13 Cybersecurity Predictions for 2022

Cybersecurity will continue to be a grave concern in 2022. Malicious and accidental threats from outside and within organizations, coupled with increasingly stringent data regulations, are putting the onus on companies to step up their security and data use precautions. Here, data security leaders share their thoughts on what's ahead in terms of new dangers to data and the ways to thwart them.

1. Record-level security will become a C-suite issue: Record-level data security will become a hot topic and key priority in 2022 after a wave of high-profile data breaches that makes it impossible to ignore. We may even see an entirely new open-standard file format emerge with record-level data security already baked into it. ?Matthew Halliday, Co-Founder and Executive Vice President of Product, Incorta
2. Businesses will have a Sarbanes-Oxley sized wake-up call about federal data privacy and security standards: There is no way to protect data privacy, access, and use without first ensuring that the data is secure?a complex job for governance and security teams that will be made clearer by regulations this year. A big regulatory storm looms on the horizon: a U.S. federal data privacy law on the level of the Sarbanes-Oxley Act of 2002, which would require corporate officers of publicly traded companies to personally certify that the company's data security/protection statements are accurate. I certainly hope that we don’t see scandals as shocking as those of Enron, but if data breaches continue to worsen, we can expect legislation that requires publicly traded companies to have board-level data audit committees documenting how the company is protecting sensitive data, with CEOs and CDOs required to sign accountability statements. —Dave Sikora, CEO of ALTR
3. One of the weak links in 2022 will likely be the business application mesh: The growing network of integrations enable automated business workflows and data exchange. However, this mesh also allows for lateral movement by attackers, and it is largely outside of the purview of the enterprise. In 2022, we should anticipate a number of major breaches stemming from the lack of controls in monitoring these interconnected data paths among SaaS applications. —Sounil Yu, CISO, JupiterOne
4. Cyber insurance will be harder to get: Cyber liability insurance is a type of insurance designed to cover losses and penalties associated with a data breach or other cyberattack. But this kind of insurance will become harder to get. Why? Because for the first time, ransomware has hit a level where the payouts by insurance companies are now exceeding the premiums being paid. That means large insurance providers could limit the amount of business they book and be very selective when it comes to underwriting new cyber policies. Some cyber insurance providers are even excluding ransomware coverage when they renew customers. Businesses will have to up their investments in cyber tools and processes to prove to insurance providers they are a worthwhile risk. —Lyndon Brown, Chief Strategy Officer, Pondurance
5. Cybersecurity insurance premiums will skyrocket: Today’s complex threat landscape means that requirements for affordable cybersecurity coverage will expand and discounts on premiums will increasingly be linked to actions organizations take—or fail to take—to mitigate threats. I predict cybersecurity insurance companies will get more hands-on with security requirements and apply unprecedented scrutiny when reviewing applications and significantly lowering coverage limits. Expect to see more requirements imposed as well as more discounts given for certain policies or technologies in use. There will also be a surge in one-stop-shop cybersecurity platforms to help mid-market companies address security and meet evolving cybersecurity insurance requirements. These automated solutions will enable organizations to adapt to the dynamic threat landscape and alleviate some of the staffing shortage pressure that has plagued companies in recent years. —Mike Wilson, CTO, Enzoic
6. New and unpatched VPN and endpoint vulnerabilities will increasingly be exploited: Patching or upgrading the firmware of your endpoint and VPN appliances can be a tedious process, requiring thorough testing before rolling out patches as well as carefully scheduled maintenance windows. Unfortunately, attackers are well-aware of the resulting vulnerabilities and exposures. According to CISA’s list of vulnerabilities most frequently exploited by attackers in 2020 and 2021, many are related to remote access, with some even dating back as far as 2018. Make 2022 the year you get your VPN and endpoint vulnerabilities under control, potentially by accelerating to cloud-delivered Zero Trust Network Access (ZTNA). —Tsailing Merrem, Director of Product Marketing, Netskope
7. Security vendor consolidation is coming: One trend we will likely see in 2022 is that security leaders will direct their teams to consolidate and simplify their operational systems, rather than adding ever more tools and programs. This theme should be to consolidate, simplify, and get back to the basics. By “the basics,” I mean that best-of-breed solutions are still needed for the most important security operations, but the average large enterprise already has some 50–70 big tool vendors Many teams could consolidate their security vendors down to maybe not the best-of-breed in all cases, but good enough to allow users to have a cohesive view of things, rather than everything being siloed. As a result, we should expect to see the number of security vendors at large organizations reduced by 20%–30%. —Erkang Zheng, CEO, JupiterOne
8. Ransomware will continue to wreak havoc in the enterprise, resulting in a steady wave of payloads to malicious actors: While the U.S. government has strongly advised against organizations paying bad actors when they fall prey to a ransomware attack, the lack of more stringent safeguards and solutions will mean that in many cases, companies will have little choice but to pay ransomware dues. —Eyal Moshe, CEO and Co-Founder, HUB Security
9. AI and machine learning will simplify and speed adoption of fraud prevention: According to a recent report, e-commerce retailers now experience an average of 206,000 web attacks per month, with 42% of businesses saying that digital fraud hampers innovation and expansion into new channels. Yet, despite this, only 34% of companies are investing in fraud prevention and mitigation. With e-commerce booming and no signs of slowing down, machine learning to defend against fraud will be on the rise. This will help online retailers keep up with fraudsters tactics and can spot patterns that might be missed by manual checks and analyze historical data and compare it to current transactions. This will be especially beneficial during the busier peak shopping seasons. ?Jimmy Fong, Chief Commercial Officer, SEON
10. Organizations will build applications that are both reliable and secure ... or risk failure: No company can afford to focus on either observability or security—you must do both. No one is going to use an application that's reliable but not secure, or secure but not reliable. From a developer and enterprise perspective, we’ve got to raise the bar on both observability and security at the same time. We need to hit a common threshold. Every app a customer uses thinks that security and reliability are built in. There’s an assumption that apps are going to work every time a customer needs it and stay secure. If you knew an app wasn’t secure, it’s very likely you’ll never use it again. If it does both (reliability and security), then the app will always be used. It's that simple. ?Erez Barak, Vice President of Product Development, Sumo Logic
11. 2022 will be the year of COVID security cleanup: When COVID-19 forced organizations to transform their business models practically overnight, companies did what they had to do to keep the lights on and their employees connected in a remote world. They deployed a voluminous number of new technologies in a sprint to sustain operations, and, in many cases, moved so quickly that they were unable to properly address security concerns. This has left CISOs stuck mopping up a big mess: plugging all the security holes introduced by organizations’ rush to digitally transform. Even with CISOs focused on COVID security cleanup, they can only move so fast, and we’re likely going to see significant fallout over the coming years (e.g., security incidents caused by cloud misconfigurations, excessive access rights and shadow IT). ?Andrew Maloney, Co-Founder and Chief Operating Officer, Query.AI
12. Security recalculated—understanding risk means understanding the workforce: In 2022, organizations will turn to analytics to recalculate their understanding of cybersecurity risks and to reshape their protection strategies.?When we talk about business risk, it boils down to two fundamentals: do we understand one) what we are protecting, and two) the factors that impact our ability to protect. The last eighteen months has seen a gradual erosion of the “rules” we had in place to manage workforce behaviors, and without an accurate understanding of this behavior, risks can easily be introduced. The “new rules” that govern technology and personnel requirements for the remote and hybrid workforce will drive how we protect our organizations from both internal and external threats. ?Margaret Cunningham, Principal Research Scientist, Forcepoint
13. Organizations will Increasingly Adopt Low-Code Security Automation: In 2022, automation will grow beyond the Security Operations Center (SOC) to serve as a system of record for the entire security organization. As companies struggle to adequately staff security teams—and fallout from “The Great Resignation” adds additional stress across the organization?automation will help employees overcome process and data fatigue. Companies will seek to use low-code automation to harness the collective knowledge of their entire security organization and form a centralized system of record for operational data. ?Cody Cornell, Co-Founder and Chief Strategy Officer, Swimlane