In 2021, cybercriminals took aim at critical infrastructure with ransomware attacks on Colonial Pipeline, JBS and others. They also continued to find new ways to exploit employees working remotely, those seeking information on COVID-19 vaccines, and improperly secured APIs.
In addition to releasing our 2022 cybersecurity industry predictions, we looked back at our 2021 cybersecurity predictions to see what we got right. For reference, you can read our full 2021 cybersecurity predictions here.
Let’s dive in:
1. Prediction: We’ll see the consequences of employees letting their guard down as work-from-home extends.
Many employees will continue to work remotely in 2021 to slow the spread of COVID-19 until a vaccine can be reliably distributed. Consequently, bad actors are no longer following these employees “through the door” when looking to steal data. Instead, they will seek to take advantage of workers who have been remote since the start of the pandemic, as they may be more likely to let down their guard when it comes to following security protocols. This relaxation on security protocol — combined with threats that already exist in a rushed remote work environment — will result in data loss rates exceeding what we saw in 2020.
In April, a report from FireEye highlighted how hackers with suspected ties to China exploited Pulse Secure’s VPN to gain access to dozens of government organizations and companies in the U.S. and Europe amid continued remote work. The cost of data breaches rose to a 17-year high this year, according to IBM’s annual “Cost of a Data Breach” report. The average cost was just over $1 million higher in incidents where remote work was a factor in causing the breach, compared to those where remote work was not a factor.
2. Prediction: Attackers will use the COVID-19 vaccine to conduct the largest phishing effort of the year.
In 2020 we saw hackers leverage COVID-19 to distribute a plethora of phishing scams to unsuspecting victims. The number of legitimate emails sent on the topic allowed phishing emails to hide in plain sight. As the race to secure and distribute a vaccine continues, the public will once again seek information on new developments. Attackers will purchase domains and craft emails with this in mind. The amount of content, combined with the thirst for knowledge, will set the stage for a further increase in phishing attacks.
In March, the Department of Justice issued a warning about fake post-vaccine survey scams designed to steal consumers’ personal information. As the Delta variant began to rise in the summer, a survey from Proofpointrevealed COVID-19 phishing campaigns, including attempts to steal Microsoft and O365 credentials, were ramping up. In June alone, phishing attempts rose 33% compared to earlier in the year. As phishing methods changed throughout the year, the FTC issued a vaccine scam update in August that warned of a national vaccine certificate scam.
3. Prediction: We will see a rise in internet policing as misinformation reaches new heights following the U.S. elections.
Our lives have taken place online more so this year than ever before. In the wake of rampant misinformation efforts across social media platforms and news agencies during the 2020 U.S. election, fear of further escalation will lead to a call for tighter regulations on the internet. Large-scale spear phishing and watering hole attacks will add to the mounting pressure on Congress to introduce and pass legislation that forces tech giants and media organizations alike to have better safeguards in place. 2021 will be a year of holding these organizations accountable using regulation versus allowing them to “self-police.”
In October, Facebook whistleblower Frances Haugen leaked internal documents that showed how the company’s algorithm magnifies the reach of misinformation and has been exploited by nation-states looking to influence the American people. Her testimony before Congress reignited calls for legislation to regulate social media companies, particularly as it relates to data collected from children and teens. The White House shared that President Joe Biden is in favor of substantial modifications to Section 230, a piece of internet regulations that exempts social media companies from being legally liable for the content produced by their users.
4. Prediction: There will be a reckoning within the growing API security market as API data breaches rise.
Earlier this year, Facebook pledged to improve its security as it worked to resolve a lawsuit blaming the company for a 2018 data breach where bad actors leveraged Facebook’s developer APIs to obtain sensitive user information. This is not a threat that is unique to Facebook or any one industry.
In fact, this is a rising threat, as APIs are one of the largest attack surfaces for organizations. More and more businesses across industries are building out microservices that leverage APIs, but very few companies know how to build them securely, and the growing API security market is beginning to falter. This will result in a high-level breach and data loss that will be directly traced back to unsecured APIs.
In April, credit bureau, Experian, fixed a flaw in one of its API tools after researchers sounded the alarm that the credit scores of almost every American were exposed. It was discovered that the API tool lacked basic cybersecurity protocols, making it possible for anyone to look up scores for millions just by using a name and publicly available address. The rise in breaches was highlighted by Gartner, which expects API attacks will become the most-frequent attack vector by 2022. Additionally, in September IBM released its 2021 Security X-Force report, which found that misconfigured APIs now cause two-thirds of all cloud breaches.
Looking Ahead to 2022
The cyberattacks we have seen across industries in the last year are a marked escalation to what was already a major threat for businesses. Interested in learning more about what we predict for 2022? Check out our predictions here.