Nearly 59% of businesses have accelerated their journey to digitalization while public cloud spending is seeing record growth and adoption in organizations worldwide. There is also a seismic shift in customer expectations when it comes to digital. Yet the business environment continues to remain fluid and uncertain. Decisions made for short-term gains are bound to inflict longer-term pain because such choices, made at speed, often tend to bite back. According to recent research, almost three-quarters of cyberattacks in the last 12 months can be attributed to technologies adopted during the pandemic.
The Information Security Forum (ISF) now believes that the technologies to manage customer and employee expectations that organizations have rapidly adopted to accelerate their digital transformation could slowly result in a dead end. By 2024, businesses will encounter three major cyber threats resulting from today's hasty technology decisions.
Threat 1: The Cloud Risk Bubble Bursts
The benefits bestowed by moving more and more operational and business infrastructure to the cloud will be seen to have a hidden and rising cost as this strategy begins to stifle the flexibility that organizations need to innovate and respond to incidents.
Organizations will find that their technology choices are stunted and their options for switching suppliers are limited by their reliance on particular cloud platforms and their partners. Further, several unforeseen issues surrounding trust such as governance, compliance, security, predictable pricing, performance, and resiliency might emerge.
As privacy regulations tighten around the world, data sovereignty is a major topic of concern. Businesses that fail to comply with local regulations will face lawsuits, investigations, penalties, and risk losing competitive edge, reputation, customer trust and confidence. Additionally, cloud mismanagement and misconfigurations (probably due to a widening cloud talent shortage) will continue to be a huge threat to organizations — an estimated 63% of security incidents are said to be caused by cloud misconfigurations.
Threat 2: Activists Pivot to Cyberspace
While social movements sparked from social media aren't new, ISF predicts that in the coming years traditional activists will increasingly leverage established cybercriminal attack patterns to score political points and halt what they regard as unethical or unnecessary corporate or government behavior. The Ukraine-Russia crisis is a great example of this where global hacktivists are coming to Ukraine's aid by collaborating on online forums and targeting Russian infrastructure, websites and key individuals with malicious software and crippling cyberattacks.
Activists can be motivated by moral, religious, or political beliefs; they can also serve as puppets of rogue nations or political regimes trying to gain competitive advantage or influence over foreign policy. As factories, plants, and other industrial installations leverage the power of edge computing, 5G, and IoT, online activism will enter a new era where these so-called "hacktivists" will increasingly target and sabotage critical infrastructure.
Threat 3: Misplaced Confidence Disguises Low-Code Risks
Resource constraints and the shortage in supply of software developers is giving rise to no-code, low-code technologies — platforms that nondevelopers use to create or modify applications. Per Gartner, 70% of new applications will be developed using low-code and no-code technologies by 2025.
However, low-code/no-code technologies present some serious risks. As these tools permeate organizations, the challenging work of ensuring that developers follow secure guidelines when creating apps and code will be undermined. Enthusiastic users keen to get their projects running will turn to these tools beyond the oversight of the IT teams, creating shadow development communities that are ignorant of compliance demands, security standards, and data-protection requirements. According to recent research, governance, trust, application security, visibility, and knowledge/awareness are some of the major concerns cited by security experts surrounding low-code/no-code tools.
What Can Organizations Do to Protect Themselves?
ISF outlines best practices that can help mitigate above-mentioned risks:
- Organizations must seek clarity internally regarding cloud strategy and ensure that it meets desired business outcomes. In the short term, organizations should enumerate their cloud footprint to determine current levels of integration and highlight any potential lock-ins. Next, they must establish appropriate governance around cloud orchestration to ensure understanding of the overall footprint, and control of its sprawl. In the longer run, businesses must maintain dedicated in-house or perhaps third-party teams to oversee the development of the cloud both from a supplier management standpoint and from a technical architecture and operations perspective. They must identify and understand single points of failure and mitigate against those points of failure by building in redundancy and parallel processing.
- Security practitioners must take a broad view of how their organization works and assess the likelihood of them being targeted. Ethical and geopolitical motivations should be considered when drawing up a list of potential adversaries. They must also engage with threat-intelligence teams to identify early indicators of compromise, conduct purple team exercises on remote installations to determine whether they can withstand attacks, and monitor access to mission-critical information assets to deter insiders keen on harming the organization. It's also important that they develop relationships with other departments to combat multivector attacks.
- Investigations must be set up to uncover applications that are being produced by no-code/low-code tools. This starts with defining policies and procedures and then assessing their organization's use of no-code/low-code tools and discovering which applications have been created with them. Some employees may not be aware that they are using them or might even fail to declare their existence. So, this comes back to things like training, awareness, and monitoring. It is also recommended that security teams investigate data use by application, to see if business data and information is being accessed by these tools or resulting programs. This is a large task and shouldn't be underestimated.
The reality is that technology evolves so fast that it's nearly impossible to factor in all security risks. What businesses need is proactive risk management. This means regular assessment of where your organization is, regular assessment of where your vulnerabilities lie, regular assessment of your security priorities, and regular security training for your employees and extended partner ecosystem.