I managed to go last week without talking much about security – well, it’s catching up with us, as there is a lot to talk about.
Let’s start with the new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed. Why? The increasing withdrawal of private insurance companies from covering damages from major cyberattacks, which the report says leaves American businesses facing “catastrophic financial loss” unless another insurance model can be found. In a separate report, GAO told the Pentagon that of 25 IT programs it reviewed, only 15 had a department-approved cybersecurity strategy, and just ten had submitted a system security plan for information and communications technology supply chain risk management. You know, clean up your stuff.
CISA warned that attackers are still exploiting Log4Shell, and that unpatched systems need to be patched. The notice was specific to VMware’s Horizon and Unified Access Gateway servers, although it’s solid advice broadly.
In case you didn’t have enough to worry about, Trend Micro’s new report warns that email is still a major vector for attacks, with malware delivered to email accounts rising 196% in 2021 year on year. Some 74.1% of all threats blocked by Trend Micro in 2021 were email threats, far outweighing the malware its products blocked being delivered over websites. Wired also had a piece on the theme – business email compromise is poised to become the next great scourge of attacks.
Rapid7 looked at double extortion ransomware attacks – specifically, the types of data disclosed. Financial data was leaked most often (63%), followed by customer/patient data (48%).
And two larger trends to look at – first, Protocol, with the headline “There are too many security tools.” The trend: with the market hot, a ton of new startups were created. Now, with the market cooling, some consolidation is expected, which is generally welcomed by customers… as there are too many tools.
The other is Gartner, with eight predictions for the next four years in cybersecurity. Here are four I picked through the lens of IT services.
By 2023, government regulations requiring organizations to provide consumer privacy rights will cover five billion citizens and more than 70% of global GDP.
By 2025, 30% of nation-states will pass legislation regulating ransomware payments, fines, and negotiations, up from less than 1% in 2021.
By 2025, 60% of organizations will embrace zero trust as a starting point for security. More than half will fail to realize the benefits.
By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.
Why do we care?
That last prediction – those performance requirements will extend to customers’ relationships with their providers. Taken together, the predictions point to the focus areas for services companies: fewer tools and a lot more regulation and process management. Be the firm that helps navigate privacy regulations, manages the legislation and requirements around security, and ensures that your customers are not in the group who fail to see any benefits from zero trust.
This is all the roadmap for real value in security – it’s not in the tools.