This time of year is traditionally for either looking back at the previous year or looking forward to the year ahead. While there have been great advances over the years with respect to information security tools, technologies, training and awareness, significant challenges remain. What follows are my estimates of the top information security challenges for 2022. Please note that I could probably have written the same challenges for 2021, 2019, 2001 and perhaps even 1973. Some of these issues are perennial, some are new. And, since I am a lawyer, some of these challenges are specific to security-focused lawyers rather than technical challenges which might be faced by CISOs.
10. Document Retention Policies
People often forget that digital security is, first and foremost, about information management. It’s all about the data—not the hardware, not the software. At the end of the day, the goal of data security is to ensure that the right information gets to the right people (with integrity) and that it does not go anywhere else.
To a great extent, this means doing things that are very, very hard to do. It means mapping data flows (not networks): knowing what data is located where, where it is supposed to go and where it is backed up and stored. It also means knowing how the data flows through the system; where it passes through, what networks and devices it flows through and how it is stored (permanently and temporarily). One problem is that much of the data created (think email) may be stored or transmitted on or through third parties, or may be sent to third parties which may themselves retransmit the data or incorporate it into other data streams. Sounds like fun, no?
After mapping the data flows, the next step is to classify the data. What’s secret, what’s confidential, what’s public? What data is critical from a confidentiality standpoint (what would happen to the enterprise or third parties if the data were released)? What data is critical from the standpoint of data integrity (e.g., financial disclosures)? What data is critical from the standpoint of availability (e.g., that implanted pacemaker)? That’s just data classification from a data security standpoint. The data also then has to be classified from a data retention and data destruction standpoint. How long do you have to keep it? How do you have to keep it? Where do you have to keep it? Can the data be exported? Can it be deleted? Must the data be “wiped” rather than deleted? And, once again—if the data is to be deleted, do we know where it is?
These issues are really hard because of, well, humans. People tend to want to keep data. They tend to want to keep it handy. Which means moving it from place to place—copying it to thumb drives, loading it onto mobile devices and emailing it to themselves. Humans are also lazy. There’s little apparent utility in spending hours going through documents and emails and “classifying” them. So we end up with a huge pile of data that we never classify and never delete. Or more accurately, many huge piles of data. We have no good tools to automatically classify data and automatically delete it. And if we did have such tools, of course, they would also be powerful tools for hackers and fraudsters. So, that’s a challenge right there.
9. Cyberinsurance
Cyberinsurance has been around—in one form or another—for more than thirty years (although most carriers don’t know that). With the increase in “successful” ransomware and extortionate attacks (and claims related to them), carriers have responded by being more selective in who and what they cover, by requiring prospective insureds to take certain actions as a precondition of coverage, by raising premiums and by excluding certain losses from coverage. They have also responded by taking a narrow and defensive position with respect to claims—rejecting, for example, claims related to files “damaged” by ransomware as not truly being “damaged.” In addition, insurance companies have forged relationships with digital forensics and investigation firms, as well as cyberlaw firms, to provide “one-stop shopping” for risk reduction, risk mitigation, risk transfer and incident response. The challenge for 2022 (as in the past) is to ensure that the insurance itself and the insurance market are poised to meet the actual threats and challenges posed by the digital marketplace. Fraudulent wire transfers, supply chain interference, third-party liabilities, business reputation management and loss of cryptocurrency are all new threats (well, some are) for which most entities’ insurance policies may be inadequate. Additionally, with the increase in the price of cyberinsurance, many small and mid-sized businesses are being priced out of the marketplace. Finally, the current commercial cyberinsurance marketplace may be inadequate to meet two related problems—systemic supply chain (third party) claims, and claims related to state-sponsored cyberattacks. It may be time for a government (or multiple governments) to step in to ensure that cyberinsurance policies are reasonably comprehensive and are reasonably affordable. Or maybe not. But it’s still a challenge.
8. Ransomware
Ransomware remains a significant challenge for companies, not simply because it has become ubiquitous, but also because of the significant impact a single ransomware attack may have on a company and every other company or customer that relies on that company. Unlike previous types of “hacks” where data is stolen and then exploited or sold, ransomware and extortionware rely on payment by the victims themselves. Instead of having to steal data and then find a buyer for that data, a threat actor can sell the data (or mere access to that data) to an already-willing buyer—the victim themselves. Easy peasy lemon squeezy. With the ubiquity of anonymous payment processes through cryptocurrency, a threat actor may target a particular company, industry, computer or database, or may simply go after targets of opportunity. The defenses against ransomware—whether they are intrusion prevention, network segmentation, data backup and restoration or advanced incident response (including payment)—are complex and not comprehensive. A classic setup for a disaster.
7. Supply Chain
For these purposes, I take a very expansive definition of “supply chain.” For my purposes, a company’s supply chain is anything upon which the company depends for critical data, processes or services. Software can have an associated supply chain. Firmware, too. Hardware is part of a supply chain. Services are part of the supply chain. People are included. When we talk generically of “supply chain security” or “supply chain resilience” (a better concept), we are really talking about examining all of our dependencies and interdependencies (including who is dependent upon us) and asking hard questions like, “How do we know the provenance of that product or service?” and “What would happen if the data was not available? If the cloud was not secure? If I could not access the data?” Supply chains (under my definition) are hard to understand and ever more difficult to manage. Because of the numerous interdependencies, the security (and resilience) of any entity is dependent upon the security (and resilience) of any and all of the hardware, software, people, processes, etc. upon which it depends. While third-party audits, data protection agreements and standards all may help, the problem is really complicated, and will likely persist.
6. Multifactor Authentication
When we speak about authentication, we often mean “authorization.” Is the person accessing the data, computer, network or process the person who is permitted to do so, and are they accessing and using the data etc. for a permitted purpose? Traditionally, we have used “authentication” as a proxy for authorization by providing the authorized person with some form of credential which they then present to us to establish authorization. In the transfer back and forth of such credentials, we create vulnerabilities, including man-in-the-middle (MiTM) attacks, spoofing, theft of credentials, etc. Cat, meet mouse. Or mole, meet mallet. In addition, strong authentication can be anathema to strong privacy, since a strongly authenticated individual can be tracked by their credentials through every place they visit and everything they do. We can and will do better in authentication schemes (first thing: Let’s turn on MFA by default) but because authentication is so powerful, it is often the most frequently attacked component. It’s a difficult and persistent problem, which is why it makes the list.
5. Data Protection Agreements
A corollary to the supply chain problem is the border problem. No, not that border problem. The problem that companies only directly control a tiny fraction of the infrastructure on which they depend. Their mail is provided by a third-party cloud provider. Same for their Salesforce infrastructure, billing, invoicing, HR, etc. They employ consultants, independent sales representatives, lawyers, suppliers, vendors, etc., each of whom has access to data, networks, computers, etc. For any data or processes outside our direct control, we can (and occasionally do) compel the third party to “do something” to protect our data. Sometimes it is just a duty to inform us of a data breach. Sometimes it is a duty to comply with some data privacy or data security standard (think ISO or NIST security standards). These agreements sit on a shelf like a ticking time bomb until one of the companies suffers a data breach or other incident, and then we can sue them for breach of contract. In addition, we think that the fact that the third party has signed an agreement that they will protect our data means we are in the clear. So, the problem with data protection agreements is like the problem with the food at the Borscht Belt hotel: It tastes terrible and comes in such small portions.
4. International Data Privacy Regulation
Just as we begin to achieve consensus on data privacy principles (limited collection, consent, legitimate use, data life cycle, right to be forgotten, etc.), data privacy law and regulation become exponentially more complicated and difficult to comply with. The other problem with privacy regulation is that the internet has become dependent upon the lack of data privacy—entities like Meta (Facebook, etc.), Alphabet (Google, etc.), Amazon, Apple and others depend on the collection and analysis of massive amounts of personal data. It is what gives the company value. The problem with data privacy regulation is that we want both privacy and the utility afforded by having third parties collect data for and about us. Like many other complex problems, these are problems because we expect them to accomplish diametrically opposed goals. Sounds like fun.
3. Telework/Remote Access
If the pandemic has taught us anything, it is that home is where the keyboard is. And the office too. The explosion of telework and remote access, together with some of the tools that enable such telework, has created a physical disconnect between the person and the data. Data can be, and often is, accessed anywhere and everywhere. The disconnect creates opportunities for hackers, fraudsters and others to attack data and networks. And as people demand more remote services (think telemedicine) and demand to be able to work remotely, the problem will only get worse.
2. Staff Shortages
We have always suffered from a shortage of good security peeps—partly because of the nature of the work itself. A good security person follows complex rules. A good security person constantly disobeys complex rules and breaks things. A good security person fixes things. A good security person knows how to connect with other people and share their insights. A good security person doesn’t care about other people and sharing insights but wants to think creatively about how to exploit people’s vulnerabilities. A good security person is a “team player.” A good security person can work for hours or days without any supervision. A good security person is a hacker at heart. A good security person would never do things that a hacker would do. Is it any wonder we have trouble recruiting and motivating good security people?
1. Security Awareness
We do lots and lots of security training. Well, actually, not so much. The average employee is compelled to take a 15-minute training session on security (Alice shares her password with Bob. Is this a) Good or b) Bad?) and then a refresher class every 18 months. It’s a chore, and a passing grade is typically 75% to 80%, which means that they can be wrong 25% of the time and still “pass” their training. And yet, in many cases, users are either the first line of defense against attacks or the first method of furthering such attacks—often, they’re both. We must find a way to go beyond training; go beyond learning to change and reinforce culture. Sure, after a major breach; after a major ransomware attack; after a major shutdown, everyone is more sensitive to the need for data security. The problem is that many users don’t know what to do to maintain security, or that they don’t care, or both. Most of the time, however, it is because users believe that it is either necessary or useful to bypass a security requirement to get their job done. Thus, part of the job of the CISO is to find out how and why people are bypassing security and find a way to help them get their job done. And to inculcate a culture of security, curiosity and concern within and throughout the company. And … unicorns. Because, why not?
So these are my top 10 security challenges for 2022. And 2023. Most of these problems are intractable and are bound to be repeated. And they are hard to fix. If they were easy to fix, they wouldn’t be on the list.