Upcoming cyber security trends enterprises must prepare for
As the cyber threat landscape continues to evolve, we expect the coming months to bring new threats for all organisations – as well as an increase in familiar threats. So, what do we think will be the most significant cyber security trends in the next financial year?
Hackers for hire
The concept of hackers for hire is hardly new – many computer hackers who are untroubled by law or moral scruple find it lucrative to offer their skills to whoever will pay them. However, the industrialisation of the hacker-for-hire market has grown substantially in the past few years.
The ENISA Threat Landscape 2021 report explains that “hacker-for-hire companies operate legally in their country of operation and the market as a whole is currently semi-regulated”. Their clients – often nation states – “pay them mostly to conduct cyber espionage operations, get access to advanced offensive cyber capabilities and enjoy plausible deniability”.
ENISA identifies two main challenges: first, hackers for hire are unpredictable as their actions are governed entirely by their clients and, second, because hackers for hire are proxies, it is difficult for victims to identify either the hackers’ sponsors or those sponsors’ objectives.
Meanwhile, Facebook’s parent company Meta reported in December 2021 that its investigation into “cyber mercenary” firms targeting its users had identified “seven entities who targeted people across the internet in over 100 countries”.
We expect this threat to increase in the coming year as the hacker-for-hire market continues to grow – despite action from organisations such as Meta.
IoT and firmware attacks
It is likely that malware attacks on the IoT (Internet of Things) and firmware will increase.
Criminals will always pursue the easiest targets. So, as organisations get better at deploying technological cyber security solutions, attackers will focus on areas that are more likely to be overlooked.
With IoT devices, security is all too often an afterthought and default security settings are frequently left unaltered – if the opportunity to reconfigure them is available at all. This gives attackers greater opportunity to infiltrate networks.
As organisations concentrate on identifying software vulnerabilities and applying patches, they can also overlook firmware security. Indeed, a Microsoft report from last April found that 80% of organisations had suffered a firmware attack in the previous two years, but only 29% of security budgets are allocated to protecting firmware.
Unsurprisingly, there have been several high-profile firmware attacks in the past couple of years, such as Thunderspy and RobbinHood. We expect to see more of them this year.
According to a BBC article, also from last April, firmware attacks are most likely to be carried out by nation-state attackers.
Russia, China, North Korea and Iran
Much has been written about the blurring of the boundaries between war and peace in the information age. Perhaps the most useful explanation of information warfare can still be found in the Russian Chief of the General Staff Valery Gerasimov’s article “The Value of Science is in the Foresight”, originally published in the Russian paper Military-Industrial Kurier in February 2013.
Russia’s modern warfare strategy, known by many in the West as the Gerasimov Doctrine as a result of that article, recognises that “nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness”.
This rise in the effectiveness of cyber and information warfare explains the rise in nation-state attacks from other nations too.
So, as well as an increase in state-sponsored attacks from Russia and China as they try to dominate the cyber threat space as part of their longer game against the West, we expect North Korea and Iran to become more effective players as they attempt to counteract the impact of sanctions by stealing more and more money via cyber crime.
The skills shortage
The increase in attacks will be exacerbated by the ongoing shortage of appropriately trained and skilled information security and cyber security practitioners.
A March 2021 DCMS (Department for Digital, Culture, Media & Sport) report estimated that the UK’s cyber skills shortage ran at about 10,000 people a year, and according to its infographic “Cyber Security Skills Gaps and Shortages in the Cyber Sector in 2021”, the biggest areas of concern were:
- Incident management, investigation or digital forensics;
- Assurance, audits, compliance or testing;
- Cyber security research;
- Threat assessment or information risk management;
- Cyber security governance and management;
- Implementing secure systems;
- Operational security management; and
- Business resilience.
Harvey Nash’s Digital Leadership Report, meanwhile, found that more than two thirds of digital leaders were “unable to keep pace with change because of a lack of expertise”, with three skills more highly sought than any other: cyber security experts, big data analysts and technical architects.
Ensuring your organisation has the skills it needs to counter the risks it faces is critical to its security and success. As the skills gap is expected to worsen, it is more important than ever to invest in training to nurture the capabilities of your existing employees.
One glimmer of optimism among all this doom-mongering is the prediction that ransomware defences will improve across the board.
Awareness of the increasing threat of ransomware is growing. Enough high-profile incidents have occurred for organisations to understand that the risk is real and the effects of a successful attack can be devastating.
We therefore expect organisations to implement better technological security solutions as well as training their staff to better understand the ransomware threat and how to counter it.
However, as organisations adapt and improve their defences, attackers adapt too. We therefore also expect ransomware attacks on supply chains to increase. You can, after all, cause far more damage and disruption – and make more illicit money – with an attack on a supplier that affects many other organisations.
Organisations therefore need to ensure they include information security audits in their due diligence processes, or use only those suppliers that can provide suitable assurances about their security via certification to accepted standards, such as ISO 27001.
Defence in depth
In the face of the challenges that the rest of 2022 will bring, we expect more organisations to take a defence-in-depth approach to cyber and information security. This recognises that multi-layered defences are the most effective way of forestalling cyber attacks and preventing data breaches.
Keeping your technological systems up to date by conducting regular penetration testing to identify vulnerabilities and applying patches in a timely manner is only part of the battle: some attacks will inevitably get through these defences, so it is essential to train your staff to recognise their role in securing the organisation.
As your last line of defence, it is critical that they recognise phishing emails – the means by which most malware, including ransomware, is spread – as well as understanding exactly what to do if and when an incident occurs. Having appropriate cyber incident response plans in place will mean that your reaction is fast and efficient, enabling you to return to business as usual with minimal disruption.
Alan Calder is CEO of GRC International Group