The amount and sophistication of cybersecurity attacks is increasing. As a result, stricter legislation is accelerated, aiming to protect consumers while governing organizations to prioritize security at the forefront of business decisions.
For 2022 and beyond, we expect more regulation, decentralization, and safety implications. To succeed and avoid strategic, operational, reputational, and financial consequences, businesses need to implement security in their strategic thinking. The trends and predictions shared in this article should be applied to business decision making roadmaps.
A quick summary of 2021
The main driver of the increased attacks during the COVID-pandemic is the accelerated shift to remote working and consumers’ reliance on online and mobile banking. As companies scurried to adopt and implement new technologies that would enable both their workforce and customers to have their processes online, cybercriminals have taken full advantage with additional attacks. Research showed that 81% of global organizations experienced a form of cyber threat, and the financial sector specifically experienced 6.4% (a total of 16 million malicious detections) of all pandemic related attacks.
Fortunately, many organizations are aware and adapted to the sophisticated nature of cybercriminal attacks by implementing relevant technologies, training, and services to enable higher security for their customers. However, this may have been enough for the moment in time, but to remain secure and thwart oncoming attacks in the future, organizations need to evolve their approach.
The main focus point for businesses as they enter the new year is to become proactive rather than reactive in their cybersecurity approach. Cases of cybersecurity attacks often result in organizations failing to pre-empt threats, as they refrain from upgrading their security systems and processes unless a breach or attack happens. The old logic of thinking is that if they have not been attacked yet, then the security system must be good enough. Such thinking is no longer acceptable, as the number of account takeover attacks rises as attackers get smarter with machine learning bots, resulting in customers having their credentials stolen. At the same time, organizations carry not only the monetary costs, but also a lost reputation, as customers prefer competitors with higher security. To succeed in the next few years, organizations must consistently and proactively measure their security and upgrade accordingly.
4 Top Cybersecurity Predictions for 2022
Below the top trends we see are categorized into customer needs, legislation, and security.
More complex customer profiles and needs
Trend #1: Authentication becomes more sophisticated in response to customer demands
The trend is driven by two evolving factors. On the one hand, increased remote work and the shift to online has organizations scrambling to implement new hardware and software solutions quickly to ensure continuity of business operations. The rapid shift sometimes comes at the cost of sufficiently integrating into existing security systems. On the other hand, with more people online than ever before, there are more varied types of users with differentiated usability. As more customers work online in different ways with varied demands, organizations must also meet these needs of customer experience on top of implementing new hardware and software. As a result, a complex need for security solutions drives authentication vendors to innovate and adapt their offering while keeping up the highest grade of security level to stay ahead of the ever-evolving cyber attackers. Where increased security technology is compulsory, authentication solutions must also be flexible, combinable, and scalable to seamlessly secure customers and their privacy.
Recommended response: Implementing a flexible security solution becomes important to support a variety of technologies in different places.
The list of authentication solutions, their structures and the needs they address become plentiful, and a sea of vendors rises on the market. Organizations will need to identify internally the needs and user behavior of their customers, and their existing technologies, to design together with their vendor the most optimal and seamless solution. Organizations must implement a cybersecurity mesh architecture that can address all the security needs while increasing customer experience. Security experts predict that by 2024, organizations which adopt this mesh method can reduce the financial impact of security incidents by about 90%. As a result, organizations can address security risk, customer experience, and financial impact at the same time.
Trend #2: Continuous adaptive trust and adaptive authentication will rise on the market
Three main factors are commonly the driver for organizations to change, adapt, or upgrade their cyber security systems. These tend to go in the order of regulation (such as the SCA, GDPR, PSD2, and more), customer experience (improving the customer journey) and financial impact (costs resulting from fraud, loss of customers, ransomware, and other cyber-related attacks).
Although multi-factor authentication is a solid solution that often meets all the three trends, including regulator or auditor requirements, cyber attacks, particularly in account takeover (ATO), are becoming increasingly advanced. As a result, multi-factor authentication may not always sufficiently reduce ATO, eroding the customer experience. In such cases, using risks and recognition signals in a risk-based approach can shape a more advanced and effective authentication flow. Adaptive authentication, or even more advanced continuous adaptive trust (CAT), authenticates the customer in real-time based on context and signals. Common in the banking industry, the solution not only advances the security of the customer’s session, but also promotes more frictionless user experience.
Multi-factor authentication (MFA) is already demanded by auditors and regulators. It solves a great problem for most security and authentication situations as passwords are no longer sufficient solutions for security. However, based on the risk profile and customer flow of various use cases, MFA can erode customer experience depending on how often customers are prompted to use MFA. What becomes important moving forward is understanding how credentials can be combined with recognition and affirmation signals to provide sufficient trust for authentication.
Recommended response: Making a risk-appropriate choice for authentication is more important for security, customer experience, and costs, rather than purely checking boxes on compliance. User authentication must bring ATO risk within risk tolerance.
Gartner predicts that organizations that adopt continuous or adaptive authentication will have reduced ATO by 30% by 2025, while improving the customer experience by a factor of 20. Organizations should broaden and deepen risk-based authentication in their systems through the context of adaptive authentication. It becomes important that the authentication solution focuses not only on meeting the demands of regulatory pressures, but particularly to bring account takeover (ATO), or other risks, down to the organization’s risk tolerance level. Mapping out this risk tolerance for every use case, every customer group, and every set of technologies will ensure that organizations take proactive steps to increase security while addressing customer experience.
Tightening legislation and security regulations
Trend #3: Modern privacy laws and regulations will increase worldwide
Gartner predicts that by 2023, modern privacy laws will protect the personal information of 75% of the world’s population. With increasing regulations across the world, organizations are forced to comply with multiple data protection policies from various jurisdictions. Examples include the General Data Protection Regulation (GDPR) that was followed closely by Brazil’s General Personal Data Protection law (LGPD) and the California Consumer Privacy Act (CCPA).
Recommended response: Taking GDPR as the standard security operations base can help to further adjust for individual jurisdictions.
Customers will want to be informed about how their personal data is processed, meaning organizations are tasked with automating privacy management systems. By setting a strong standard from the beginning, it becomes easier to adapt any regulatory cases to new jurisdictions.
Trend #4: Nation states will continue to pass legislation to regulate ransomware payments, fines, and negotiations
Security experts anticipate a higher focus by regulatory institutions on payments beyond the broader focus on ransomware. Based on Gartner reports, 30% of nation states will have passed legislation by 2025, compared to 1% in 2021. Furthermore, the unregulated cryptocurrency market is driving questions regarding paying ransoms, and considering their impact in terms of ethical, legal, and moral implications.
Recommended response: Making cybersecurity a choice and a business decision is the best proactive step a company can take.
Strengthening the security on business processes by investing in cybersecurity solutions will always be less costly than paying the ransom for an uncertain outcome. The level of security systems at organizations will become increasingly important, not only for customers worried about their security but also investors that support and back business opportunities. Cybersecurity will almost inevitably become a principal determinant for handling business engagement and third-party transactions. These security programs may come through as questionnaires or security ratings. Where cybersecurity is predominantly perceived as a business risk rather than an IT risk, CISOs and CIOs rather than business representatives are often held responsible. As such, the role of cybersecurity experts in the boardroom will become more prominent.
You can always talk to one of our experts to see how you can improve security and user experience for your users, or read more about potential methods. If you have questions or feedback, please let us know.