Trends and Predictions Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/features/trends-and-predictions/

We’ll See More Data Exfiltration and Data Leak Threats
https://cisomag.com/well-see-more-data-exfiltration-and-data-leak-threats/
Mon, 07 Feb 2022 06:03:51 +0000

Throughout 2021, cybercriminals executed attacks for monetary gain – and it worked. Colonial Pipeline paid $4.4 million following a ransomware attack, and that is just one example of countless ransomware attacks over the last year. If cybercriminals’ tactics are working, they will not change their ways. Organizations need to prepare for these attacks to continue by putting adequate proactive protections in place.


By Simon Eyre, Chief Information Security Officer, Drawbridge

Increasing data exfiltration and data leak threats

As traditional ransomware attacks are gaining attention from governments and cyber-awareness has improved, we will see more data exfiltration and data leak threats. These threats can cause significant damage to an organization’s reputation, privacy, and intellectual property. As a result, businesses will prioritize a comprehensive understanding of data flow processing and subsequently apply the correct risk assessment mitigations.


Heightened regulatory action

Throughout 2021, we have seen regulators become increasingly involved in cybersecurity issues, which will likely continue in 2022. This year was marked by more prescriptive requirements from the Securities and Exchange Commission (SEC) and Monetary Authority of Singapore (MAS) around cybersecurity and the likes of the Financial Conduct Authority (FCA) stepping up their expectations for Operational Resilience. It is clear regulators are working hard to ensure the increase in hybrid working has not affected cyber and operational requirements. And although increased regulation has begun, it is likely only the start.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Outsource The Work But Never The Risk
https://cisomag.com/outsource-the-work-but-never-the-risk/
Thu, 03 Feb 2022 06:39:25 +0000

Ransomware attacks, attacks on critical infrastructure, and supply chains dominated the news in 2021. The experts say all this will continue in 2022, though the attacks will be more sophisticated and frequent. While state actors engage in cyber warfare, the attacks will also get more personal – expect to see attacks on high net worth individuals. Team CISO MAG tracks security trends throughout the year and frequently consults experts for their opinions.

The one thing organizations should never do in 2022 regarding their cloud security and compliance program:

  • Never forget that you may outsource the work but never the risk. The increasing pace of security exposures, scarcity of cybersecurity professionals, and technology sprawl place demands on organizations that exceed their capacity. In 2022, we’ll see enterprises suffer the consequences of breaches because they trusted an outsourced provider and failed to verify and govern.

By Dr. Joel Fulton, Co-Founder and CEO of Lucidum

How organizations can prepare themselves for the onslaught of data privacy and cybersecurity mandates on the horizon:

  • Plato, cribbing from the Bible, wrote, “Good people do not need laws to tell them to act responsibly.” Based on recent decisions and behavior by organizations who should have known better, the rise of strict, one-size-fits-all security and privacy mandates is inevitable. Many act as though they need laws to tell them how to act responsibly with others’ data.
  • Rather than be surprised by sudden regulatory requirements with jet-fuel deadlines, be well-prepared by adopting ethical data handling practices now – and verifying them. Shockingly, few significant breaches result from zero-day vulnerabilities. Nearly all come from shadow IT, rogue cloud, zombie user accounts, and poor patch management.


Where organizations should focus compliance efforts in 2022:

  • Focus on hygiene and good practice, make it your expertise, and reward your team for foundational excellence. You’ll never be caught flat-footed by a mandate – and avoid expensive, embarrassing breaches.

There Will Be More Focus on Data Privacy, IT-OT Security, and Vendor Consolidation
https://cisomag.com/there-will-be-more-focus-on-data-privacy-it-ot-security-and-vendor-consolidation/
Wed, 02 Feb 2022 06:24:05 +0000

By the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. Data privacy is gaining momentum in India, especially after the Supreme Court declared the Right to Privacy a fundamental right. The Personal Data Protection bill (now called the Data Protection bill, after the inclusion of non-personal data in its scope) aims to provide a framework for ensuring an individual’s privacy by governing the proper use of, access to, and accountability for the personal as well as non-personal data of Indian citizens. The bill has yet to be passed by the two houses of Parliament before it becomes an Act, which would put nearly 800 million internet users under its scope.

By Prateek Bhajanka, Senior Principal Analyst, Gartner, Inc.

GDPR was the first major legislation for consumer privacy, but others quickly followed, including Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws suggests you’ll be managing multiple data protection laws in various jurisdictions, and customers will want to know what kind of data you are collecting and how it is being used. It also means you will need to focus on automating your privacy management system. Standardize security operations using GDPR as a base and then adjust for individual jurisdictions.

By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties. 


With India’s emphasis on increasing the GDP contribution from the manufacturing industry to 25%, the industry is expected to see advancements in the areas of technology, business models, and value creation. Several factors, such as the significant percentage (12%) of the workforce employed in the industry, IT-OT convergence and malware spreading from IT to OT, and an increase in the number of nation-state attacks, shift the discussion from business disruption to physical harm, with the liability likely ending with the CEO. The security and safety of the workforce would also become a key responsibility for CISOs. Focus on asset-centric cyber-physical systems, and make sure there are teams in place to address proper management.

By 2024, 30% of enterprises will adopt cloud-delivered secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall as a service (FWaaS) capabilities from the same vendor. 

Indian organizations are rapidly becoming digital businesses to increase their value proposition, introduce new channels, reach new markets, find efficiencies in business models, etc. They adopt cloud technologies in various forms and embrace a hybrid architecture to become digital. Also, with the need for working from anywhere and anytime access, the security controls that existed in the corporate networks should be available irrespective of the source of the connection. On the other hand, organizations are leaning into optimization and consolidation. Security leaders often manage dozens of tools, but they plan to consolidate to fewer than 10. SaaS will become a preferred delivery method, and consolidation will impact adoption timeframes for hardware.

About the Author:

Prateek Bhajanka is a Senior Principal Analyst for the IT Leaders (ITL) constituency, focusing on Security and Risk Management for Gartner Research. His areas of research include Endpoint protection platforms/Endpoint detection and response (EPP/EDR), malware and ransomware prevention, etc. His key tasks encompass creating high-quality, actionable and consumable written research and giving clients insights and advice on the various security problems they face. Bhajanka also helps organizations save money on new contracts and renewals on endpoint protection platforms and endpoint detection and response.

The risk of intrusion will increase as companies add more suppliers in a shift to just-in-case supply chains
https://cisomag.com/the-risk-of-intrusion-will-increase-as-companies-add-more-suppliers-in-a-shift-to-just-in-case-supply-chains/
Tue, 01 Feb 2022 05:36:54 +0000

Tattleware will degrade employee experience by 5% and increase insider threats. With Anywhere Work here to stay, employers have added platforms that add insights into employee activity and productivity. But employee backlash against what they perceive as surveillance tools and employer overreach will also impact insider threat programs. Employees might confuse security tools for productivity platforms and react poorly, eroding the security team’s ability to detect insider threats. Security leaders will need better messaging, policies, and clarity around insider threat programs to avoid being lumped into surveillance platforms masquerading as productivity tools.

 

By Jeff Pollard, VP and Principal Analyst, Forrester

Nearly 60% of security incidents will result from issues with third parties. Hyper-efficiency leads to fragility, as seen over the last two years with just-in-time supply chains. More and more companies will reduce their concentration risk by adding more suppliers in a shift to just-in-case (JIC) supply chains. More suppliers bring more connectivity, and more connectivity brings more opportunities for intrusions, which equals more risk that one of those suppliers will serve as the bridge into your environment. Improving the maturity of your third-party risk program and adopting zero-trust approaches will help reduce the likelihood and impact when it happens.


At least one security vendor collapses in an Enron-Theranos-esque scandal. In recent years, record levels of investment and merger & acquisition activity have given us hope that cybersecurity problems will start getting solved. And more capital flows in every day. Plenty of unsolved problems still exist, but easy access to capital also incentivizes fraudsters and charlatans to exploit investors, shareholders, and customers. At least one vendor will get brought down by “accounting irregularities” in the next twelve months. Security leaders should diversify their vendor portfolio, think twice about publicly endorsing early-stage vendors as public customer references, pay special attention to vendor-provided financials, and compare these with what’s provided to regulators or investors to identify potential areas of concern.

Focus on Consolidating and Simplifying Operational Systems
https://cisomag.com/consolidating-and-simplifying-operational-systems/
Mon, 31 Jan 2022 06:55:48 +0000

The unprecedented events of 2021 have accelerated the growing network of technology integrations, which has automated business workflows and data exchange. However, this has involuntarily allowed lateral movement by attackers, thereby making cybersecurity a top focus area. Malicious threats from outside and within organizations, coupled with increasingly stringent data regulations, are putting the onus on organizations to step up their security and data use precautions, thereby making cybersecurity a C-suite level issue. This is putting pressure on security leaders to focus on consolidating and simplifying operational systems, allowing users to have a cohesive view of things rather than everything being siloed.

By Rajesh Dhuddu, VP & Practice Leader, Blockchain & Cybersecurity, Tech Mahindra

Today, cyber threats and attacks are pervasive, and the surface area of attack has also increased with the Work from Home (WFH) model. Organizations must focus on re-evaluating IT strategy, ensuring an end-to-end, robust, and strategic infrastructure design based on zero-trust architecture to improve overall infrastructure security posture, including business and network security lifecycles. Enforcing agile perimeter security, and attack surface anonymization and reduction will enable enterprises to detect, mitigate, and prevent network threats while securing remote workplaces simultaneously.

While remaining in sync with these emerging cybersecurity trends, we at Tech Mahindra attempt to help customers navigate the uncertain future and remain secure. We have also strengthened the internal security policy for the benefit of our associates. In all this, I believe, security leaders will be focused on consolidating and simplifying operational systems, allowing users to have a cohesive view of things rather than everything being siloed. Companies will seek to use low-code automation to harness the collective knowledge and form a centralized record system, with appropriate fail and foolproof points, for operational data.


About the Author

Rajesh Dhuddu leads the Blockchain & Cybersecurity practice for Tech Mahindra. He is responsible for guiding a team of 500+ highly accomplished Cybersecurity professionals empowering Global customers in EMEA, APJ & India to strengthen their enterprise-wide Cybersecurity posture and build a highly resilient security organization. He works closely with Global CISOs, advising them to leverage best practices both in technology and operations covering Cloud Security, Network Security, Advance Threat Management, Zero Trust, Offensive Security, Cyber-risk Quantification & SASE.

 

Act Sooner to Prepare for the Increasing and Emerging Security Challenges
https://cisomag.com/act-sooner-to-prepare-for-the-emerging-ransomware-attacks/
Fri, 28 Jan 2022 05:30:04 +0000

Ransomware attacks are growing in sophistication, with threat actors employing new technologies and affiliate models. Last year saw new models like Ransomware as a Service, with specialists working together to support ransomware attacks. They are now observing the OT-IT merger and looking for vulnerabilities to exploit in operational technology (which is not as secure as information technology). That is why organizations must prepare for more such attacks in 2022.

By Muhammad Tariq Ahmed Khan, Head of Information Security Audit, Internal Audit Department, Riyad Bank, KSA

Here are my three trends.

1. The Surge in Ransomware Attacks. Ransomware attacks have become worse in the last two years, and the curve is expected to keep rising in 2022. While the volume of ransomware attacks is alarming, attackers’ use of technologies that add to their capabilities is also a matter of concern, and they will continue to target organizations. This is probably due to the growing convergence of Information Technology (IT) and Operational Technology (OT) networks, which has enabled attackers to target organizations through the vulnerable home and remote workers’ devices.

2. Evolving Artificial Intelligence. Since artificial intelligence is evolving at an unprecedented pace and providing more opportunities to organizations, cybercriminals will continue leveraging AI to circumvent all controls, gain privileged access to organizations’ data, and erase traces to avoid detection. It is expected that cybersecurity vendors will combine the strengths of AI, Machine Learning (ML) algorithms and Deep Learning (DL) networks, enhancing the capability of AI and making it more effective and efficient.

3. Scarcity of Cybersecurity Talent. With the increase of cybersecurity threats and the diversity of the attack landscape, cybersecurity talent is expected to remain scarce in 2022. The demand for cybersecurity professionals will rise to cope with the constant battle against cybercrime. This imbalance will result in salary hikes for cybersecurity professionals.



About the Author

Muhammad Tariq Ahmed Khan is Head of Information Security Audit, Internal Audit Division, Riyad Bank, KSA. He has over 21 years of experience in the Banking industry, in areas such as Information Technology, Cyber & Information Security, Business Continuity Management & Disaster Recovery and related Audits. He has a solid understanding and application of Risk-Based Audit methodology, ISMS (ISO 27001), ISO 22301, NIST and COBIT, IT & Information Security regulatory compliance.

He is a double graduate (Finance and Computer Science) with one Master’s Degree in Computer Science. In addition, he holds a number of professional certifications such as CISA, CISM, CRISC, CDPSE, CISSP, PMP, CEH, ISO 27001 ISMS Lead Implementer & ISO 22301 BCMS.

Tariq has published articles on different topics of Cyber & Information Security and IT Audit and has also spoken at regional and international seminars and conferences.

Avoid Negotiating with Extortioners and Implement Solutions for Recovery and Resilience
https://cisomag.com/avoid-negotiating-with-extortioners-and-implement-solutions-for-recovery-and-resilience/
Wed, 26 Jan 2022 05:30:42 +0000

Once impacted by ransomware and other attacks, organizations spend a lot of time and money trying to recover systems. Many negotiate with attackers and even pay off the ransom. This is a reactive approach. My advice would be to avoid negotiating with extortioners. Rather, organizations should deploy resilient technology like immutable backups that will help recover from attacks like ransomware. Here are my three predictions for 2022.

By Zachery Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group

1. Introduction of Artificial Intelligence (AI) into cyberattacks. We can’t just dismiss cybercriminals as being unsophisticated imbeciles. It would be a mistake if we did. Cybercriminals are now using computer-generated hacking algorithms to create more persistent and efficiently resilient cyberattacks, yielding incredibly favorable results. AI-generated attackers don’t have the weaknesses associated with their human counterparts. They don’t grow weary of trying heuristically to access their targets’ networks. Consequently, they continue until they achieve their ultimate objective.

2. Increase in Cryptojacking. Criminals hacking criminals does not get a lot of press. After all, who cares, right? Wrong! Cryptojacking, if left unchecked, will bleed over to legitimate enterprise activities. Cryptomining of blockchain-generated cryptocurrency has become more attractive to cybercriminals of late. Hackers are leveraging the resources of legitimate computer systems to launch attacks against dark side extortioner sites. The criminals feel like they will go unpunished in that they are attacking the financial resources of a hacker, and no one would care. In the final analysis, to whom can the criminals being victimized voice their complaints?



3. Increase in the implementation of immutable backup systems. This will reduce the impact of ransomware attacks.  More organizations have established positions of not negotiating with cyber extortioners. They are deploying technology that will assist them in recovering quickly from cybercrime in the form of ransomware. One technology, in particular, is that of immutable backups. Regular backups offer some resilience against such attacks, but not much. If they themselves are compromised, they are rendered useless. On the other hand, an immutable backup is a backup that cannot be modified or altered by the intruder, thereby making it easier for an organization to recover from a ransomware attack.



About the Author

Zachery S. Mitcham is a 20-year veteran of the United States Army where he retired as a Major. He earned his BBA in Business Administration from Mercer University Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program earning a Strategic Management Graduate Certificate at Harvard University extension school. Mr. Mitcham holds several computer security certificates from various institutions of higher education to include Stanford, Villanova, Carnegie-Mellon Universities, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and a Certified Computer Security Incident Handler from the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditations Course in Kaiserslautern, Germany.

Shifting from a Reactive to a Proactive Cybersecurity Paradigm
https://cisomag.com/proactive-cybersecurity-paradigm/
Tue, 25 Jan 2022 05:55:18 +0000

For too long organizations have taken a reactive approach to dealing with threats and breaches. Incident reporting and incident response have been slack. But as the volume and sophistication of attacks have increased, it is time for organizations to take a more proactive approach. So among my three predictions, I mention proactive cybersecurity. Federal agencies will institute more aggressive and proactive requirements for operations and resources under their direction.

By Christina M. Gagnier, Shareholder, Carlton Fields

Here are my three key things that policy makers and organizations need to do in 2022.

Implementation of new requirements from government agencies on cybersecurity. Federal agencies will institute more aggressive and proactive requirements for operations and resources under their direction. The Transportation Security Administration is a prime example, as in December it announced requirements for passenger and freight rail operators to conduct vulnerability assessments, create incident response plans, and institute recovery mechanisms to avoid disruptions in operations in the wake of potential security breaches. Agencies will further prioritize reporting and oversight, creating focal points and coordination for data security incident reporting. The White House has announced programs to bolster the protection of the United States’ water supply, instituting cybersecurity measures to close the vulnerability gaps that exist due to the multiplicity of organizations that have a hand in the stewardship of this critical national resource.

Regulation of consumer data privacy and security at the device and product level. The privacy and security conversation surrounding the Internet of Things has centrally developed around the applications that leverage these advancing technologies, with much focus on companies creating applications that can be applied to certain devices or products rather than evaluating the devices and products themselves. In the United Kingdom, newly introduced legislation, the Product Security and Telecommunications Infrastructure bill, aims to share the cybersecurity burden with manufacturers and distributors of IoT devices, ranging from smartphones and tablets to smart home appliances. The change is a reflection of the identification of these devices and products as a point of vulnerability and target for hackers. A whole new sector of businesses will need to turn their attention to implementing robust privacy and security programs.

Incentives for businesses to develop cybersecurity infrastructure. Across the United States in recent years, state legislatures considered a variety of bills that would have created incentives for businesses that invest in cybersecurity. In Connecticut, H.B. 6161 was introduced, which, had it been adopted, would have created a safe harbor tax incentive for any business that had a cybersecurity plan reflecting industry best practices. In Hawaii, H.B. 454 would establish an income tax credit centered on businesses that innovate in the fields of cybersecurity and artificial intelligence. This “carrot versus stick” approach has traction, and the 2022 state legislative cycle will likely see more bills of this nature.



About the Author

Christina Gagnier, a shareholder in Carlton Fields’ Los Angeles office, is an experienced technology lawyer whose practice focuses on cybersecurity and privacy, blockchain technology, international regulatory affairs, technology transactions, and intellectual property. She advises clients on digital strategy to help them navigate uncharted legal territory, and guides a variety of technology companies and consumer brands through emerging legal and policy issues such as digital currency, the sharing economy, network neutrality, and the ever-changing area of consumer privacy law.

Countries Now See Cyberspace as a Legitimate Realm to Create Strategic Outcomes https://cisomag.com/countries-now-see-cyberspace-as-a-legitimate-realm-to-create-strategic-outcomes-in-cyberwar/ Mon, 24 Jan 2022 06:06:37 +0000 https://cisomag.com/?p=26159

The post Countries Now See Cyberspace as a Legitimate Realm to Create Strategic Outcomes appeared first on CISO MAG | Cyber Security Magazine.

More countries are now leveraging cyberspace in warfare, and you can see that in the most current news (the Russia-Ukraine conflict). This year you will see nations conniving with APT groups to deploy new methods of attack for cyberwar. Here are my three predictions for 2022.

By Dick Wilkinson, Chief Technology Officer at Proof Labs

2022 will see more proliferation of ransomware and likely a higher average payout for each attack. This trend has been ongoing for several years and does not seem to be nearing a peak or plateau. The relative impunity available to ransomware criminals means there is no end in sight other than the market capacity of how much companies are willing to pay. If you successfully robbed a bank and knew you couldn’t get caught, wouldn’t you do it again?

The good news for 2022 is the increase in cyber professionals entering the workforce. The labor shortage in cyber skills has been well documented, with projections showing the gap widening soon. The projections may be wrong. The recent upheaval in so many people’s careers has caused a significant shift to security roles where a new certification vs. a new degree could land you a great job. Barriers to entry in the security market are also being identified and actively changed by many industry hiring managers. The skills gap won’t close this year, but the tide has likely shifted in the right direction.

I believe we may globally see some cyber “firsts” where nation-states or APT groups deploy a new method of attack that was previously held back for political concerns. Many countries now see cyberspace as a legitimate realm to create strategic outcomes. The unspoken agreement to use cyberspace as a battlespace for proxy agitation and escalation will be more obvious this year, and some players will not hold back on the more damaging attacks any longer. Criminal APT groups are already part of the proxy nature of cyberwar, being directly controlled and funded by nation-states. Their involvement will rise, but the veil of secrecy on who they work for will become thinner.



About the Author

Dick Wilkinson is the Chief Technology Officer at Proof Labs. He also served as the CTO on staff with the Supreme Court of New Mexico. He is a retired Army Warrant Officer with 20 years of experience in the intelligence and cybersecurity field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, and enterprise cybersecurity to cyber research for the Secretary of Defense.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Cybercriminals Will leverage IoT and 5G for Large-Scale Attacks https://cisomag.com/cybercriminals-will-leverage-iot-and-5g-for-large-scale-attacks/ Thu, 20 Jan 2022 05:45:44 +0000 https://cisomag.com/?p=26063

The post Cybercriminals Will leverage IoT and 5G for Large-Scale Attacks appeared first on CISO MAG | Cyber Security Magazine.

In 2022, cybercriminals will leverage the combination of IoT and 5G to conduct large-scale attacks, and attributing these attacks may become much more challenging. Given the speed and capacity available through 5G, hackers will hitch this to their tradecraft to project 2022 as the year 5G-enabled cybercrime hits the front burner. Smart cities that have adopted 5G and are ingraining its power within their communities are more at risk. The burgeoning use of IoT devices, supercharged on 5G networks, will come as a ready tool for hackers to disrupt the high-tech social order within these communities.

By Favour Femi-Oyewole, Global Chief Information Security Officer (CISO) at Access Bank Plc.

In addition to this, I also predict the following trends:

The rise in Cybercrime Innovation and Commercialization. We will see an increase in cybercrime innovation, which will lead to increased compromise of organizations as hackers leverage more use of zero-day attacks. The commercialization of hacking as a service will draw skills from the underground and formal cybersecurity job market where brilliant minds with a dark side converge for bounty and bug hunting as they are induced or rewarded to discover vulnerabilities in demand on the dark web. The ability of well-known corporate brands to offer comparative reward incentives may skew discoveries in their favor.

Security Misconfiguration in SaaS Applications will be widely felt. Security misconfigurations related to identity and access management in the CI/CD pipeline at a critical supply chain provider would cause a cyber-incident like the SolarWinds debacle. While organizations will be stretched thin fighting cyber threats on all fronts, their ability to maintain a presence-of-mind approach to cybersecurity, by ensuring excellent security hygiene and posture re-assessment that scales and withstands the rigors of time and operations, will be a differentiating factor for global service providers. Sadly, this often forgotten corner piece of cybersecurity will once again come to the fore in 2022 as someone drops the ball.



About the Author

Favour Femi-Oyewole is a Doctoral Student at Covenant University, Ota, Ogun State, Nigeria. She is the Group Chief Information Security Officer in the Access Bank Plc overseeing the Information & Cyber Security of the Group office and the Subsidiaries. Favour also holds several certifications in the IT & Information Security and Cybersecurity field. She is a Cisco Certified Security Professional, Checkpoint Security Administrator, 1st female COBIT 5 Assessor certified in Africa, Certified Chief Information Security Officer, Certified ISO 27001 Lead Implementer, and Lead Auditor. She is also the first female in Africa to be a Blockchain Certified Professional.

Favour is a Certified ISO 27001:2013 Lead Implementer Trainer. She is an alumna of both Harvard Kennedy School (HKS), Harvard University, and Massachusetts Institute of Technology (MIT), USA. She is a member of the Cybercrime Advisory Council in Nigeria. Favour emerged as the 1st woman in the world to win the Global Certified CISO (C|CISO) of the Year 2017 from the EC-Council in the U.S.

Favour is also an active member of the Global Certified Chief Information Security Officer (CCISO) Advisory Board & Scheme Committee of the EC-Council in the U.S. She is a certified Data Privacy Solutions Engineer (CDPSE), a certification recently awarded to her in June 2020 by ISACA.
