With the Omicron variant now sweeping through the population at pace and booster jabs well underway, we are expecting 2022 to cement the hybrid working we put in place this year by continuing to work remotely as well as in the office. This emphasizes, rather than changes, the focus for cybersecurity in 2022 – but that’s not to say it will be ‘just like last year.’
The similarities are likely to be continued targeting of the supply chain and the continued prevalence of ransomware, with cyber as an enabler for conventional crime. It is likely, however, that operational technology (for example, in the critical national infrastructure) and internet of things (IoT) (the soft underbelly of our ‘convenience software’) will be more of a target as the software they run on is often old and unpatched. We may also see a significant SaaS compromise, either through attacks or accidents, as cloud proliferates and there is a mismatch between provider and consumer security expectations.
There are some critical areas in which we began to make inroads in 2021 and that we need to build on in 2022:
- Secure by design
COVID-19 has highlighted the need for resilience and the role of government and business in providing it. The ability for organizations to grow in the digital world and take advantage of new technology and routes to market is underpinned by good cybersecurity – both of the organization itself and its supply chain.
In 2022, the idea of being resilient throughout the supply chain and continuing to operate in the digital space regardless of the physical will become more of a focus. The optimism that we will get back to normal is being replaced by the realization that this is the new normal and that organizations have to design their systems and processes to make the most of it.
Secure by Design
The increasing interconnectivity between – and across – the UK infrastructure and information means that an expectation that systems are “secure-by-design” has to become a reality. This is as much the responsibility of the manufacturers and users as it is of the government. The government needs to set the standards, but the industry should design security in whether or not it is asked to. In parallel, consumers should be using the systems as they were intended and valuing their own data security.
Electric vehicles, for example, can now be updated remotely and are reliant on a charging network that also carries financial information. This rapidly becomes a significant target unless security is designed in, along with the mindset that it is more than just a fueling and maintenance facility – the implications of access to all a vehicle’s data and systems are far greater than that. Similarly, with IoT, a country-wide consumer device breakdown would be inconvenient if it’s your fridge, uncomfortable if it’s the central heating, but potentially life-threatening if it’s your medical device or only form of communication.
The skills gap is certainly not new for 2022. Globally we have been short of cyber skills by about 40% for several years (according to the Department of Digital, Culture, Media and Sport and others). This indicates that we are looking at a ‘lagging’ skills market and will always be short of scarce skills as the demand for digital and cyber skills grows. So, we need to look in non-traditional pools and train people to generate scarce cyber skills in 2022.
Alternative routes to cyber skills have looked at aptitude, curiosity, persistence and natural interest in cyber and digital. The results were astounding; drawing from a wide pool of people who hadn’t worked in cyber or STEM before – ranging from firefighters to chefs to beauticians – several hundred candidates were considered for 29 places, leading to 25 still in technical cyber jobs three years later.
Getting this technical cadre in will help, as will de-mystifying cyber and making it more relevant and accessible to the workforce as a whole. 2022 needs to be the year of using remote working to make cybersecurity a pivotal enabler to organizations meeting their business objectives.
There are many tech trends that will impact 2022, but the key ones to call out are: AI, Cloud and Quantum.
- AI – the discussion will move even more to the ethics and governance of artificial intelligence (AI) and how we protect the datasets upon which it bases decisions. AI is as biased as the world in which it operates, so we need to design in the ability for it to question and be skeptical of the datasets it ingests and ask for advice to keep it on the straight and narrow.
- Cloud – The cloud is still someone else’s server, and there has to be a mutual understanding of what your data needs and the security your cloud provider offers. We are likely to see more complex multi-cloud environments to enable data to be physically located within countries where required. This will add to the complexity of cyber monitoring and security.
- Quantum – While not yet widely available, a quantum capability is coming. There is a potential for rogue actors to capture encrypted information (IP, government data and so on) now in the anticipation that quantum will enable its decryption in a few years.
So while there is likely to be a continued increase in reliance on digital and data and a commensurate increase in attacks, we need to take various actions to embed cybersecurity in our systems, processes and mindset. Doing these well will mean we can seize the opportunities offered by new technologies to grow safely in the digital world.