The past two years have certainly taught us to expect the unexpected. That being said, it behooves us to look at the past to gain invaluable insight into the future. As we reflect on the massive changes that have occurred in our world, Panorays experts weighed in on what cybersecurity issues they see taking precedence in the coming year.
1. Security concerns will continue to take center stage
Privacy and compliance have been a priority for many companies, especially since 2018 with the establishment of GDPR and other similar regulations. Security is a significant component of the compliance process that companies, especially highly regulated ones, will continue to prioritize. Failure to do so can leave companies vulnerable to cyberattacks. Additionally, in case of a breach, organizations risk incurring legal penalties, regulatory fines and reputational damage.
Meanwhile, the sudden global shutdown caused by Covid-19 shook up the way the world did business. This “new normal” caused companies to grapple with new security concerns such as increased attack surfaces thanks to tens, hundreds or thousands of employees logging in from home offices as well as from personal devices.
And now, with hybrid work becoming increasingly mainstream, companies are preparing for new and additional security challenges requiring more tools and solutions to make this new business setup as secure as possible without compromising efficiency. As such, the focus on security will only intensify as companies struggle with questions such as how to act fast when a third (or nth) party has been breached.
2. Increasing number of third-party breaches
There’s no question that third-party breaches will continue to spread widely as cloud services and digital transformation, fueled by the pandemic, become standard and occur at a faster pace and with higher volume.
Cybercriminals will continue to take advantage of suppliers as a means to gain easy access to companies. Not only do smaller vendors, partners and suppliers often have more lax security than larger companies, but the ability to strike multiple victims is appealing to hackers.
After the infamous 2020 SolarWinds breach, 2021 followed with significant third-party breaches such as Accellion and Kaseya. Moreover, according to recent Kaspersky research, third-party incidents became the most costly enterprise data breaches of 2021. And if history is a sign of what’s to come—prepare for the inevitable.
3. Process improvement and consolidation
Given the way the world has been shaken up over the past couple of years, and the speed at which companies were forced to change their business processes, organizations are now seeking ways to improve and consolidate those processes. Managing security processes is among the biggest of those challenges.
For some, especially organizations that lack the bandwidth to properly manage their security program, managed services are the answer; for others, integrations and process automation are the solution. Companies are looking for ways to integrate security into the main processes within the organization. They don’t want multiple or manual processes that are broken, slow them down and inhibit business.
Organizations will continue to look for ways to automate processes wherever and whenever they can to save time and money. This will be especially true in cybersecurity, where companies lacking manpower are looking to consolidate GRC, procurement, SRS and security questionnaire processes.
4. Supply chain security prioritization in the US
President Biden’s Executive Order on America’s software supply chain in May of this year is a clear sign of where the country is headed in regard to cybersecurity. In other words, with the federal government’s focus on cybersecurity, specifically software supply chain security, the tone has been set for enterprises to beef up their own supply chain security.
The EO urged “bold changes and significant investments” in cybersecurity to protect against increasing malicious cyber threats from nation-state actors and cybercriminals. Among other things, the EO called for:
- Requirements for IT and communication government contractors to share cyber threat information and report cyber incidents
- Modernizing the US government’s cybersecurity protection through practices such as accelerated adoption of cloud networks and deployment of multi-factor authentication
- New and improved security standards for software sold to the government that address vulnerabilities in software supply chains
- A consumer cybersecurity labeling program to determine whether software was developed securely
- The establishment of a Cybersecurity Safety Review Board to analyze significant cyber incidents and make recommendations
- Requiring a Software Bill of Materials that provides an inventory of third-party components in devices
This significant step by the president to strengthen and standardize software supply chain security will no doubt be an impetus for enterprises across the country and worldwide to modernize and improve their own third-party security. It will also undoubtedly spur the growth of new solutions intended to address these new requirements.