In 2021, we suffered the fallout from a seemingly endless parade of privacy controversies and massive cyber attacks.
The SolarWinds hack demonstrated supply chain exposures; the attempted poisoning of a suburban Tampa water supply highlighted utilities at risk; and the Colonial Pipeline ransomware attack showed that cyber extortion rings continued to run rampant.
On the privacy front, California reinforced its consumer data privacy rules, even as Facebook and Apple quarreled publicly over how each of these tech giants abuses consumer privacy and handles sensitive data loosely.
Meanwhile, President Biden issued an executive order on cybersecurity that finally put the federal government’s regulatory seal on basic cyber hygiene practices that many organizations should already have been following, but continue to give short shrift.
Last Watchdog solicited feedback from tech thought leaders on lessons learned in 2021 and any advice they may have to offer for 2022. More than two dozen experts participated. This is the second of two roundups (Click here to see the first roundup) highlighting what they had to say. Comments edited for clarity and length.
Maor Bin, CEO, Adaptive Shield
Many companies fail to adequately manage the security risks of GitHub, Office 365, Salesforce, Slack, SuccessFactors, Zoom, and many other SaaS applications. Security teams are responsible for ensuring that the security configurations for each application are set correctly, but no two are the same.
Businesses need to consider new approaches to protect data stored in SaaS applications. The answer for many is SaaS security posture management (SSPM). These tools monitor security settings to ensure correct configuration and can automatically detect configuration errors. The door can then be closed to potential exposures.
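The kind of check an SSPM tool performs, reduced to its core, as an added example that is not Adaptive Shield's product code or any vendor's API: each application's exported settings are compared against a per-application baseline, and any setting that deviates, or is missing from the export entirely, is reported as drift with a severity. The application names, setting keys, baseline values and the exported snapshot are all constructed for the illustration and do not correspond to real admin-console settings.

```python
"""Minimal SaaS security-posture check: compare exported settings for each
application against a baseline and report drift.

Added illustration; not an SSPM vendor's code. Setting names, baselines and
the sample export are constructed."""
from dataclasses import dataclass

# Constructed baselines: what "correct" looks like per application.
# Numeric values are treated as upper bounds, everything else as exact matches.
BASELINES = {
    "github": {"require_2fa": True, "default_repo_visibility": "private",
               "allow_forking_private": False},
    "office365": {"legacy_auth_enabled": False, "mfa_enforced": True,
                  "external_sharing": "existing_guests_only"},
    "slack": {"public_link_sharing": False, "sso_required": True,
              "guest_account_expiry_days": 30},
}

# Severity per setting; anything not listed is "medium".
SEVERITY = {
    ("github", "require_2fa"): "high",
    ("office365", "legacy_auth_enabled"): "high",
    ("office365", "mfa_enforced"): "high",
    ("slack", "public_link_sharing"): "high",
}


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    expected: object
    actual: object  # None when the setting is absent from the export
    severity: str


def _matches(expected, actual) -> bool:
    # bool is a subclass of int, so exclude it from the numeric-bound rule.
    if isinstance(expected, (int, float)) and not isinstance(expected, bool):
        return isinstance(actual, (int, float)) and actual <= expected
    return actual == expected


def check_posture(snapshots: dict) -> list:
    """Return one Finding per setting that deviates from its baseline.

    `snapshots` maps app name -> dict of exported settings. A setting the
    export does not contain is reported too: unknown state is drift, not
    compliance."""
    findings = []
    for app, baseline in BASELINES.items():
        exported = snapshots.get(app, {})
        for setting, expected in baseline.items():
            actual = exported.get(setting)
            if setting not in exported or not _matches(expected, actual):
                findings.append(Finding(app, setting, expected, actual,
                                        SEVERITY.get((app, setting), "medium")))
    return findings


def worst_severity(findings) -> str:
    order = {"high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed export, shaped like what a tool would pull from each admin API.
SAMPLE_SNAPSHOTS = {
    "github": {"require_2fa": False, "default_repo_visibility": "private",
               "allow_forking_private": False},
    "office365": {"legacy_auth_enabled": False, "mfa_enforced": True},  # external_sharing missing
    "slack": {"public_link_sharing": False, "sso_required": True,
              "guest_account_expiry_days": 90},
}

if __name__ == "__main__":
    for f in check_posture(SAMPLE_SNAPSHOTS):
        print(f"[{f.severity}] {f.app}.{f.setting}: expected {f.expected!r}, got {f.actual!r}")
```

Treating a missing setting as a finding rather than silently passing it is the design choice worth keeping: an export that omits a control is exactly the case where a team would otherwise assume the control is fine.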
Patricia Thaine, CEO, Private AI
Developers are increasingly under pressure to comply with data protection and cybersecurity regulations, with few tools in their arsenal to do so reliably. Many developers still rely on regular expressions to discover personal information and remove it from very messy text.
As developer training in data protection progresses and more data leaks and privacy breaches occur due to faulty internal systems, we will begin to understand that just like cryptography, most people shouldn’t be creating their own privacy technologies.
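To make the weakness of regex-based PII discovery concrete, here is an added example (not Private AI's code or anything from the original post) that runs a typical hand-rolled detector over a small set of constructed, deliberately messy inputs and counts what it catches, misses and falsely flags. The regexes are ordinary email, US phone and SSN patterns; the sample lines and their labels are made up for the illustration.

```python
"""How a regex PII detector behaves on messy text.

Added illustration, not from the original post. The regexes are typical
hand-rolled patterns; the sample inputs are constructed."""
import re

# A typical hand-rolled detector: one pattern per PII type.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
US_PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
US_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed samples: (text, does it actually contain personal data?)
SAMPLES = [
    ("Contact jane.doe@example.com for the invoice", True),      # caught
    ("Contact jane dot doe at example dot com", True),          # missed: spelled out
    ("Email: jane.doe @ example.com", True),                    # missed: stray spaces
    ("Call 555-123-4567 tomorrow", True),                       # caught
    ("Call five five five, one two three, four five six seven", True),  # missed
    ("SSN 123-45-6789 on file", True),                          # caught
    ("Jane Doe, 42 Elm Street, Springfield", True),             # missed: no pattern for names/addresses
    ("Batch code 123-45-6789 shipped", False),                  # false positive: looks like an SSN
    ("Weekly report for Q3", False),                            # correctly clean
]


def detect(text: str) -> set:
    """Return the set of PII types the regexes claim to find in `text`."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if US_PHONE_RE.search(text):
        found.add("phone")
    if US_SSN_RE.search(text):
        found.add("ssn")
    return found


def evaluate(samples) -> dict:
    """Compare the detector's verdict with the ground-truth label per sample."""
    counts = {"true_positive": 0, "false_negative": 0,
              "false_positive": 0, "true_negative": 0}
    for text, has_pii in samples:
        detected = bool(detect(text))
        if has_pii and detected:
            counts["true_positive"] += 1
        elif has_pii:
            counts["false_negative"] += 1
        elif detected:
            counts["false_positive"] += 1
        else:
            counts["true_negative"] += 1
    return counts


def recall(counts: dict) -> float:
    """Share of genuinely personal lines the detector actually flagged."""
    positives = counts["true_positive"] + counts["false_negative"]
    return counts["true_positive"] / positives if positives else 0.0


if __name__ == "__main__":
    c = evaluate(SAMPLES)
    print(c, f"recall={recall(c):.2f}")
```

On these nine lines the detector flags three of the seven lines that contain personal data and also flags one that does not. The misses are not exotic: a spelled-out address, a space around the `@`, a spoken phone number and a plain name-plus-street address are all routine in support tickets and chat logs, and no amount of regex tuning covers the last category at all.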
Erkang Zheng, CEO, JupiterOne
Apparently, every state and country has started to adopt their own privacy regulations. It’s a mess from a security point of view because there is no uniform standard. The new rules create complexity and introduce vulnerabilities and security risks. We need to see more simplification on the process side, driven by more unified regulations.
A clear trend that we will continue to see is the continued increase in the shortage of resources and skills. Organizations will need to reform their image, culture and mindset to attract new talent and provide these people with new opportunities at work.
Barry Hensley, Secureworks
The ransomware-as-a-service model lowered the barrier to entry and helped ransomware groups grow rapidly. Fortunately, ransomware attacks can be mitigated with a complete understanding of your attack surface, along with a good foundation of security.
The faster organizations understand their exposures, the better the chances of preventing any attack from escalating. Companies must master the basics: implement multi-factor authentication, lock down Internet-facing systems and remote access solutions. And then, make sure you have complete visibility of your entire environment, not just endpoints.
Casey Ellis, CTO, Bugcrowd
In 2021, Lloyd’s of London adjusted its policies to stop paying ransom fees, possibly because their actuaries told them it was irrational to insure against a problem we are not very good at preventing. This step will likely signal big changes to come for the insurance, financial technology and security industries over the coming year and beyond.
Ransomware has been working well for bad guys for quite some time now. Hopefully vendors will be forced to innovate and develop a new class of security solutions to disrupt the ransomware economy.
Jasmine Noel, Product Marketing, ReversingLabs
SolarWinds made the general public aware that malicious actors attack the software supply chain by exploiting gaps in AppSec solutions, which cannot inspect installation binaries for malicious behavior.
Mitigation of these threats requires an automated static file scanning process in which the components built into the software are extracted and listed in a software bill of materials (SBOM). Companies should then inspect for quality issues and policy violations which, when detected, can be scored and assigned a rating that represents the overall quality of the software package.
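The second half of that process, from component list to a single package rating, as an added example that is not ReversingLabs' tooling or anything from the original post: a CycloneDX-style SBOM is parsed, each component is checked against a policy (allowed licenses, approved ecosystems, pinned versions, a denylist, duplicate versions of one component), and the weighted violations are turned into a score and letter grade. CycloneDX is a real SBOM format, but every component name and version here, the policy, the weights and the grade thresholds are constructed for the illustration; the denylisted package URL is a placeholder.

```python
"""Toy SBOM policy audit: list components from a CycloneDX-style SBOM,
flag policy violations and turn them into one package rating.

Added illustration only; not any vendor's tooling. CycloneDX is a real
format, but the SBOM content, policy, weights and thresholds are constructed."""
import json

# Constructed SBOM: every component name and version is made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "netlib", "version": "2.8.1",
     "purl": "pkg:pypi/netlib@2.8.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "padutil", "version": "",
     "purl": "pkg:npm/padutil", "licenses": []},
    {"type": "library", "name": "gplonly", "version": "1.0.0",
     "purl": "pkg:npm/gplonly@1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "helper", "version": "1.0.0",
     "purl": "pkg:npm/helper@1.0.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "helper", "version": "2.3.0",
     "purl": "pkg:npm/helper@2.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "internal-telemetry", "version": "0.9.0",
     "purl": "pkg:generic/internal-telemetry@0.9.0", "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed policy. The denylist entry is a placeholder, not a real package.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "allowed_ecosystems": {"pypi", "npm"},          # purl type after "pkg:"
    "denylisted_purls": {"pkg:npm/example-denylisted-lib"},
    "weights": {"unpinned_version": 10, "no_license": 8, "disallowed_license": 15,
                "unapproved_ecosystem": 12, "duplicate_component": 5, "denylisted": 40},
}


def purl_type(purl: str):
    """Ecosystem part of a package URL: 'pkg:npm/x@1' -> 'npm'."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0] if purl else ""


def audit_sbom(sbom: dict) -> list:
    """Return (rule, component_name) for every policy violation found."""
    violations = []
    versions_seen = {}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl", "")
        version = comp.get("version") or ""
        if not version:
            violations.append(("unpinned_version", name))
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        ids.discard(None)
        if not ids:
            violations.append(("no_license", name))
        elif not ids <= POLICY["allowed_licenses"]:
            violations.append(("disallowed_license", name))
        if purl_type(purl) not in POLICY["allowed_ecosystems"]:
            violations.append(("unapproved_ecosystem", name))
        if purl_without_version(purl) in POLICY["denylisted_purls"]:
            violations.append(("denylisted", name))
        versions_seen.setdefault(name, set()).add(version)
    # Two versions of the same component in one build is a quality issue.
    for name, versions in versions_seen.items():
        if len(versions) > 1:
            violations.append(("duplicate_component", name))
    return violations


def score(violations) -> int:
    """100 minus the summed weights, floored at zero."""
    return max(0, 100 - sum(POLICY["weights"][rule] for rule, _ in violations))


def rating(score_value: int) -> str:
    for threshold, grade in ((90, "A"), (75, "B"), (50, "C")):
        if score_value >= threshold:
            return grade
    return "D"


def audit_report(sbom_text: str = SBOM_JSON) -> dict:
    violations = audit_sbom(json.loads(sbom_text))
    s = score(violations)
    return {"violations": violations, "score": s, "rating": rating(s)}


if __name__ == "__main__":
    print(json.dumps(audit_report(), indent=2))
```

The rules are deliberately simple and the weights arbitrary; the point is the shape of the pipeline. Extraction produces the component list, each component is judged against explicit policy, and the violations collapse into one number that a release gate can act on.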
Doug Dooley, COO, Data Theorem
Automated hacker toolkits will become popular in 2022, as IT security teams can use them to breach their own systems and then uncover any exploitable vulnerabilities. This new approach will build trust and credibility between the SecOps and DevOps teams.
SecOps should focus on activities that could significantly damage a brand and drive down the stock price; this focus on exploitable vulnerabilities will then begin to have a higher business priority. Security teams do a lot to filter out noise and help business leaders focus on what matters in the year ahead.
Tony Pepper, CEO, Egress
Security teams realize that training is not enough. Emphasis should be placed on risk reduction behaviors by using technology as a safety net for employees as they perform their jobs.
In 2022, we will see an inevitable continuation of the attacks that have plagued businesses for years. Ransomware, phishing, and social engineering attacks will all continue to increase. In response, we’ll see a resurgence of interest in ransomware prevention – and since more than 90% of malware is delivered via email, businesses will step up their phishing defense.
Chris Olson, CEO, The Media Trust
Most malicious source code in the digital ecosystem comes from the everyday content we interact with through websites and apps – and we haven’t locked it down.
In 2022, organizations will begin to seriously defend themselves and understand their impact on the digital ecosystem. They can no longer put their heads in the sand... and those who get ahead of the curve by monitoring ALL code on their websites and apps will be the clear winners – in terms of revenue, reputation and brand loyalty.
Ronnie Tokazowski, Senior Threat Advisor, Cofense
Business Email Compromise (BEC) accounted for over $500 billion in losses. If we continue to ignore BEC fraud, the problem will continue to get worse, as it has every year for the past 20 years.
Meanwhile, until further negotiations are conducted with foreign adversaries, ransomware will also continue to increase, as will fraud against government aid programs, as we have seen in both of the last two years.
Edward Roberts, Vice President, Marketing, Neosec
As the world embraces the use of APIs to create more revenue streams, it will be essential to focus on protecting them. APIs power the global economy and hold the crown jewels of business data for many organizations.
In 2022, we will see an increase in API abuse. Most B2B partners assume that API machine calls are authenticated and secure. But today the majority of internet traffic is not website or mobile-app API calls but business-to-business commerce over widely undefended APIs. Ignoring API protection has become perilous.
Nikhil Handigol, Co-founder, Forward Networks
IT and security teams need a single, shared source of truth to work from. Collaborating effectively while being geographically distant will remain a major challenge.
Technology can help teams collaborate, align their work, and share information without giving up control of their domain. Leaders need to think about how to create the processes and incentives that make collaboration natural, engaging – and secure. Doing more of the same will not give you different results.
Tom Hickman, Product Manager, ThreatX
In 2022, the targets will change. Attackers will start to pay more attention to small organizations and demand much smaller ransoms, think $2,000. This will allow attackers to avoid encounters with law enforcement and the risk of going to jail.
Large-scale ransomware attacks will not go away. But there will be a lot more smaller transaction attacks that don’t deserve law enforcement attention. For criminal enterprises, this is a real market opportunity – and we believe attackers will move into this space. Kind of like micro-payments for ransomware.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to raising awareness about how to make the Internet as private and secure as it should be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog written by bacohido. Read the original post at: https://www.lastwatchdog.com/roundtable-what-happened-in-privacy-and-cybersecurity-in-2021-and-whats-coming-in-2022/