Cybersecurity trends for 2022

This article was first published in Infosecurity

With the Omicron variant now sweeping through the population at pace, and booster jabs well underway, we are expecting 2022 to cement the hybrid working we put in place this year by continuing to work remotely as well as in the office.  This emphasizes, rather than changes, the focus for cyber security in 2022 - but that’s not to say it’s going to be ‘just like last year’. 

The similarities are likely to be a continued targeting of the supply chain and ransomware still prevalent, with cyber an enabler for conventional crime. It is likely, however, that Operational Technology (for example, in the Critical National Infrastructure) and Internet of things (IOT), (the soft underbelly of our ‘convenience software’) will be more of a target as the software they run on is often old and un-patched. We may also see a significant SaaS compromise, either through attack or accident, as Cloud proliferates and there is a mismatch between provider and consumer security expectations. 

There are some key areas we have begun to make inroads in 2021 that we need to build on in 2022:   

• Resilience 
• Secure by Design 
• Skills 
• Technology 

Resilience 

COVID-19 has highlighted the need for resilience and the role of government and business in providing it. The ability for organisations to grow in the digital world and take advantage of new technology and routes to market is underpinned by good cyber security - both of the organisation itself and its supply chain.  

In 2022 the idea of being resilient throughout the supply chain and being able to continue to operate in the digital space regardless of the physical, will become more of a focus. The optimism that we will get ‘back to normal’ is replaced by a realization that this is the new normal and organisations have to design their systems and processes to make the most of it. 

Secure by Design 

The increasing interconnectivity between – and across – the UK infrastructure and information means that an expectation that systems are ‘Secure by Design’ has to become a reality. This is as much the responsibility of the manufacturers and users as it is of government. Government needs to set the standards, but industry should be designing security in whether they are asked to or not. In parallel, consumers should be using the systems as they were intended and valuing their own data security. 

Electric vehicles, for example, can now be updated remotely and are reliant on a charging network that also carries financial information. This rapidly becomes a significant target unless security is designed in, along with the mindset that it is more than just a fueling and maintenance facility; the implications of access to all a vehicle’s data and systems is far greater than that. Similarly, with IOT, a country wide consumer device breakdown would be inconvenient if it’s your fridge, uncomfortable if it’s the central heating, but potentially life threatening if it’s your medical device or only form of communication. 

Skills 

The skills gap is certainly not new for 2022. Globally we have been short of cyber skills by about 40% for several years (according to the Department of Digital, Culture, Media and Sport and others).  This indicates that we are looking at a ‘lagging’ skills market and will always be short of scarce skills as the demand for digital and cyber skills grows. So, we need to look in non-traditional pools and train people to generate scarce cyber skills in 2022.   

Alternative routes to cyber skills have looked at aptitude, curiosity, persistence and natural interest in cyber and digital. The results were astounding; drawing from a wide pool of people who hadn’t worked in cyber or STEM before - ranging from firefighters to chefs to beauticians - several hundred candidates were considered for 29 places, leading to 25 still in technical cyber jobs three years later. 

Getting this technical cadre in will help. As will de-mystifying cyber and making it more relevant and accessible to the workforce as a whole. 2022 needs to be the year of using remote working to make cyber security a key enabler to organisations meeting their business objectives. 

Technology 

There are many tech trends that will impact 2022 but the key ones to call out are: AI, Cloud and Quantum 

• AI – the discussion will move even more to the ethics and governance of AI, and how we protect the data sets upon which it bases decisions. AI is as biased as the world in which it operates so we need to design in the ability for it to question and be sceptical of the data sets it ingests and for it to ask for advice to keep it on the straight and narrow. 
• Cloud – The cloud is still someone else’s server and there has to be a mutual understanding of what your data needs and the security your Cloud provider offers. We are likely to see more complex multi cloud environments to enable data to be physically located within countries where required. This will add to the complexity of cyber monitoring and security.  
• Quantum – While not yet widely available, quantum capability is coming and there is a potential for rogue actors to capture encrypted information (IP, government data and so on) now in the anticipation that quantum will enable its decryption in a few years’ time. 

So while there is likely to be a continued increase in reliance on digital and data, and a commensurate increase in attacks, there are a variety of actions we need to take to embed cyber security in our systems, processes and mindset.  Doing these well will mean we can seize the opportunities offered by new technologies to grow safely in the digital world.