While the full impact of these incidents will unfold in the months and years ahead, 2022 will present a new set of cybersecurity challenges that will impact how organizations build trust in this constantly evolving digital age.
1. Cybersecurity becomes an ESG (Environment, Social, and Governance) Issue
As our lives become more digital, and digital and physical controls collide, investing in cybersecurity to keep society safe will become recognized as the fourth responsibility of ESG for corporations. We’re already seeing demand for separate board-level cyber risk committees, and we’ve experienced how cyberattacks have more than just technological implications. As the digital/physical worlds converge around cybersecurity, it’s clear that keeping people safe and society productive is going to require more than troops, planes, and battleships. It’s going to require governments and the private sector to take cybersecurity seriously. A society that is not secure (digitally and physically) is a society that is not free.
2. Multi-Factor Authentication (MFA) Mandate
In the ongoing war against global cyber threats, one of the weakest links in our security systems is the use of password-only protection to secure access to sensitive information and systems. It’s estimated that over 80% of breaches occur because of stolen or compromised passwords. As a result, companies are turning to multi-factor authentication to bolster their digital front doors, and we are seeing companies mandate MFA for everything in order to protect themselves.
Further accelerating this shift is the cyber risk and insurance industry, which requires MFA to obtain cyber risk insurance.
3. Bad Bot Tsunami
Bots are over-running customer-facing systems, which means enterprises will need to leverage artificial intelligence (AI) and machine learning to both detect and protect against bots impersonating humans when creating or attempting to take over accounts.
Bots today dominate fraudulent eCommerce and online activity, with bad bots now accounting for 25% of internet traffic. That’s because they have increased in sophistication and can now mimic human behavior.
4. Focus Shifts to Authorization
Driven by zero-trust security models (don’t trust the user, the device, or the network. Verify always), a decade of focus on authentication will begin to shift towards authorization. Namely, what can the user do? In a zero-trust world, companies want their policy to be the perimeter. While allowing users to be productive and access corporate resources securely from any device is the desired end-state, companies need to not only ensure that the user and device are making the request but that that user is authorized to make the request. In the new highly distributed world (users working from anywhere, workloads served from anywhere), authentication (who is making the request) and authorization (what are they allowed to do) become the backbone of a new zero-trust security paradigm.
5. The Rise of Digital Wallets
For the past 50 years, you and I have been second-class citizens when it comes to our digital identity. Companies run the systems that manage our digital identity.
In 2022, a new paradigm will emerge. A paradigm in which users will become individuals and digital identity credentials will begin to be stored on an individual’s phone. Proof of identity, proof of employment, proof of loyalty, proof of membership, proof of creditworthiness, proof of certification, and proof of education. These digital credentials will find their way into a secure digital identity wallet stored on our phones and accessed via our biometrics like FaceID.
This will usher in a new paradigm for personal control, personal privacy, and sharing data about ourselves. One in which users will have more control over who and when their data is shared.
It will be key for companies to think through how their existing identity systems will interface with this new paradigm.
6. Attacks on zombie and shadow APIs
APIs cannot remain the most used, most abused, and least visible part of our enterprise infrastructure. Though APIs have enormous benefits for those who utilize them, the extent to which they are used can, unfortunately, lead to blind spots in our security programs, particularly with the increased use of zombie and shadow APIs. These rogue APIs happen when an API is developed as part of an application, but the API itself is considered an implementation detail of the application and is only known by a close-knit group of developers.
Currently, these threats are not on the radar of security operatives because they don’t have visibility into the implementation details. But it’s projected by Gartner that over 90% of attacks will focus on APIs in 2022. For those companies without well-formed API governance, controls, and security practices, APIs will become the weak link.
7. Convergence of IT and operational technology (OT)
Threats and attacks to physical infrastructure will only increase in 2022 as our OT infrastructure becomes smart and connects to our digital infrastructure. As a result of this modernization, enterprises will be forced to rethink how they address new and emerging cybersecurity threats as they will have very real-world, physical impacts. Information technology and operational (physical) technology will collide, and IT teams will take over responsibility for the security of OT. This will lead to a need for interoperability between IT/OT initially and, ultimately, a convergence of redundant technology to control who can physically get in the building and who can access apps.
8. Rise of the chief information security officer (CISO)
The CISO’s role is to help their enterprise support new services and offerings while ensuring the security, safety, and reliability of the company’s IT infrastructure. As corporate boards put cyber risk more front and center, identity leaders will increasingly report directly to the CISO, and the CISO will report to the board. Gartner predicts that 40% of boards will have a dedicated cybersecurity committee by 2025.
9. Identity Focus Shifts from Security to Experience
Much of the focus in identity and security has been on simply making it work and keeping pace with the demands of the business. But as new no-code and low-code identity and integration options emerge, the focus will shift to enabling frictionless end-user experiences. Business leaders will take a more active role in demanding exceptional experiences to compete in a largely digital-first world.