2021 brought widespread digital transformation and productivity gains across many sectors and regions worldwide, with remote and remote-hybrid workplace dynamics establishing new cultural and technological norms. It has also meant more opportunity for increasingly complex cyber threats to affect a record number of organizations.
As cyber security trends and the resulting threats evolve, awareness training efforts must shift to accommodate those changes. These alterations will ensure employees are mindful of current warning signs that their information may be vulnerable and how to go about avoiding cyber attacks if they become a target.
Here’s a rundown of some major cyber security awareness trends every CISO and security leader should keep an eye on in 2022:
As rises to prominence go, no cyber threat category had a more meteoric one in 2021 than ransomware. According to the U.S. Treasury’s Financial Crimes Enforcement Network, roughly $2.2 million was handed over to cyber criminals in ransomware transactions every day. That figure is not expected to decrease this decade either – damage-related costs could surpass $265 billion by 2031.
These statistics should prove, once and for all, that technological safeguards alone can’t keep ransomware and other malware attacks from compromising an organization’s sensitive data. Through informative training courses and real-world phishing simulations, security awareness training programs must prioritize these threats as part of their education menu in the coming year.
One by-product of the global shift towards remote and remote-hybrid workplace models was an uptick in the number of malware attacks on mobile devices rather than desktop computers or laptops. A 2021 McAfee sample database identified over 4,000 mobile threat variants, complicating an already fraught cyber threat landscape.
The importance of smartphones and tablets in everyone’s lives has only grown since the beginning of 2020. From the explosion of mobile wallet usage to the ubiquity of QR code scanning (over a third of individuals living in the U.K. and Europe scan one at least once per week), all employees should be on high alert. Security awareness training content must include guidance on mobile-centric scams as well.
Ransomware was a popular method for cyber criminals to extract funds from victimized organizations in 2021, and cryptocurrency payouts skyrocketed as a result. The operators of the Colonial Pipeline were arguably the most publicized victims of one such scheme, paying hackers a crypto ransom of $4.4 million. Only part of the total amount was later recovered by the Department of Justice.
But cryptocurrency is becoming synonymous with cyber attacks in more ways than one. New types of attacks, such as one Discord-distributed malware campaign, directly targeted crypto and NFT enthusiasts with a sophisticated payload that bypassed traditional antivirus architecture. The solution, at least in part? Ensure that all end users understand the warning signs of a malware threat, as well as what they should do when faced with a possibly malicious message or a link directing them to a file.
Let’s stay on the subject of the initial message of any cyber attack for a moment. These messages typically leverage well-known phishing and social engineering techniques to trick victims into disclosing sensitive information. However, phishing emails are becoming even more challenging to detect, even for employees familiar with the methods hackers may employ.
Many phishing messages now direct recipients to links served over “HTTPS,” which engenders a false sense of trust in the content: the padlock only means the connection is encrypted, not that the site behind it is legitimate. Spoofing touches, such as well-known brand logos and other branding elements, can make the red flags harder to spot. The proof is, in part, in this year’s Gone Phishing Tournament results, where one in every five participating end users clicked on the phishing email link.
The takeaway is simple: Your security awareness training program must include real-world phishing simulation templates that reflect examples of emails and landing pages employees may encounter out in the wild. Otherwise, they may be unable to differentiate the safe from the harmful.
Finally, there’s the subject that ties cyber security to long-term business growth: the potential cost of navigating a data breach. Though this amount will vary based on an organization’s industry, size, and operating region(s), one constant transcends these differentiators: the dollar figure associated with this possibility has gone up considerably in the past year.
Take the example of CNA Financial Corp., one of the largest insurance companies in the U.S. In late March, they paid $40 million to cyber criminals following a ransomware attack that seized control of their network. Despite the company’s stated adherence to “all laws, regulations, and published guidance,” this amount was described by experts as an unprecedented high.
With this new public disclosure, bet on cyber criminals using this amount as a yardstick by which ransoms will be measured in 2022.
The realities of cyber security awareness and how crucial it is to the protection of sensitive information can feel daunting at times, especially in the face of continually accelerating digital transformation. However, there is a silver lining in all this: a robust security awareness training program, one that’s focused on changing end user behaviors for the better, can make a difference for your organization.
Clearly communicating its importance to executives and end users alike will boost training campaign engagement and completion rates. Leveraging high-quality content bolstered by hands-on practical exercises, such as phishing simulations or immersive, gamified modules, will also go a long way toward safeguarding your organization’s sensitive data in 2022 and beyond.