Most people start the New Year thinking about ways to make the year come better. Maybe you aim to go for more walks or spend more time meditating. Most of us don’t want to start the year thinking about ways to avoid cyber catastrophes. And yet, as we embrace 2022, one of the smartest resolutions you can make is to be on guard for phishing and ransomware scams.
Phishing in 2022: What to Expect
2021 included a lot of phishing. According to a Dark Reading report, it was the most common cause of data breaches last year. And Tessian data found that employees receive an average of 14 phishing emails each every year—a number that jumps up to 49 for retail employees. The costs of all this are staggering. Phishing attacks cost large organizations around $15 million each year, which comes out to about $1500 per employee.
As big as phishing was in 2021, we have every reason to expect it will be bigger in 2022. The plain and simple reason why: it works.
In 2022, pretty much everyone has an email address, most people have more than one. And we all use them constantly. For work, for personal communications, to get information from the local school or any community organizations we’re a part of—we’re all, collectively, more reliant on email than ever. That makes the attack surface for phishing massive.
Cybercriminals know they can reach everyone over email. Last year, around two million malicious emails made it past legacy security systems to get to people’s email inboxes. And once the email reaches a human, it’s just a matter of catching someone when they’re distracted or appealing to their emotions.
This year, as a large portion of the workforce continues to work from home, COVID concerns still drive the need for digital communication, and emotions remain high—phishing is more of a risk than ever.
Ransomware in 2022: What to Expect
Ransomware isn’t going anywhere, because it just keeps getting more profitable. As long as cybercriminals trust that ransomware attacks will result in a big payday, they have every reason to repeat the methods of attack that work.
Ransomware in 2022 will only get more sophisticated. Organizations can’t assume today’s attacks are coming from a lone hacker with impressive skills. Instead, we’re increasingly seeing cyber gangs work together. The orchestration of multiple cyber groups with different goals and skills brings complexity to the process that’s hard to fight.
One gang can use their skills to infiltrate a company and get a foothold in, then pass the torch to other groups that take advantage of the access they’ve provided to start encrypting files or stealing data. As long as there’s enough money at play, they’re happy to share information with each other and all take a share of the profits. They all win; you lose.
And while most ransomware attacks are financially motivated, and that’s likely to stay true through 2022, we now see a growing threat of attacks that aren’t about money. They’re about a desire for destruction. Whether it’s about politics, activism, or general nihilism, a certain portion of the cybercriminal contingent is out to cause problems, without a care for whether or not they get paid for the trouble.
Being Cyber Safe in 2022
The cyber threats we face are only getting stronger and savvier. That just means we have to get stronger and savvier too.
Be prepared for the worst.
Assume you’re breached already. Unfortunately, as common as cybercrime is, for many organizations, it’s not a matter of if, it’s a matter of when. Move forward with the assumption that you will probably encounter phishing and ransomware attacks this year.
From that perspective, how do you make sure you’re prepared to handle them? Set up tabletops with the appropriate stakeholders—from legal, HR, and corporate communications, along with your TPRM professionals—and walk through what everyone needs to know and do when the worst happens.
But also invest in preventative controls to avoid the worst.
While you should be prepared for the worst, you should still do everything in your power to avoid having to put your best-laid plans into practice. Do a review of your preventative controls to make sure they’re up to your standards. Make sure you’re well aware of all your third-party relationships, the relative risk that comes with each one, and the controls you have in place to reduce those risks. Hire ethical hackers to find any weaknesses in your current security systems, so you can patch them up before any unethical hackers find them.
Make yourself a difficult target. If getting to you is hard work, many hackers will move along.
Know your priorities.
Make sure you know the most important parts of your business to defend. Tabletops can help with this, when you have to talk through a worst-case scenario with the organization’s stakeholders present, it becomes easier to identify what matters most to the business.
Having your priorities in order means you can move to take the most important steps first and reduce the overall impact of any attacks you encounter.
Conclusion
Cyber attacks are an inevitability this year. But the organizations that know to be prepared and work to protect themselves will have an edge in dealing with the threats that loom. Make sure you put as many protections in place as possible but have a plan for what to do if those protections aren’t enough.
