As the dark nights draw in and the year nears its end, it’s time to reflect on the past 12 months in cybersecurity and analyse what organisations got right, what went wrong and where we must improve.
One thing that can be said about 2021 is that it certainly didn't disappoint when it came to threat activity. Attacks on Colonial Pipeline, JBS and the Irish Health Service Executive made it one of the most memorable years to date. But what were the key lessons learned, and what do organisations need to think about when building out their cybersecurity programmes and defences for the future?
Here are Ouvert’s predictions on what could be set in store for the cybersecurity industry in 2022, and how organisations should prioritise their security to succeed in the year ahead.
Fail to prepare, prepare to fail
If 2021 taught us anything, it's the importance of planning for incidents. When organisations don't prepare for cyberattacks, they stand to lose everything, whether money, data or customer trust. When they do prepare, they can navigate attacks quickly with little or no damage, sometimes even coming out stronger in the aftermath.
In the year ahead, incident response and crisis communications planning will no longer be seen as an excess of zeal; they will become a necessity.
When it comes to getting incident response planning in place, start by thinking about your organisation's absolute worst-case scenario and rehearse your response to understand where you excel and, most importantly, where you fail.
Keep rehearsing the incident until your organisation's losses are down to an absolute minimum. This means that when your worst nightmare becomes a reality, teams will know their roles, responsibilities and response plan, minimising panic and allowing everyone to jump straight into action.
Organisations should rehearse incident response against the full range of cyberattacks that could impact them, focusing on the most severe first.
By preparing for incidents, no one will be taken by surprise when they actually happen. Instead, everyone will know how to respond, minimising disruptions, losses of money and data, and irreparable damage to customer trust and brand.
Board executives will face heavy scrutiny for poor security
As security becomes an even more prominent topic in the media, board executives are going to come under increasing scrutiny when their organisation suffers an attack.
Media and customers will want to understand why the organisation was attacked, what security protections were in place, how the attackers got in and what data was impacted. They will come down hard on any CEO or board executive who is not adequately protecting customer data, and those who cannot answer questions about the security posture of their organisation will also suffer a mighty fall.
As a result, prepping board members regularly on security and keeping them up to date on risks and resilience is critical in the year ahead.
Organisations should also brief CEOs and board members on attacks in advance of them actually happening, so they understand the types of information that media, customers and stakeholders will want to know. Media training for CEOs and board executives, so they can communicate effectively on incidents and provide useful information, will therefore become a critical priority for any organisation looking to get serious about security in the year ahead.
Consumers will boycott brands that gamble with their security
This is not something new, but as more cyber stories make the headlines, consumers are becoming savvier about the security and privacy of their data. They are also demanding that the organisations they do business with employ strict security and privacy controls.
In the year ahead we are likely to see mass boycotts of brands that gamble with security and privacy.
Security and privacy today are no longer a luxury, they are a necessity and competitive advantage. Organisations need to invest in the security of their infrastructure if they want to win the race.
But remember, security is not just a technology issue. It covers the whole business, and it's primarily about people and processes.
This means educating staff on security and attacker techniques, implementing processes in which security is routinely embedded, and striving to build a security-conscious culture. Boards must also understand cyber risks and invest adequately to protect their organisation against threats.