2022 Cybersecurity Predictions
Last year wasn’t all bad (but we’d be lying if we said we weren’t happy to see it go).
You could call it “transformative.”
#Digitaltransformation continued to be a trending topic throughout 2021 as workers carried on remotely, IT and tech spend increased, and screentime was normalized for all ages. Many of our predictions from last year held strong, including Patrick Nohe’s foresight on our collective reliance on eCommerce. Hackers were quick to pick up on the trend, with plenty of attacks to keep our resident news curator busy. As predicted, there’s also been substantial movement on the government front, with new initiatives to tackle online security and privacy on the table in the US.
Curious what our experts envision for 2022? If they’re as on-target as they’ve been in years past, we’re in for a few more memorable cybersecurity moments.
Check out their thoughts on what the future may hold, and stay for enough "related reading" to keep you busy well into January.
2022 will be the year of the SBOM
Code signing and virus scanning alone will be deemed insufficient to safeguard networks against the spread of malware. Enter the Software Bill of Materials – SBOMs. The SolarWinds hack exposed one of the greatest vulnerabilities organizations face when it comes to determining the impact of ransomware or other types of malware injected through what often looks like legitimate software. SBOM tool adoption will increase as organizations look to equip themselves with fast and effective tools to quarantine only the compromised areas of a given networks. The Wholesale Electric Industry among other critical infrastructure participants will lead the way as CISA begins providing baseline cybersecurity policies around third-party software management. By knowing exactly what software and software version is running where in a network, organizations will be able to prevent and respond in a much more agile way, reducing operational impact among other negative consequences.
Malicious parties will continue to abuse the COVID-19 pandemic
The COVID-19 pandemic and everyone working from home has sparked a series of attacks targeted towards the pandemic and new ways of working. Since March 2020 we have seen a string of diverse attacks from phishing to the sales of fake COVID-19 vaccination certificates.
It is highly likely that these attacks continue in 2022 but we should also expect to see an increased shift towards malicious parties focusing on attempting to break digital COVID-19 certificates and their validation mechanisms to produce and sell forged COVID-19 certificates.
Post-quantum cryptography (PQC) standards will start to be built
Research and discussions on quantum, most especially post-quantum, computing have increased significantly in recent years. One the most interesting security aspects to be considered is that quantum computers – whenever widely available - will be able to break many of the current public-key cryptography systems. This could represent a serious cybersecurity threat affecting various digital communications and data systems currently in use.
According to Nature, the fastest quantum computers today have no more than 100 qubits, and are plagued by random errors. In 2019, Google demonstrated that its 54-qubit quantum computer could solve in minutes a problem that would take a classical machine 10,000 years.
Post-quantum cryptography (PQC) is aimed at developing cryptographic systems that can be secure in both classic and quantum and computers. The speeds at which problems will be solved will increase by many orders of magnitude. But in order to do that, new cryptography standards must be established.
The National Institute of Standards and Technology (NIST) has been focused on doing just that since 2016, when it launched a call for proposals about PQC to start the standardization process. The competition, which is focused on public-key encryption and digital signature algorithms, is now in the final phase of review with seven remaining finalists. When the winning algorithms are announced next year, NIST plans to use them to establish one or more quantum-resistant public-key cryptographic algorithms and build PQC standards before 2025. Following that, companies can finally begin to implement technologies based on the new algorithm, ushering in a whole new era of security products.
Industries where we'll see the where will see post quantum technologies adopted fairly quickly include IT, financial services, and automotive.
In IT, PQC will continue to be used for software verification or classification of unstructured data.
In the financial sector, you can expect quantum computing used to forecast and predict market trends or to make trading strategies by the likes of Goldman Sachs and Citigroup.
We’ll also see more partnerships like Volkswagen’s work with Google for developing traffic management programs.
- Read our blog, "What is Quantum Computing? A Quick Guide"
- Read the Forbes article, "Don’t Get Fooled by Post-Quantum Snake Oil: We are Still Years Away from Being ‘Quantum-Proof’"
- Download the eBook, "Planning for the Unknown: Why IT Leaders Should Focus on Cementing Their Cybersecurity Infrastructure Now, Not Later"
eIDAS and qualified certificates will see even greater adoption in 2022
As world around us becomes more digital, more processes will be streamlined and become paperless. Because of that, the trust and integrity in documents will become even more important. We will see more adoption of digital seals and signatures as a result of this. Also, eIDAS Qualified level certificates will see increased adoption in the EU, along with advancement in eIDAS schemes. This will lead to faster creation of Qualified certs and its application via remote signing service providers. eIDAS will also serve as a benchmark for many more countries in non-EU regions. As a result, we will see these countries reconsidering their current frameworks on electronic form of signatures and records, pushing them to be in line with global practices led by eIDAS, leading to the openness towards global standards and mutual acceptance of trust lists.
2022 will be the year eIDAS finally takes off
While with the eIDAS (electronic IDentification, Authentication and trust Services) regulation was established in 2014, the adoption of it was quite slow.
The framework built around it was missing the market players to provide the technology for big scale adoption which left the companies with not enough options to actually implement it.
Over the years we have seen many innovative solutions hitting the market which has driven competition and increased automation while lowering the costs. Hosted signing services have been required to provide a high throughput, scalable and API-based solution. The implementation of these services for Digital Archiving, Document Management System (DMS) and Customer Relationship Management (CRM) Providers to meet the needs of their customer for eArchiving and eInvoicing became essential.
GlobalSign saw this need and answered with the Digital Signing Service and offered with it a cloud-based solution taking the hardware burden away while adding the flexibility to sign against a company identity adding employee or department names.
With COVID-19 hitting Europe in early beginning of 2020 and impacting every aspect of our lives, it accelerated at not only companies, but entire industries, to digitalize their processes and workflows. The time for eIDAS has finally arrived given all the sweeping changes that have taken place due to the pandemic.
If we look at the challenges of Digital Transformation, we can see that most of them are related to adding trust and authenticity to a formally analog workflow. Audit trails needed to be well documented, signers of contracts or work orders need to be identified and all additional “data in transit” needed to be secured.
We see the effect mostly with current service provider and customer projects related to Document Management. Customers are increasingly demanding at a minimum Advanced Electronic Seals, looking to provide trust and integrity to their outgoing communications to prevent fraud and phishing while complying with eInvoicing and eArchiving regulations under the eIDAS framework.
With all this in mind, my prediction for 2022 is that we will see these foundations as established standards for digital transactions and processes while setting Advanced Electronic Signatures as the minimum standard applied for digital documents.
What’s ahead for the SMB marketplace in 2022
It’s inevitable that, when speaking about predictions, the pandemic has influenced how we deal with progress and technology today and has accelerated future progress! We live in a dynamic world, which is continuously and rapidly changing. The digital transformation movement has brought the capacity to easily communicate with every other person, and to access myriad forms of information and knowledge without any concerns. Also, as a result of significant advances in artificial intelligence (AI), today’s digital technologies are becoming increasingly smart and personalized. The interaction of almost every human experience is mediated through a sophisticated shell connected to big data. Here’s my take on what I see happening in the SMB market next year:
- Ways of working - Remote work is here to stay and how we function in today’s world has dramatically changed. More importantly, the impact of these “work from anywhere” models is so much more than the location change. The pandemic showed us that maintaining strong privacy protections and cybersecurity measures for remote workers is an even bigger challenge and more important than ever! Technologies such as S/MIME for secure email, SSL for website security and authentication will be necessary to protect SMBs from cyber attacks.
- Collaboration in the post-pandemic age - Having to respond to what could be the fastest social change in modern times, companies worldwide enabled remote workforces nearly overnight. Small business owners need to get business done faster, securely and a digital signature streamlines their ability to submit documentation from wherever they are, whether it’s an engineer submitting their drawing or a principal sending a proposal from his/her home office – the digital signature acts as a form of “digital ID card” and can verify the identity of the signer and also ensure a document’s contents haven’t been tampered with both domestically in the US and now available internationally due to a clever regulation called eIDAS. Digital Signing is definitely an SMB game changer!
- AI - The challenge for SMBs has been to adopt the conveniences of AI (artificial intelligence) to everyday operations. SMBs need to continue to do so and evolve implementing a strong authentication strategy will help secure all aspects of their business model.
- Customer Service – finally consider that the pandemic inspired SMBs to renew their focus on customer service. What this boils down to is that it’s critical for SMBs to know how to communicate with their customers, while still delivering excellence. But don’t lose sight that delivering that premier experience must be done while remaining secure. Which is why it’s important to choose the right vendors to help your small or medium business reach its goals while maintaining a secure experience for your customers.
Broad enterprise adaption of Cloud and zero trust increasing account and authorization risks
As enterprises are now at large scale moving away from on-premises file storage, there will be an increase in attacks oriented at compromising employees’ SSO (Single Sign-On) credentials to obtain access to all their cloud services including personal and departmental file storages. A lot of security barriers that prevented access to traditional on-premises file storage (LAN access, VPN credentials …) do not exist within the Cloud realm and breaches during the last year have pointed out the criticality of implementing MFA and proper monitoring for cloud SSO account access. Increased cloud adoption also brings a different set of challenges towards employees taking copies of company confidential information on unmanaged devices. Whereas in the old days data would only reside on corporate laptops and infrastructure, a cloud environment supported by insufficient authorization and monitoring control can lead to unknown/uncontrolled copies of data which are at risk of being leaked when (ex-)employees grow malicious or a device carrying an unknown copy is compromised.
EU key management needs will grow
The recent news of ‘EU Digital Covid certificates’ private keys circulating on messaging apps, like Telegram, gives us a bitter foretaste of what we may expect in 2022.
With an ever-increasing demand for digital identities (and therefore PKI) from governments and issuing bodies - but limited time - resources and skilled people can address these requirements.
When such ‘dramatic’ key compromise occurs, which can have an impact on thousands of users, we – as identity providers – reiterate the vital need for proper key agility and key rotation. This forms the base of any healthy key management practice.
Cryptographic agility acts as a safety measure or an incident response mechanism when a cryptographic primitive of a system is discovered to be vulnerable.
Rotating keys on the other hand help meet industry standards and cryptographic best practices.
PKI is ‘as strong as its weakest link’; so even with the best intentions and the greatest precaution, one misstep can make the house of cards fall apart. But the important thing is not the fall, because the fall is inevitable nowadays. The important thing is to know how to get up and restore your ecosystem/structure.
Don’t take risks, outsource your PKI to those that build their expertise around it; or end up with forged certificates in the name of Adolf Hitler, Mickey Mouse, or Sponge Bob.
- Check out our infographic, "Best Practices for Key Management"
- Learn how Auto Enrollment Gateway can help you manage encryption keys across your entire organization
Hybrid work environments will open many businesses up to breaches and cyber attacks
Over the course of the last two years many organizations have been forced to rush through a digital transformation just to keep the lights on and the doors open, so to speak. This is typically not a process that’s undertaken under duress, much less on such an expedited timeline. Now as we begin a gradual return to the office – balancing remote and on-site work arrangements – the trend we’re seeing is a disturbingly high number of companies that have inadvertently created vulnerable hybrid work environments. And while the natural tendency may be to focus on ensuring the transition back into the office goes safely and smoothly, it’s important to also continue taking steps to ensure your company’s digital workplace is safe, too. 2022 will see an uptick in attacks and breaches that leverage these newly opened attack vectors. With an ever-growing number of connections from devices and machines, both within your network and outside, it’s never been more important to secure access, manage identities and understand the risks associated with our new-fangled mid- and (hopefully, eventually) post-pandemic work arrangements. Now if there was just someone, a trust partner, that you could call for help. . .
Biometrics and digital IDs in Africa may lead to new problems around data privacy and surveillance
The African continent has now fully embraced biometrics technology and turned itself into a technological hotbed for developed countries in search for greenfield opportunities in this subject.
Thanks to large investments of organizations like the World Bank, several Western and Central African countries have been able to drive their digital growth at a higher pace and reverse some of the socio-economic inequalities in the region.
In parallel, large nations like China or Brazil have sought their chances to make early investments in a region where a real revolution is about to happen.
For (African) governments, the attraction of biometric identification is self-explanatory; more control, more taxes, more revenue, more development. It’s almost a no-brainer for them.
For enterprises, it can also lead to a more robust identity management and a more secure network protection.
Even for the citizens, this digitalization can lead to more wealth and more access to various services if the biometrics are integrated into robust service delivery programs.
So, it’s a win-win situation for everyone.
But this holistically built identity management ecosystem seems to face the same challenges as we do in the Northern hemisphere.
Implementation plans running ahead of legislation and reaching complete inclusivity amongst its population and talent retention in the public sector are some of the challenges faced by these freshly digitalized governments.
And I’m not even mentioning the data privacy concerns surrounding the level of protection of sensitive personal data; or the illegal digital surveillance of some African governments on their citizens, despite privacy rights being well protected on paper.
Are we all making the same errors again? Or is identity management subject to flaws and misuse by design?
Businesses will be forced to reckon with the cookie conundrum, and a possible “Brexit Plus” in the UK
The world changed dramatically in 2020 and continued throughout 2021, but the pandemic was only one of the events taking place. Data Protection saw some of the biggest financial penalties imposed to date in such cases as Google and Amazon taking top spots with that near $1 billion fine levied against the latter.
So, what are we in store for in the next year?
There are 2 hot topics bubbling away in the industry that will come to the fore.
Firstly, the subject of cookies. These seemingly harmless little files on your computer are portrayed as the way to make the web a faster experience, but that comes at a cost – your privacy. Your average person on the street is now much more aware of their privacy and how companies are using cookies to track their every move. Super cookies, making use of local storage caches, only compel the issue. In the next year, browser providers will be forced to address this issue. Google and Mozilla have already committed, but they’re not the only ones. Could those already combating it bring their schedules forward? The public momentum will only grow and with companies such as Meta hitting the headlines frequently for data privacy violations, even your casual web visitor will be informed and empowered to act.
We’ve all been bombarded with cookie walls and banners when we go to websites and this brings me onto the second hot topic coming up in 2022. The UK Government, along with regulators, have decided that these intrusions are not conducive to a positive web experience and so are talking about deviating from the EU GDPR framework to ‘go it alone’. Although details are sketchy just now, one thing is for certain – the UK can’t stray too far if they want to keep relationships and data traffic routes open for businesses to continue operating efficiently. Of course, this is all borne from the lack of correct cookie management by website publishers. Should the law be changed and risk our global data abilities – or should we simply educate privacy practitioners, web developers, and other stakeholders on doing things better? 2022 might well see the UK operate a ‘Brexit Plus’ and who knows where that will lead.
Security standards will change across industries
- Here's what I see happening in 2022:
- - Shorter live certs will be required in more industries
- - Government will adopt better security
- - Remote work for more companies as a must- more remote services – but also more individual attacks to employees
- - Sign documents with biometrics