Cybersecurity breaches and threats are relentless and, according to a new Forrester report, only going to get worse.
The report, Top Cybersecurity Threats in 2022, highlights the five cybersecurity threats firms are most likely to face this year.
According to the report’s authors, organisations should expect a perceived increase in the number of breaches without an increase in actual breaches.
They said, “This distracts from real problems as CISOs get bombarded with questions such as ‘Could this happen to our organisation?’ and ‘Does this affect our company?’ Actual threats are quieter. They are the implications that stem from strategic and tactical decisions.
“Some of these implications surfaced in 2021, with software exploits as the top cause of external attacks, followed by supply-chain and third-party breaches.”
The five threats are: serverless, B2B fraud, cyber insurance, the anywhere work model and systemic software vulnerabilities.
Serverless
Serverless adoption continues to grow: Forrester’s 2021 data shows that 32 percent of developers use serverless architectures, up from 26 percent in 2020.
While developers love serverless because it enables them to build features in hours rather than days, security pros struggle to keep up. In a recent report by Contrast Security, 61 percent of respondents considered a lack of purpose-built serverless security tools as their first or second biggest serverless challenge.
According to the report’s authors, “The lack of a holistic approach to securing serverless applications invites attackers to not only take advantage of misconfigurations, but also code flaws, broken authentication, and over-privileged functions.”
B2B fraud
Forrester estimates that identity theft increased 10 percent to 15 percent in 2021, accelerated by the pandemic and pressures to move customer onboarding to faceless, digital channels.
The report’s authors said that while identity theft may be victimless in some cases, such as when synthetic identities are used to apply for loans and credit, fraud exposes firms to regulators’ penalties, loss of brand image, and increased friction for legitimate customers. As a result, firms experience higher operational costs.
Cyber insurance
The sharp increase in ransomware attacks in 2019 and the long-tail fallout from multiple software supply chain incidents in 2021 led firms to buy or increase their cyber insurance coverage, according to Forrester.
This also made them a more attractive target for attackers. Reeling from losses, cyber insurance carriers scrambled to improve their underwriting processes and ramp up scrutiny of policy holders and applicants alike.
“This led to a 25 percent average increase in premiums and, for some carriers, the removal of coverage for specific attacks. What security leaders have long known but senior executives and boards are just now learning is that, without a risk mitigation strategy and investment in security program maturity, relying on cyber insurance alone is a threat to the organisation,” the authors state.
Anywhere work model
Working from home or a café may have its benefits, but the cons are more sinister than bad Wi-Fi. As job opportunities and demand for knowledge workers open up during the great reshuffle, organisations are adapting their working models to hybrid or fully remote as one way to attract and retain talent.
Forrester says that for anywhere work, enterprises often focus on controlling and managing the devices employees use and securing network access to data. That is only one part of the equation; data security and information governance are the other.
Organisations need to assess and identify risks in how employees collaborate, create new data and communicate via audio and video calls, to ensure there are no loopholes that create opportunities for fraud.
Systemic software vulnerabilities
Dependence on a limited number of vendors and software modules is an ongoing threat, Forrester explained.
As connected software proliferates across smart infrastructure and augmented reality, for instance, a vulnerability in one dependency creates a long list of targets for threat actors.
“The series of vulnerabilities in Log4j uncovered the ubiquity of the module. After the initial vulnerability came to light, researchers began to identify other vulnerabilities in the JNDI API,” the report authors said.
“Ransomware-as-a-service gangs, military and intelligence community experts, and security researchers will all look in parallel to find more. Open source software (OSS) continues to be an overlooked third-party risk — Log4j isn’t the first such vulnerability from OSS, and won’t be the last.”