At the outset of 2022, there is more reason to worry about cybersecurity threats than usual. Not only are threat actors evolving, but the post-pandemic economy has ushered in new trends that are changing the cyber landscape for the worse.
In the long term, the global cost of cybercrime is projected to reach $10.5 trillion by 2025. Not only will this be a massive transfer of wealth, but the cost will ultimately fall on consumers and private individuals who depend on businesses to protect their data and financial information.
In the short term, there are many lessons to be learned from the cybersecurity oversights of 2021. The three biggest cyber misses in 2021 are software supply chain, ransomware and phishing attacks and mobile security and remote devices.
The first miss occurred at the beginning of 2021 when numerous federal agencies and private businesses were affected by the hack that involved SolarWinds and other organizations. This brought much-needed attention to software supply chain vulnerabilities.
For the past two years, global ransomware incidents have steadily climbed from quarter to quarter, increasing by 151% in the first six months of 2021. On average, businesses shelled out $102.3 million in ransomware fees per month last year, impacting industries from healthcare to energy and finance. Throughout 2021, phishers adopted sophisticated tactics to screen their victims in advance—a trend that will likely continue in 2022.
Finally, according to a Gartner forecast, 51% of knowledge workers and 32% of the global workforce now work remotely. Attackers have shifted their attention to mobile devices, and many businesses are not prepared for the additional cyber burden. While mobile phishing attacks increased by 161% throughout 2021 within the energy industry alone, a disconcerting number of employees admit to using their work devices for personal tasks or sharing them with others.
The Biggest Miss: Content Is Cyber
The overarching lesson from the top cybersecurity misses in 2021 is that overlooked threat vectors are always the most devastating. Before the end of 2020, few organizations were concerned about their software supply chain. Heading into 2022, most businesses are ignoring a risk of equal or greater magnitude: the cyber impact of web and mobile content—everything including news, social media, gaming, researching and shopping.
For years, the web has been mostly ignored as a channel for phishing and ransomware attacks, which are blamed on more traditional channels like email. However, consumers and employees spend vastly more time today on the web than they spend reading emails—and, unlike email, most organizations have not made the efforts required to secure their online domains.
In 2022, I believe this oversight will catch up with businesses; up to 98% of websites possess third-party vulnerabilities, which make them susceptible to client-side attacks. Meanwhile, the potential threat from these vulnerabilities continues to expand in alarming ways.
An Overlooked Risk
As time progresses, websites become more dangerous due to increased reliance on third-party code. The security risks of third-party code are often considered in other contexts, such as app development, but are conspicuously overlooked when it comes to the web. Such risks include:
- Consumer safety. Web-based attacks can be used to compromise visitors’ IP addresses, credit card numbers, locations, personal identities and more. Out of more than 14 million malicious URLs identified in 2021, 51% were credential stealing, a number that will likely rise.
- Business impact. As a channel for phishing attacks and installing backdoors, compromised web content is used to target organizations and employees on an individual level. Compromised content, downloads and attacks from third-party code on websites and apps lead to ransomware, data leakage, spyware and other malicious attacks.
- Data privacy. Malicious or compromised third parties are often in flagrant violation of emerging data privacy legislation such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. These violations can lead to fines and lawsuits.
- National security. With microtargeted and location-based messaging, compromised apps and websites can be used to access lawmakers, politicians and intelligence officials. Abuse of personalization features is also used by foreign actors to spread misinformation and divisive messaging ahead of democratic elections.
As businesses across every industry increasingly rely on the web to facilitate transactions and connect with customers, these risks can no longer be ignored. Addressing them should be a cyber priority for every organization in the coming year.
The Year of Digital Safety
Cybersecurity risks do not exist in a vacuum; consequently, the biggest cyber oversights of 2021 are all connected to each other. Insecure web and mobile surfaces exacerbate the risk from ransomware and phishing incidents, mobile attacks and more.
The web and mobile web ecosystem is our biggest cybersecurity gap. Here are a few ways that businesses can address these shortfalls in 2022.
- Implement a risk governance program with comprehensive digital attack surface mapping in order to control what’s allowed to execute in your digital environments.
- Identify and document all code executing across your digital asset third-party supply chain, with vendor attribution, domains and more
- Implement AI and adversarial neural networks to thwart tactics such as code obfuscation, URL/IP filtering, domain jumping and more.
- Analyze and classify third-party code for relevance and contribution to web and mobile web functionality
- Stop depending on ad blockers and consent management platforms (CMPs) and look for ways to detect and block bad code in real time, without impacting legitimate business functions.
In short, you need to know who is targeting your company via websites and apps. In 2022, organizations that care about protecting their revenue and customers will start to address this long-ignored problem in earnest: They will stop depending on band-aid solutions and prioritize digital trust and safety.