If there’s one thing we can say unequivocally about 2021—we learned a lot of lessons about cybersecurity and just how vulnerable every business has become. On the flip side, we can grow from these events—and set ourselves up for a safer 2022.
Here’s a look at what happened in 2021, what we can expect in 2022, and strategies to develop a comprehensive cybersecurity program this year.
2021: Third-Party Risk and Technology Supply Chain Issues Erupt
The only way to keep up with these ever-evolving threats is to assess past risk and move forward with a layered, continuously improving cybersecurity program. No plan can be expected to be 100% effective, but when your people, processes, and technology are in sync, and everyone understands both the older and the newer threats, mitigating risk becomes easier.
Looking back at 2021, third-party and technology supply chain risk was a central, recurring theme.
In late December, a significant new threat emerged in Log4j, a widely used Java logging library. The Log4Shell vulnerability in it is one of the latest vulnerability trends to carry over into 2022, and it’s a dangerous one that could affect hundreds of millions of devices.
According to the Cybersecurity & Infrastructure Security Agency (CISA), Log4j is very broadly used in consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated, remote actor could exploit this vulnerability to take control of an affected system.
Log4j has repeatedly been called “the most serious vulnerability.” One of the biggest concerns with Log4j is that threat actors may already have gained access to your environment and be maintaining that access.
Other Examples From 2021
Other notable examples of breaches and attacks from 2021 include SolarWinds, Kaseya, and Accellion.
The SolarWinds breach occurred in late 2020 and into 2021 and was one of the first cyber incidents to show a cascading effect from one vendor to many other companies. SolarWinds develops software that companies use to manage their networks, systems, and IT infrastructure. In this digital supply chain attack, hackers inserted malicious code into trusted third-party software, potentially infecting all of the hacked company’s customers. Affected customers included Microsoft, government agencies, and others—reportedly impacting an estimated 18,000 organizations around the world.
The attack on US-based software provider Kaseya by the Russia-linked ransomware group REvil in July 2021 was estimated to have affected as many as 2,000 organizations globally. REvil exploited a vulnerability in VSA (Virtual System/Server Administrator), Kaseya’s remote computer management tool, which Kaseya customers use to monitor and manage their infrastructure.
Some of these companies did a good job of breach detection and response (BDR); others did not, because of blind spots in their cybersecurity processes. In Kaseya’s case, its response team detected the incident and quickly advised all on-premises customers to shut down their VSA servers, while also shutting down its own SaaS servers as a precaution. The company fared well, considering the potential for a massive, widespread attack: Kaseya said only a small number of on-premises customers (40) were affected.
In the Accellion data breach, the list of affected customers kept growing, reaching as many as 300 even six months after the attack, and included high-profile investor Morgan Stanley, the University of Colorado, Shell, and grocery giant Kroger. The private cloud solution company’s 20-year-old file-sharing product was the source of the infiltration.
When a third party is involved, you may not know who is “compromised,” which multiplies the number of potential points of exposure. What happens when your customers find out? More and more potential clients will only choose a partner who can ensure their company and customer data is kept safe.
Armed with what we learned in 2021, it’s clear we need to maintain the utmost awareness of current cyber threats. Here’s a preview of what’s expected this year:
- Log4j/Log4Shell will continue to affect IT professionals globally. As newly affected products continue to be disclosed, organizations must actively run vulnerability scans.
- Managed detection and response (BDR) will be essential for organizations that want enhanced context and visibility for better protection.
- Companies will begin asking for an updated accounting (third-party assessments) of the underlying technologies in the products that you and your third-party vendors use, such as a software bill of materials (SBOM). For example, hundreds of thousands of customers use Slack, but it is unclear which components Slack uses that might be vulnerable.
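To make the SBOM accounting concrete, here is an added example (not Defendify’s code) that scans a constructed CycloneDX-style SBOM for log4j-core entries in the published Log4Shell-affected range, honoring the backported fix releases on the 2.3 and 2.12 branches. The SBOM contents are constructed; the group and component names follow Maven coordinates.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON layout (only the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.2"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.slf4j", "name": "slf4j-api", "version": "1.7.32"},
    ],
})
# Published Log4Shell range for log4j-core, plus the backported fix releases
# on the older 2.3 and 2.12 branches that fall inside that range but are fixed.
AFFECTED_MIN, AFFECTED_MAX = "2.0-beta9", "2.14.1"
BRANCH_FIXES = {(2, 3): "2.3.1", (2, 12): "2.12.2"}

def version_key(version):
    """Map '2.0-beta9' or '2.14.1' to a sortable tuple; pre-releases sort
    below the matching final release."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre.lower())
        return nums + (0, m.group(1), int(m.group(2) or 0))
    return nums + (1, "", 0)

def is_affected(version):
    key = version_key(version)
    branch_fix = BRANCH_FIXES.get(key[:2])
    if branch_fix and key >= version_key(branch_fix):
        return False  # fixed backport on an old branch
    return version_key(AFFECTED_MIN) <= key <= version_key(AFFECTED_MAX)

def find_affected_log4j(sbom_json):
    """Return 'group:name:version' for every affected log4j-core entry."""
    hits = []
    for c in json.loads(sbom_json).get("components", []):
        if (c.get("group") == "org.apache.logging.log4j"
                and c.get("name") == "log4j-core"
                and is_affected(c.get("version", "0"))):
            hits.append(f"{c['group']}:{c['name']}:{c['version']}")
    return hits

if __name__ == "__main__":
    for hit in find_affected_log4j(SAMPLE_SBOM):
        print("AFFECTED:", hit)
```

Only log4j-core is checked because log4j-api on its own does not carry the vulnerable lookup code; a real SBOM may also list components by `purl`, which this example does not parse.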
More on Managed Detection and Response
Managed detection and response technology through BDR helps reduce the risks associated with Shadow IT (users deploying technology without the knowledge or approval of IT). Example: Grammarly announces a zero-day, but Grammarly is not an approved service at your organization, so you assume you are not affected. However, one of your employees has installed the Grammarly browser extension to proofread and correct emails. Because IT has no knowledge of or control over it, the software may remain unpatched or misconfigured.
How Do You Minimize Risk When Working with a Third-Party?
There is no such thing as being 100% protected from cyberattacks, so organizations need continuous monitoring and a comprehensive response plan. Adopt an “assume breach” mentality: accept that you will eventually be breached, and have the people, processes, and technology in place to limit the damage from a cyberattack and recover quickly.
As new threat vectors develop, companies will demand increased accountability, including third-party assessments of both you and your vendors. Keeping up is not difficult, but it takes a thoughtful process and is not a one-time project.
- Use a third-party risk assessment in the vetting process, as part of a third-party risk management strategy, to ensure vendors can protect your data.
- Put in place other safeguards, including Health Checkups, BDR, and Vulnerability Scanning.
Defendify Covers the Bases in a Comprehensive Solution
Defendify’s modules work together to help protect against the kinds of attacks we witnessed in 2021, along with what we may expect in 2022. Our modules specifically address third-party and technology supply chain risk; ransomware and double extortion; social engineering and phishing; and new requirements for cybersecurity insurance, including risk assessments of your company and its vendors.
Ready to deploy and easy to scale for any organization without an in-house IT team, Defendify’s all-in-one solution is not a stack of single-point products that require dedicated staff and expertise to manage effectively.
Enter 2022 with a robust cybersecurity program that is scalable and promotes ongoing improvement. Defendify has the cybersecurity expertise, guidance, and tools for protection for every business throughout the New Year.