Since last year’s Data Privacy Day, system downtimes have continued to lengthen. Cyber insurance has continued to grow more expensive. AI remains a double-edged sword. As always, awareness training and security protocols serve as the best shields in the ongoing defense against cybersecurity breaches.
Data Privacy Day – or Data Protection Day for EU readers – is a yearly reminder to organizations of the importance of compliance. Data plays such a mission-critical part in an organization’s infrastructure that organizations must make it their utmost priority to ensure that cybersecurity procedures are in place to safeguard data from getting into the wrong hands.
Ultimately, all stakeholders care that their data is protected – employees, customers, or partners. For organizations to build and maintain that trust, they must embed a culture of compliance with data protection throughout the organization. This culture involves closing knowledge gaps by educating and regularly refreshing data protection or GDPR training with everyone in the business.
It’s been almost two years since the global pandemic started, which along with uncertainty about health and the economy, brought a huge surge in cybersecurity attacks. It’s true that cybercriminals have always been opportunistic and that cyber threats are constantly evolving to take advantage of our online behaviors. Sadly, the COVID-19 pandemic proved no exception to this rule.
2020 and 2021 offered cybercriminals the perfect storm: a mass shift to home-working (for which many organizations were not fully prepared) and a distressed, distracted workforce, with employees worried about themselves, their loved ones and their jobs.
In the UK, the National Cyber Security Centre (NCSC) took down more scams in 2020 than in the previous three years combined, with COVID-19 and NHS-themed cybercrime fueling the increase. 2021 data is forthcoming. Across the pond in the US, it’s a similar story, with reported losses from cyberattacks hitting $4.2 billion in 2020. Worryingly, a global cybercrime assessment by INTERPOL also uncovered a significant target shift from individuals and small businesses to major corporations and governments. It seems that, as the virus continues to spread around our planet, cybercrime follows in its wake.
For sure, cybersecurity will continue to be a high priority for IT professionals and compliance experts alike in 2022. Organizations will continue to battle cyber threats for business continuity and reputations. As cyberattacks continue to increase in both velocity and scale, the cost of data breaches also looks to rise exponentially.
Data protection teams can use Data Privacy Day as a means to call attention to growing threats and challenges, such as the following.
The Evolution of Ransomware
Ransomware will likely continue to grow as cybercriminals compete to find new ways to penetrate systems and wreak havoc. One of the end goals here is to cause a lot of damage and make it difficult for IT teams to gain back access and recover their data (after all, the longer this takes, the more data can be stolen and sold on the dark web and the higher the ransom can go). Due to this, affected organizational downtimes are likely to increase in 2022 (the average downtime is now 23 days), causing unimaginable disruption to all types of industries and supply chains.
Additionally, the volume of ransomware attacks is expected to increase across 2022. Indeed, whilst 2022 will see the sophistication of ransomware improve (cybercriminals are deploying more nuanced attack vectors and corrupting data in new ways), it doesn’t require much IT knowledge or hacking experience to send this type of malware. Ransomware can be sent pretty much ‘out of the box’ as it were – and, sadly, the financial rewards for the unscrupulous few can be huge.
It will be imperative to check and double-check software and systems in 2022. This means ensuring that the latest anti-virus software is installed on PCs and mobile devices, that email gateways are secure, and that systems are tested regularly for vulnerabilities.
The Risks and Rewards of Artificial Intelligence
Ever a hot topic beyond Data Privacy Day, the transformative power of artificial intelligence (AI) is widely considered as one of the greatest commercial opportunities of the 21st century. Indeed, it already enhances many of our modern business functions, allowing businesses to do things like automate processes, gain insights through data interrogation, and engage with customers and employees seamlessly.
Of course, AI is also useful for risk management and compliance functions, since both these operations rely on information and analysis by design. They involve collecting, recording, and processing a significant amount of data, and as such, are ideal for deep learning.
Artificial intelligence and machine learning technologies are powerful, but expectations must not outrun reality. Indeed, across next year, organizations hoping to leverage AI across various functions will need to remain vigilant about the new types of risk this involves. AI can amplify bias (in hiring practices or consumer advice), breach data privacy or data use laws, or pose cybersecurity threats by allowing faster, better targeted and more destructive attacks to take place. It can, however, also be used to counter cybersecurity risks.
Business leaders, it seems, will ultimately face one fundamental challenge when it comes to AI: finding a way to utilize its benefits without creating unreasonable compliance and risk issues.
The Rising Cost of Cyber Insurance
Cyber insurance covers organizations’ liability in the event a data breach involving personal data (credit card numbers, account numbers, health records, Social Security numbers etc.) occurs. Depending on the type of policy, it can also help offset the costs associated with a cyber-attack, for example, loss of business or the need to bring in IT experts.
With more policyholders and a higher-than-usual frequency of cyber incidents to deal with during the 2020/21 pandemic, it’s no surprise that insurers paid out more in cyber claims during these years than in any year prior. Of course, as the global situation rages on and cybercrime continues to rise exponentially, more and more companies have turned to insurers asking for higher policy limits. Many organizations merely want to help balance the risks of remote working and the new/existing technologies associated with this shift. But, equally, many more are worried about the rise in phishing attacks and related malware/ransomware occurring globally.
Most companies plan to maintain the changes to their technology and working arrangements post-pandemic (hybrid and remote working have proved immensely popular with employees). As a result, insurers are likely to respond by restructuring, widening, and increasing the cost of cyber insurance policies. It also wouldn’t be surprising to see some insurers reduce their pay-out amounts, particularly for things like phishing, which usually involves an employee error.
In light of this, I recommend that all companies carefully review their cyber insurance policies at the start of 2022 and familiarize themselves with the terms and conditions included within them. Ensure the policy has a wide-enough scope to cover any new working arrangements, whether temporary or permanent fixtures.
The Focus on Cybersecurity Awareness Training
Out of uncertainty often comes change and innovation – and it will be no surprise to see the increased prominence of cybersecurity awareness training in 2022, particularly at the C-suite level. After all, the most significant risk to IT security is often the end-users themselves. By educating employees in cyber hygiene to a high standard, your cyber risk as a business is significantly reduced.
Continuous awareness training is imperative when it comes to battling the sort of errors in judgement cybercriminals hope we’ll make – and this is especially true when we’re working remotely and might feel more relaxed. Hackers count on the fact that it’s far easier to make an error in judgement, e.g., clicking on a malicious link, connecting to evil twin WiFi, or using and reusing weak passwords when working outside the office. This is because, even though we’re all well versed in the dangers of these things (and many of us think we won’t fall for it), without continuous awareness training to keep threats fresh in our mind, it’s all too easy to let complacency creep in. Of course, this threat increases away from the formal working environment and the safety of the organization’s firewalls, IP blocking, and other security software.
Another substantial risk mitigation and cybersecurity tool that will take off in 2022 is the usage of phishing simulators to test and track employees’ vigilance and deploy additional awareness training where it’s needed. There is no substitute for heightened awareness, and refresher learning interventions about cybersecurity best practices should not take long. Microlearning has shown itself to be very effective at keeping learners engaged with core compliance messages.
Risk Mitigation in 2022
Every Data Privacy Day serves as a reminder that bolstering cybersecurity is a continual undertaking for organizations. An important step in that process is staying abreast of the latest news, industry insights, and up-to-date statistics around cybercrime and data leakage. Cybersecurity statistics have empirical value for compliance risk owners, as they can point to knowledge or training gaps within the organization and alert compliance managers to growing or urgent threats.
The challenge, of course, will be to translate this information into practical and agile risk management strategies and security solutions.