A combination of expanded regulations and growing threats are defining the technology security landscape, spurring the need for enhanced collaboration within and outside organisations, according to a new report by Gartner.
The report listed eight cyber security predictions for 2022 through to 2025, including the emergence of dedicated cyber committees at company boards and the rise of weaponised technology.
Greater accountability and co-operation is required among the stakeholders who are responsible for achieving business objectives in such a landscape, said Sam Olyaei, a director at the US-based research company.
“We have to adapt how we look at things. We have to always start with the business goals of our own organisation ... the diversity of opinion [matters] when you make decisions on cyber security in the future," Mr Olyaei said at the Gartner Security and Risk Management Summit.
Data breaches and major IT outages worry companies the most, German financial services company Allianz said in January. Overall, cyber criminal activities were projected to inflict damages worth about $6 trillion globally in 2021, a study by research company Cybersecurity Ventures found.
Within the last decade, security and risk have become boardroom topics, privacy and data protection have gone mainstream, ransomware has become a major burden for enterprises and governments, and cyber security is getting weaponised, experts at the summit said.
"We’re falling into this old habit of trying to treat everything that we do the same [way] that we did in the past … this simply cannot continue. We need to make sure that we are evolving our philosophy, programme and architecture to think about the future of cyber security," Mr Olyaei said.
Expanded privacy laws
By 2023, 75 per cent of the global population will have its personal information covered under modern privacy laws, Gartner said.
Several countries have planned or enforced such laws – a notable one being the EU’s General Data Protection Regulation aimed at protecting users – with more jurisdictions expected to follow soon.
“Customers would like to know what data is being collected and how it is being used,” Mr Olyaei said.
Minimised financial hit from security breaches
As more organisations adopt a mesh architecture – which is flexible and integrates widely-distributed security services – the financial impact of security incidents will reduce by an average of 90 per cent by 2024, according to Gartner.
Mesh architecture is an “effort to optimise your technologies to make sure the tools talk to each other … and you have a holistic view of your cyber security”, Mr Olyaei said.
This would allow improved facilitation of remote work, with security no longer baked into assets, but rather “bolted on”.
Consolidated approach
By 2024, 30 per cent of enterprises will adopt cloud-delivered secure web gateways, cloud access security brokers, zero-trust network access and firewall-as-a-service capabilities from the same vendor.
Organisations would increasingly opt to consolidate vendors providing IT services, a top priority for business leaders, Mr Olyaei said.
“Long term, think about implementing zero-trust network access as the basis for all of your users and applications regardless of where they sit."
Role of cyber risk to grow
Up to 60 per cent of enterprises will use cyber security risk as a primary determinant in conducting third-party transactions and business engagements by 2025.
Cyber risk has long been given importance in other segments, especially in the stock market and by venture capitalists, because of the amount of sensitive data that is used and accessed, Mr Olyaei said.
Transactions in the areas of mergers and acquisitions, vendor contracts and investments, will soon start to focus more on cyber risk.
Ransomware payment legislation
By 2025, 30 per cent of nation states will pass legislation that regulates ransomware payments, fines and negotiations – up from less than 1 per cent in 2021.
Cryptocurrencies are a sticking point; they are usually demanded by attackers, and organisations’ lack of access to this largely unregulated market means it will most definitely disrupt contingency plans in the event of an attack.
Ransomware attacks surged 151 per cent in the first half of 2021, the World Economic Forum said last month.
“Threats have proliferated,” Mr Olyaei said. “You have to work with your legal department … you could break laws by paying ransom.”
director at Gartner
Dedicated cyber security committees
With organisations recognising the importance of cyber security to operations, 40 per cent of boards will have a dedicated cyber security committee overseen by a qualified member by 2025.
This will not be just another team within the organisation – it will be a top and board-level committee composed of individuals who have built a reputation and image in this space, Mr Olyaei said.
Accountability will play a huge factor in ensuring enterprise security; stricter oversight and scrutiny will be witnessed by qualified board members, which in turn will improve the visibility of cyber security risks, he said.
Culture of resilience
By 2025, 70 per cent of chief executives will mandate a culture of organisational resilience to survive coinciding threats from cyber crime, severe weather events, civil unrest and political instabilities.
This implies cyber security teams and leadership will have to formalise relationships between business continuity management and disaster recovery teams.
“As you add more digital transformation initiatives, you’re adding more complexity to your threat landscape,” Mr Olyaei said.
Emergence of weaponised tech
Perhaps the most startling of Gartner’s predictions is its expectation that threat actors will have successfully weaponised operational technology environments to cause human casualties by 2025.
Weaponised OT compromises the integrity of a system with the intent of "causing harm to humans or killing them", according to Gartner.
“This will shift the focus from business disruption to physical harm, with regulatory reaction likely to be placed on chief executives,” Mr Olyaei said.
