As malicious bot activity increases and attacks surge against APIs, MFA will become more of a mandate and the CISO will take on a greater role, predicts Ping Identity CEO and founder Andre Durand.
The dramatic rise in ransomware and other cyberattacks over the past year has finally driven home the point that cybersecurity needs to be taken much more seriously. Amid initiatives by the U.S. government and other parties, there's a growing global awareness of the need to focus on security to combat attacks that threaten vital areas of society. How might this renewed focus on security start to play out in 2022? Ping Identity CEO and founder Andre Durand offers his take with nine cybersecurity predictions for the new year.
Cybersecurity will become an ESG issue
ESG (environment, social and governance) is a method used by investors and other people to evaluate businesses based on more socially conscious standards. With greater investments in security needed to protect society, cybersecurity will become the fourth responsibility of ESG for corporations, according to Durand.
"The digital economy has been really important for years, but the pandemic has shifted even bigger parts of our economy to the digital world," Durand says. "We must have appropriate digital identity safeguards in place, or we will have online chaos and fraud running rampant, greatly inhibiting our economic prosperity. Governments need to emphasize and elevate digital security laws and enforcement to the same degree as physical laws and safety are handled today."
MFA will become a global mandate
To better secure logins and protect sensitive data, multi-factor authentication (MFA) will be required not just in the U.S. but around the world, Durand says. As only one of several steps required to improve security, MFA needs to start with key sectors such as government, healthcare, utilities, banking, and education. But consumers will also begin to demand measures like MFA to secure their information and will increasingly desert businesses that fail to take security seriously.
Bad bot tsunami
Malicious bots that impersonate human beings are a threat to customer-facing systems, according to Durand. These types of automated attacks can lead to credential stuffing, account takeovers and account fraud. Sneaker bots can buy up the limited inventory of a hot product and then resell it at inflated prices.
Traditional security solutions no longer cut it when combating bots, as scammers have learned how to thwart them. Instead, artificial intelligence and machine learning are needed to better distinguish a bot from a human being. And such tools are already here, Durand says. This technology looks for bots by analyzing such factors as how fast a user types, how a user navigates a website or an app and how hard a user presses on a touchscreen.
Focus will shift to Zero Trust authorization
To make sure only the right people have access to the right data, authentication will increasingly shift to authorization, as seen with Zero Trust.
"While it's been trending this way for many years, the corporate network perimeter became a thing of the past during COVID, making Zero Trust authorization more important than ever," Durand says. "While ais mandating Zero Trust for government entities, we will start to see private enterprises mandate that certain cybersecurity measures are in place in order to do business together."
Rise of digital wallets
People will increasingly store verified data about themselves on their phones, Durand says. As just one example, their real identity will be saved in government-issued IDs through digital wallets provided by Apple and Google. But other types of identity data will be shared with the user for better privacy and control.
There are pros and cons to digital wallets and IDs. On the plus side, they can verify the identity of the user in business or financial transactions, reduce fraud and identity theft, and shrink the cost and overhead for organizations that typically create physical methods of authentication. On the minus side, a person is at risk if their mobile device is lost or stolen; a device whose battery is exhausted is of little use when trying to present a digital ID; and any digital verification that requires connectivity will fail if no cellular or Wi-Fi service is available.
Attacks on zombie and shadow APIs
Shadow or zombie APIs pose a security risk, as they're typically hidden, unknown and unprotected by traditional security measures. More than 90% of attacks in 2022 will focus on APIs, according to Durand. And for organizations without the right type of API controls and security practices, these shadow APIs will become the weak link.
Convergence of IT and OT
Information technology and operational (physical) technology will collide as IT teams assume responsibility for the security of physical devices. This trend will require interoperability between IT and OT, leading to a convergence of technology to determine who can physically get in a building and who can access key applications. As such, organizations will need universal security requirements of all vendors who are part of the process.
Identity focus shifts to user experience
Amid security changes, user experience must still be considered and prioritized. Customers don't really care about the technical process that occurs behind the scenes, Durand says. Instead, they want a seamless digital experience so they can easily access their accounts and make purchases. Consumer-facing companies that don't offer a smooth user experience will be ditched for companies that do.
Rise of the CISO
As corporate boards increasingly focus on cybersecurity, more people will report directly to the CISO, and the CISO will report to the board, according to Durand. More boards will also set up a dedicated cybersecurity committee by 2025, according to a Gartner forecast.
"CISOs can clearly define tangible risks to the business and present solutions to reduce or completely remove risks to the business that could cause monetary or brand reputation issues," Durand says. "The office of the CISO helps to educate and keep employees fluent and aware of security risks to the business and to themselves. Having the CISO at the right level inside of the company can ensure high and critical security risks are being addressed in a timely manner."