DigiCert 2022 Security Predictions
November 2021 by DigiCert
As our year winds to a close, many of the uncertainties that shaped 2021 remain. The cybersecurity challenges that accompanied the pandemic have persisted, as hybrid remote workspaces have become a way of life. And through it all, the threat landscape continues to evolve, as innovations in cloud computing and other arenas open up new threats — some in unexpected areas.
To take stock of where we’re at and what lies on the horizon, we’ve once again gathered our team of cybersecurity experts, including Jeremy Rowley, Avesta Hojjati, Mike Nelson, Jason Sabin, Dean Coclin, Stephen Davidson, Tim Hollebeek and Brian Trzupek. Let’s take a closer look at what they observed in the crystal ball for 2022:
Prediction: Supply chain, ransomware and cyberterrorism attacks will continue to escalate
The fallout from audacious attacks like the SolarWinds episode and the Colonial Pipeline breach was all over the headlines in 2021. The successful attacks shined a spotlight on three critical cybersecurity battlegrounds — and likely emboldened hackers. Some threats that are likely to thrive in the coming year include:
• Supply chain complexity and vulnerabilities grow. The SolarWinds breach was based on malware in a software update that had gone undetected. However, securing software isn’t easy in fast-paced DevOps-driven organizations. That’s because most workflows are all about pushing deliverables out fast, rather than security by design. As development processes and supply chain for devices become more complex, the attack surface will only grow. The good news is best practices like code signing can help companies bake security into each stage of the development process. They can take control of development and confirm the integrity of code before it moves further along in the development cycle and out to production environments and customers. Awareness of the dangers of key sharing and inspecting code along each step of the development cycle, as well as preventing tampering after signing, will go a long way to secure code. Setting up a software bill of materials (SWBOM) can also provide visibility into code sourcing, tracking all the components that make up a software app.
• Cyberterrorism will embolden bad actors. Cyberterrorists demonstrated their potential to paralyze infrastructure in events like the attacks on the Colonial Pipeline and the Oldsmar water treatment facility in Florida. The Florida incident could have had serious consequences, as the attacker was attempting to poison the city’s water supply. New opportunities are emerging all the time, limited only by attackers’ imaginations, and high-profile technology environments such as private space launches and elections could prove inviting targets. Public and private organizations that are vulnerable to spectacular cyberattacks will need to redouble their focus on a zero-trust approach to security.
• Ransomware will continue to expand its reach. Ransomware attacks impacted a diverse array of industries in 2021, including healthcare organizations, technology companies, automotive manufacturers and even the NBA. Like cyberterrorist events, ransomware attacks often attract heavy press coverage, which can further encourage bad actors seeking publicity. We predict that ransomware attacks will continue to escalate, especially as the use of cryptocurrency expands — and makes ransom payments harder to trace outside the banking system.
Prediction: Trust and identity step up in business processes
Companies in every industry have been embracing digital transformation for years, and the trend is accelerating. Research shows that the global digital transformation market is expected to grow at a compound annual growth rate (CAGR) of 24% from 2021 to 2028. As complex technology becomes a deeper part of every organization’s most critical processes, we predict that the use of digital signatures will increase — and will require a stronger level of trust and identity.
• Stakes are growing for digital signatures. We predict that more workflows will be associated with digital signatures, in industries like financial services, real estate, healthcare and education. Digital signatures are also helpful for organizations with hybrid work, to onboard or support remote employees. The stakes are growing as digital signatures become more widely accepted, and a recent lawsuit in Austria/Switzerland actually invalidated a €3 billion agreement because it utilized the wrong digital signature.
Long a leader in deploying electronic signatures, Europe is updating its eIDAS Regulation, learning the lessons of the COVID-19 pandemic to enable high-quality remote validation of signers’ identity by Qualified Trust Service Providers. In addition, new proposals will dramatically expand the use of government-issued eID to facilitate cross-border interactions. These changes are part of an ongoing trend to restoring control of identity to citizens, rather than private companies.
• Identity and trust power the IoT and more. For data-driven use cases like the IoT, trust is more important than ever. Devices like healthcare monitors, industrial control devices, home security systems and vehicle sensors all depend on the integrity of their real-time data to support processes and decisions. As the adoption of 5G technology accelerates, we’ll see an increasing convergence in IoT and 5G applications — which could invite more attacks. PKI remains a robust, proven method to assure trust in IoT environments. Prediction: The post-COVID threats will persist and evolve Last year’s predictions included a variety of security threats that were directly tied to the COVID-19 pandemic. As the pandemic slowly recedes, we predict that those threats will continue to remain. We are seeing increasing use of contact-less technologies in airports, retail environments, restaurants and other public spaces — all of which are vulnerable to cyberattacks. Digital ID schemes such as drivers’ licenses and healthcare records are becoming more widely used — and also remain possible points that can be hacked. Prediction: Post-quantum computing will challenge the security status quo A DigiCert survey found that 71% of IT decision-makers believe quantum computers will be able to break existing cryptographic algorithms by 2025. That means security organizations will need to rethink security for a post-quantum world. Post-quantum cryptography (PQC) can strengthen cryptography, decreasing the possibility of security breaches. But many companies lack a clear understanding of the crypto they deploy, so they will want to take proactive steps to locate all the exposed servers and devices and rapidly update them when a fresh vulnerability comes to light.
We predict some major developments in the PQC world in 2022, as NIST is expected to announce the winner of their effort to replace current versions of RSA and ECC encryption algorithms.
Prediction: Automation will power cybersecurity improvements
As organizations work to keep the lights on and scrutinize the bottom line, there will be a resulting push for efficiency in security technologies. Security teams will be asked to do more with even fewer resources. 2022 will bring an emphasis on technologies that allow organizations to do more with less, and automation will play a significant role in terms of security innovation in the New Year. A recent DigiCert survey showed that 91% of enterprises are at least discussing automating the management of PKI certificates. AI and ML technologies will continue to play an essential role in powering this automation. Prediction: Cloud sovereignty will create new security demands In an increasingly multi-cloud world, traditional perimeter-based security approaches have become obsolete. We predict that cybersecurity challenges will become even more demanding as cloud services become more granular. Organizations are deploying cloud solutions that are increasingly subject to local jurisdiction and regulations. Cloud sovereignty controls are focused on protecting sensitive, private data, and ensuring that data stays under owners’ control.
For example, T-Systems and Google Cloud recently announced that they will build and deliver sovereign cloud services for enterprises, public sector and healthcare organizations in Germany. As more of these sovereign cloud initiatives emerge, we predict organizations will require an increasing awareness of regional security requirements.
Prediction: VMC trust and identity will change the face of email marketing
It’s not easy to stand out in a busy marketing environment, but new technologies are emerging that can help marketers make a lasting impression. According to a study by Wpromote, 31% of B2B marketers were making brand awareness their top priority for 2020. We predict that organizations will increasingly adopt Verified Mark Certificates (VMCs) to build their brand equity and strengthen trust.
Part of a cooperative initiative with the Brand Indicator Message Identification (BIMI) initiative, VMCs certify the authenticity to display a logo to email recipients right in their inbox, before a message is opened. They are enforced by Domain Based Message Authentication Reporting (DMARC) security.
By using VMCs secured by DMARC, marketers not only reinforce their branding and improve open rates by up to 10%, they also show customers that they care about their privacy and IT security, and are taking proactive steps to help minimize risk.
Prediction: Organizations prioritizing strategy/culture of security
Finally, we anticipate organizations working harder to strengthen a culture of cybersecurity, led from the top. We’re hearing more about employee education using phishing tests, mandatory online training and cyber simulation exercises taking place at the board level, to help C-level participants test their communication strategies and decision-making in the event of a major cybersecurity crisis. It’s clear that cyber attackers will continue to innovate and create more complex, insidious threats. Mitigating tomorrow’s threats will require a commitment from leadership and good communication across every organization.