Ah, the holidays. As we roll up to the end of the year, one thing’s as certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.
And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.
Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.
And on Twitter, the feeling is similar…
So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.
We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.
Infinity Trend One: People are (still) gonna fall for the same ol’ sh*t
Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why.
You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.
Infinity Trend Two: You’ll (still) have to explain why cybersecurity matters to the CEO
Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.)
Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey revealing that chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall, 63% of organizations, don’t get the kind of support they need from their CEO.
If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here are the only three metrics they care about.
Infinity Trend Three: Attacks will (still) come after lunch or at the end of the day (on a Tuesday)
Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious and slipped past secure email gateways (SEGs).
Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.
Interestingly, Tuesday – not Friday – was the day employees sent and received the most emails, and that’s also the preferred day for spear phishing. One particular Friday does rank the very highest, however: Black Friday. So if you’re reading this… incoming!
It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions?
Infinity Trend Four: Your biggest risks will (still) come from ‘inside the house’
The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over 1,000 security professionals found that 61% think an employee will cause their next data breach.
Infinity Trend Five: Hiring a diverse team will (still) be one of your biggest priorities… and challenges
Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.
Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.
InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.
So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.
So our number one cybersecurity ‘trend’ for 2022?
Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?
Until then, Happy Holidays!
Josh Yavor
Chief Information Security Officer