Qualys Lays Out Security Predictions for 2022
Written by Hadi Jaafarawi, managing director – Middle East, Qualys
We can at least hope that 2022 is the year when we put the pandemic behind us. But where the notion of a COVID-free world may at least be possible, the thought of one without cyber threat actors is, sadly, unrealistic. The Internet may have accelerated globalization and economic growth around the world, but it came with some baggage. The Arabian Gulf region will see many changes over the next 12 months as organizations continue the fight to secure their perimeters. What follows are the highlights.
The decline of cyber insurance
A 2020 KPMG survey revealed 73% of UAE businesses to be investing in cybersecurity to some degree as the result of a surge in incidents. There are now strong indicators that some of this investment may go towards insurance, even as the quality of coverage declines. Citing the COVID-19-related surge in cyberattacks across the country, international law firm Norton Rose Fulbright recently predicted a surge in UAE enterprises’ interest in cyber insurance and a corresponding change in policy design, with clauses on cybersecurity making their way into property and liability coverage throughout the following year.
But in 2022, we can expect the customers of cyber-insurance providers to reevaluate the effectiveness of such clauses. Actuaries find it increasingly difficult to construct accurate risk models for cyber insurance, and in some parts of the world, insurers are removing coverage for ransomware attacks altogether. Premiums are rising and coverage is shrinking, even as insurance companies start to demand that customers pass a security health check before agreeing to cover them.
Integration rather than consolidation
Much of the literature on cybersecurity over the years has alluded to the single-dashboard solution — the prevention, detection, mitigation, and elimination tool to beat all others. When CISOs and IT chiefs mention consolidation, many line-of-business executives, particularly finance leaders, assume such a catchall tool (and its associated cost savings) is on the horizon.
When the region rushed towards the cloud in 2020, the complexity of the hybrid environments that followed made “consolidation” even more alluring. The truth is security tools specialize in different areas and comprehensive threat postures mean using multiple solutions. But there is still a need to integrate tools effectively to achieve a level of visibility that allows tight control over the digital environment. As research on this area progresses, we are discovering that the more tools that are deployed, the less effective a security team may become in detecting threats.
In 2022, expect to see a greater emphasis on integration. CISOs will concentrate on the fundamentals by using the right tools to automate basic tasks, such as upgrades and patching, while freeing up security professionals for more strategic endeavors. We will see more risk-based approaches used, and integration will be used to simplify processes and workflow while increasing visibility. Finance will be able to celebrate some cost reductions as some legacy tools are retired from service.
The unifying of OT and IT security
As complexity continues to be the bane of regional security teams, stakeholders across departments understand that cybersecurity must extend to all technology used by the business. As far along the road as we are in the Fourth Industrial Revolution, it was inevitable that sooner or later we would have to think of OT and IT under a single umbrella.
The risk to physical equipment has been apparent in the region for years. Not only have petrochemical companies here long been the targets of threat actors, but this year’s Colonial Pipeline incident in the US served as a stark lesson to organizations that use any solution that exposes physical machinery to the lawlessness of the public Internet. As such, 2022 will be the year when a single CISO becomes responsible for OT and IT security.
OT security playing catch-up with IT security
The aforementioned merging of OT and IT security cannot come soon enough. OT infrastructure is notoriously behind other software-enabled business functions when it comes to security. Between the less-than-optimal account policies and the slew of unpatched vulnerabilities in OT assets, the new umbrella CISO will have a lot of challenges to overcome to prepare physical infrastructure for the modern threat landscape.
With the region being first to the plate on 5G, IoT solutions will soon be available that were previously inviable. Adopting such solutions will be key to competitive survival in 2022 and beyond, so air-gapping OT environments is not an option. Meanwhile, bad actors plot the exploitation of OT assets as soft targets, so the race is on to secure equipment before it can be compromised. Not only can OT incidents lead to lateral data breaches in the corporate network, but if the C&C systems themselves are compromised, the damage could mean the end of a company.
Strategy, budgeting, investment, consolidation, integration — none of them are worthy substitutes for the care and attention of employees. Let 2022 be the year when each one of us thinks about security in everything that we do — from the CEO and CISO to the factory floors, cash registers, and front desks of every regional business.