ROUNDTABLE: What happened in privacy and cybersecurity in 2021 — and what’s coming in 2022

In 2021, we endured the fallout of a seemingly endless parade of privacy controversies and milestone cyber attacks.

Related: The dire need to security-proof APIs

The Solar Winds hack demonstrated supply chain exposures; the attempted poisoning of a Tampa suburb’s water supply highlighted public utilities at risk; and the Colonial Winds ransomware attack signaled cyber extortionist rings continuing to run rampant.

On the privacy front, California beefed up its consumer data privacy regulations even as Facebook and Apple publicly feuded over how each of these tech giants abuse of consumer privacy and loosey handle sensitive data.

Meanwhile, President Biden issued a cybersecurity executive order finally putting the federal government’s regulatory stamp on foundational cyber hygiene practices many organizations should have already been doing, yet continue to gift short shrift.

Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021– and any guidance they might have to offer heading into 2022. More than two dozen experts participated. This is the second of two roundups (click here to view the first roundup) highlighting what they had to say. Comments edited for clarity and length.

Maor Bin, CEO, Adaptive Shield

Many companies are failing to adequately address the security risks of GitHub, Office 365, Salesforce, Slack, SuccessFactors, Zoom and many more SaaS app. Security teams are tasked with ensuring security configurations for each app are set correctly, yet no two are the same.

Businesses must consider new approaches to protecting data stored in SaaS apps. The answer for many is SaaS Security Posture Management (SSPM.), These tools monitor security settings to ensure correct configuration and can automatically spotlight misconfigurations. The door can then be closed to potential exposures.

Patricia Thaine, CEO, Private AI

More demand is being placed upon developers to figure out how to comply with data protection and cybersecurity regulations, with few tools in their arsenal to do so reliably. Many developers still rely on regular expressions to discover personal information and remove it from very messy text.

As developers’ data protection education advances, and as more data leaks and privacy violations occur due to faulty internal systems, we will start to see a growing understanding that, just like cryptography, most people should not be building their own privacy technologies.

Erkang Zheng, CEO, JupiterOne

Seemingly every state and country has started coming out with their own unique privacy regulations. It’s a mess from a security standpoint because there is no uniform standard. New rules create complexity and introduce vulnerabilities and security risks. We need to see greater simplification on the process side, driven by more unified regulations.

One clear trend we will continue to see is the continuing rise of the resource and skill shortage. Organizations will need to reform their image, culture, and mindset to attract new talent and give those people new opportunities on the job.

Barry Hensley, SVP, Secureworks

The ransomware-as-a-service model has lowered the barrier to entry and helped ransomware groups rapidly scale their activities. Fortunately, ransomware attacks can be mitigated  with a full understanding of your attack surface, along with good security basics.

The faster organizations understand their exposures,  the better the  chances of preventing any attack from escalating. Companies need to get the basics right: implement multi-factor authentication, lock down Internet systems and remote access solutions. And then, ensure you have full visibility of your entire environment, not just endpoints

Casey Ellis, CTO, Bugcrowd

In 2021, Lloyd’s of London adjusted their policies to not pay ransom costs anymore, likely because their actuaries told them it was irrational to insure against a problem we’re not very good at preventing. That step will likely signal big changes coming for the insurance, fintech, and security industries in the year ahead and beyond.

Ransomware has been working well for the bad guys for quite some time now. Hopefully providers will be forced to innovate and develop a new category of security solutions to disrupt the economics of ransomware.

Jasmine Noel, product marketing, ReversingLabs

SolarWinds brought mainstream awareness to the fact that threat actors are attacking the software supply chain by exploiting the gaps in AppSec solutions, which cannot inspect installation binaries for malicious behavior.

Mitigating these threats requires an automated static file analysis process where components embedded within the software are extracted and enumerated into the software bill of materials (SBOM.) Businesses must then inspect for quality issues and policy violations which, when found, can be scored and assigned a grade that represents the overall quality of the software package.

Doug Dooley, COO, Data Theorem

Automated hacker toolkits will become popular in 2022 because IT security teams can use them to breach their own systems and then discover any exploitable vulnerabilities. This new approach will build trust and credibility between SecOps and DevOps teams.

SecOps should focus on activities that could substantially damage a brand and lower the stock price; this focus on exploitable vulnerabilities will then start to have a higher business priority. Security teams do a lot to filter out the noise and help business leaders focus on what matters in the coming year.

Tony Pepper, CEO, Egress

Security teams are realizing that training isn’t enough. The focus needs to shift to de-risking behaviors by using technology as a  safety net for employees as they carry out their work.

In 2022, we’ll see an inevitable continuation of attacks that have plagued businesses for years. Ransomware, phishing and social engineering attacks will all continue to increase. In response, we’ll see a renewed focus on preventing ransomware – and since over 90 percent of malware is delivered via email, organizations will ramp up their anti-phishing defense

Chris Olson, CEO, The Media Trust

The most malicious source code throughout the digital ecosystem is coming from everyday content we engage with through websites and apps – and we do not have that locked down.

In 2022, organizations will begin to defend themselves in earnest and understand their impact on the digital ecosystem. They can no longer put their head in the sand . . . and those who get ahead of it by monitoring ALL code on their websites and apps will be the clear winners – in revenue, reputation, and brand loyalty.

Ronnie Tokazowski,  Principal Threat Advisor, Cofense 

Business Email Compromise (BEC) as accounted for over $500 billion in losses.  If we continue to ignore BEC fraud, the problem will continue to get  worse, just as it has every year for the last 20 years.

Meanwhile, until further negotiations are made with foreign adversaries, ransomware will continue to rise, as well, as will fraud against government relief programs —  just as we’ve seen over the last two years.

Edward Roberts, VP, marketing, Neosec

As the world has adopted the use of APIs to create more revenue streams, the focus on protecting them is going to be vital. APIs power the world’s economy and contain the crown jewels of business data for many organizations.

In 2022 we’re going to see the rise of API abuse. Most B2B partners assume API machine calls are authenticated and safe. But today, the majority of Internet traffic is based, not within APIs in websites or mobile apps, but within business-to-business APIs that are largely undefended. Ignoring API protection has become perilous.

Nikhil Handigol, Co-founder, Forward Networks

IT and security teams need a shared single source of truth to work from. Effectively collaborating while being geographically distanced is going to continue to be a major challenge.

Technology can help teams collaborate, align their work, and share information without giving up control over their domain. Leadership should think about how to create processes and incentives that make collaboration natural, attractivev – and secure. Doing more of the same will not get you different results.

Tom Hickman, Chief Product Officer, ThreatX

In 2022, targets will change. Attackers will begin paying more attention to smaller organizations and demanding much smaller sums of ransom, think $2,000. This will enable attackers to avoid encounters with law enforcement and risk of going to jail.

Large-scale ransomware attacks won’t go away. But there will be many more smaller transaction attacks that won’t be worth law enforcement’s attention. For criminal enterprises, this is a true market opportunity — and we think attackers will move into that space.  Kind of like micro-payments for ransomware.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/roundtable-what-happened-in-privacy-and-cybersecurity-in-2021-and-whats-coming-in-2022/