The supply chain is a constant source of amusement for cyber criminals. Given the interconnectedness of all-things-digital running organizations’ daily operations, the potential for large-scale compromise is too tempting to ignore. Supply chain attacks, also known as third-party or value-chain attacks, target weaknesses (including those in highly distributed software) that proffer an easier way to compromise a victim than a direct attack would.
The Target breach, Log4j exploit, and SolarWinds attack (all pre-2022 attacks) are three of the most well-known software-based supply chain attacks. And though software is a fairly reliable delivery mechanism given its distribution model, and thus a prime vehicle for malfeasance, hardware is not immune. Unlike an attack on software, a cyber attack on hardware would require physical access, so it is more precarious to execute. Nonetheless, it is more than feasible that a nefarious actor could tamper with hardware components that are then inserted into other devices, or that the firmware that runs on the hardware could be intentionally infected by bad actors.
Given the opportunity for widespread damage, the plethora of possibilities for supply chain poisoning, and the proximity of the disclosure of SolarWinds, it’s also not unexpected that supply chain attacks would land on “top trends” lists for the last year.
Year end conclusion: We’ve yet to see the year-end results, but research suggests that 80% of organizations have been notified of a vulnerability or attack on their supply chain in the last year. Will this trend continue? Most likely.
“Anywhere Work” risks
BYOD made its workplace splash more than a decade ago. Still, there has been nothing like the global pandemic to introduce new, personal, and unmanaged devices and device types into the corporate digital ecosystem. Complicating device security and governance even further is the inconsistency created by this new working situation. First, wholesale remote work, and now hybrid work, have introduced complexity and expected abnormality into baselines. It’s now harder than ever to understand what “normal” looks like in the computing environment. Gone are the days of predictable access needs. Gone is the ease of placing endpoint agents on managed and on-prem devices. Gone is control over corporate-owned or managed applications.
Moving into 2022, with the health crisis starting to wane just a little bit, employees demonstrated that they won’t be forced back into the office 9-5. They expressed that they wanted flexibility and greater control over their work-life balance. They wanted to continue working from wherever was efficient, with the tools that were efficient, on the devices that offered efficiencies, and at the times that were efficient for their personal lives.
As we ushered in 2022, we started hearing rumblings that organizations that try to force employees back into the office were going to lose talent. Quickly. And we saw that prediction play out in the last 12 months. According to an Owl Labs study, “If the ability to work from home was taken away, two-thirds (66%) of workers would immediately start looking for a job that offered flexibility, and 39% would simply quit.”
Year end conclusion: It wasn’t a huge stretch to see this trend coming, and we also expect more of the same in 2023.
Ransomware
A favorite attack tactic over the past several years, ransomware has shown no signs of abating. Analysts and pundits predicted an increase in reported ransomware in 2022, and the market didn’t disappoint.
Was this prediction divine inspiration or just a logical look at history and the availability of tempting vulnerabilities? I think we can all take a good guess at the answer.
In any event, the ease with which ransomware attacks are executed, and the payloads they produce, made them a no-brainer trend. We still have one big month to play out to see where the numbers fall for 2022, but with online shopping season upon us, anyone wanna take a guess?
Year end conclusion: Toward the middle of 2022, there was a dip in reported ransomware, showing signs that attackers might be looking for the next big kill. Will ransomware lose favor to new trends? Probably not; it’s too lucrative. However, if companies can get a better handle on endpoint controls and security awareness, the numbers could dip in 2023.
Staffing
Also predictably, a popular prediction for 2022 was the staffing shortage plaguing the security industry. At last tally, nearly 4 million IT jobs are currently open in the US alone. If you expand that number to include the EU, the Foundation for European Progressive Studies estimates that, by 2030, the EU will have a shortage of 8 million IT workers. Of course, any security practitioner worth their salt will say, “IT does not equal security!!” But let’s not forget that our IT colleagues and non-security titles are some of our best friends when it comes to architecting systems, enforcing policies, and evaluating systems, users, and vulnerabilities.
Those numbers have continuously climbed over the last several years, so staffing issues were an obvious pick for “top trend” in 2022.
Year end conclusion: There is little doubt that cybersecurity is a growth area. And this is great news! We won’t see the need for talent wane anytime soon. That said, if security practitioners can allow automation of low-level tasks to be clawed away from their death grips, we might see more of a balance restored in terms of staffing pressure.
Now what?
It’s the end of the year so the trends and predictions reports are coming fast and furious. Two such articles/reports/blogs landed in my inbox just this morning. I expect at least two more tomorrow. By the time you read this “trends” report, you’ll probably be feeling as queasy as if you’d drunk three cups of eggnog followed by nibbling a stack of gingerbread cookies.
So what? Do I just give you more predictions or trends that are coming at us like a freight train? I could. Do I think we’re going to see more of the same? I do. I also think we’re going to have to add even more cloud security concerns, data security concerns, API security concerns, etc. to the list. Based on my day job, it would be irresponsible of me to not point out that businesses will need even more vigilance reining in their ever-expanding attack surfaces.
But you’ve likely read a ton of these articles/blogs/proclamations already. So instead, I am going to highlight a few of my security friends and their not-so-serious and/or serious-but-snarky predictions and trends for 2023.
This is an end-of-year post. Have some fun with it! And leave it to the 2,023 other posts and trends to be more serious.
Adrian Sanabria, Dir. of Product Management, Tenchi Security; Host, Enterprise Security Weekly
General-purpose AI tools like OpenAI's GPT3 will prove much more impactful to security teams than purpose-built AI/ML from security vendors.
Amélie Erin Koran, Director, External Technology Relations, Electronic Arts
The Data Lakehouse trend will end more like Jason and Crystal Lake than Henry Fonda and On Golden Pond… all the movement of data between tools that are glued together, and the lack of maturity and major upsells on cost savings from moves, will be worse than a bunch of open S3 buckets.
Rafal Los, Head of Services Strategy & GTM, ExtraHop
More security tools that were developed and designed for physical infrastructure will be “re-imagined” and subsequently re-named as “cloud native security,” and analyst firms will perpetuate the insanity by creating entirely new categories for these cloud-washed tools—which may or may not actually add value in the cloud model. Security analysts will get more “single panes of glass” to stare at that will push even more alerts, leading to even greater fatigue and burn out, to the point where everyone quits and we’re all replaced by AI.
Tim Krabec, Principal Information Security Architect
We will make security job requirements more stringent so we can continue to complain that the gap for cyber talent is non-existent. Every mid- to high-level candidate will be forced to hold two PhDs and have a minimum of twenty-two years of experience. For junior roles, applicants will need to have earned a CISSP in advance. All security staff will work onsite, in a physical office in Silicon Valley, for a starting annual salary of $22,000 USD and a 2% bonus and 86-hour work weeks.
Excellent. Predictions as risks in the cyber security space will grow as technology and services also expand. One area prediction I did not see was the movement towards digital currencies by many countries including the U.S.