A Year in Review: Top 9 Cybersecurity Lessons of 2022
With the most recent NonStop TBC and BITUG Little SIG behind us, it became apparent again that security issues are at the top of the agenda. Although HPE NonStop systems are better protected than other platforms, that does not relieve those responsible for data and application security of the need to act on cybersecurity. In this article, we look back at the top 9 cybersecurity lessons of 2022.
The comforte team wishes you all a very Happy and Festive Holiday and a great start to 2023.
This time of the year is always a good moment to pause and take stock of what has gone before. For IT and security leaders, there’s been plenty to digest, from new data protection compliance requirements to escalating breach volumes. Several Australian companies were most recently on the receiving end of attacks, although the truth is that no organisation worldwide is safe from threat actors today.
The following nine stories should provide some valuable lessons learned that enterprises can use to draft their cybersecurity and privacy strategies for 2023 and beyond:
- PCI DSS compliance remains critical: The PCI Security Standards Council (SSC) released the long-awaited version 4.0 of its Data Security Standard (PCI DSS) in March 2022. Behind it are some laudable aims: to promote security as a continuous process rather than a check-box exercise and to encourage a security-by-design culture in organisations. As organisations look to meet the standard’s requirements, they’ll once again note that data encryption or tokenisation of card data can reduce PCI DSS compliance costs and risk exposure.
- The regulatory landscape is increasingly fragmented: Where once there was just the GDPR, now there are dozens of lookalike regulations governing data security and privacy. They now extend to the MENA region, where Saudi Arabia and the UAE introduced personal data protection laws this year. However, compliance officers should note that there are many regional differences. In Saudi Arabia, for example, breaches must be notified “immediately”, and serious infractions could result in jail time for execs. Applying protection directly and continuously to customer data has never been more critical.
- Healthcare continues to be a primary target for attacks: Ransomware actors caused yet more misery for healthcare providers across the globe this year, stealing sensitive data and interrupting potentially life-saving services. Organisations are also exposed by their technology partners. One attack on an NHS software supplier earlier this year continues to cause problems for the health service’s critical NHS 111 service.
- Double extortion made data protection a critical control: Today, ransomware actors don’t just deploy a ransomware payload to scramble data; they steal it first in an attempt to force payment. This year’s research found that 66% of organisations had suffered a compromise over the previous 12 months. With double extortion now the norm, organisations need both regular backups and strong data encryption: backups mitigate the impact of the ransomware itself, and encryption mitigates the impact of the data theft.
- Financial services are a massive draw for threat actors: Healthcare wasn’t the only sector on the hit list for threat actors this year. One report warned that financial services firms would face ransomware, supply chain attacks, and zero-day vulnerability exploits this year. Once again, the key for organisations in the vertical is to apply protection directly to the data and ensure it happens across all environments, including the cloud.
- The insider threat is more significant than ever: Employees are often described as the weakest link in cybersecurity, and research this year seemed to support this judgement. It revealed that 40% believe following security best practices is not their responsibility. With the risk of something going wrong heightened by home working, organisations should rethink their security controls. Adding encryption to the mix can mitigate the risk of accidental leakage or a breach resulting from poor IT hygiene.
- Data breaches are more expensive than ever: IBM’s annual report revealed surging costs globally associated with the average data breach: nearly $4.4m per organisation. However, there was some good news lurking within the study. The report claimed that if organisations deploy data-centric security as part of “mature cloud security practices” such as data classification schema, organisations could save as much as $720,000 per average breach.
- NIS 2 is coming: The compliance work is never done for organisations. The latest set of regulations to rear their head this year related to the EU’s second directive on the security of network and information systems (NIS 2). It’s larger in scope than its predecessor, taking in a new set of sectors and organisation types, and could levy non-compliance fines of up to 2% of annual turnover, or €10m, whichever is higher. Strong encryption is now part of a NIS 2-mandated set of enhanced security requirements.
- Cyber is the number one business risk of 2022: This year’s Allianz Risk Barometer was only the third in its 11-year history in which “business interruption” has not topped the list of business risks. Instead, it was cyber incidents. Data-centric security should form part of any organisation’s efforts to mitigate such risks by ensuring that even if customer information or trade secrets and IP are stolen, they will be rendered useless to attackers.
Don’t become a statistic.
Breaches are virtually inevitable. Your best bet is to protect sensitive data at the moment of collection and only expose it when absolutely necessary so that no sensitive data is exposed, even in the event of a breach.
Check out our data-centric security solution brief to learn more.