Firms Will Struggle to Secure Extended Attack Surface in 2022
Companies are relying more heavily on third parties, remote employees, and partners, expanding their attack surface area beyond traditional boundaries.
November 10, 2021
FORRESTER SECURITY & RISK CONFERENCE — In 2022, much of cybersecurity will boil down to managing the security of relationships, as companies adapt to the post-pandemic remote workforce and the increased use of third-party providers, a panel of analysts stated at the Forrester Research Security & Risk 2021 Conference.
Among five predictions for the coming year, the analysts argued that companies' attempts to manage remote employees would stray into intrusive territory, causing workers to push back and hampering security-focused monitoring, such as that for insider threats. Other predictions maintain that 60% of security incidents in the next year will come from issues with third parties, while the cybersecurity workforce will suffer from burnout and join what's been called the "Great Resignation," the recent trend of workers leaving the workforce.
Relationships are at the center of these trends, Sandy Carielli, principal analyst with Forrester Research, said at the conference. While the uncertainty of the last 18 months has made workers, managers, and partners more reliant on each other, security in 2022 will rely on ensuring a business's relationships are secure.
"To be effective in this environment, we [companies] had to change the way we interact with colleagues, and accelerate and automate our relationships with partners, with vendors, and with customers," she said. "We have gotten pretty good at collaborating, but security needs to catch up. This year, every prediction we made came back to a single theme: 2020 will be all about securing relationships."
In 2021, with the pandemic still disrupting economies worldwide, businesses had hoped to settle on a "new normal," yet day-to-day operations still lack a stable status quo. Employees moved to remote work, and the majority want to keep working outside the office at least part of the time. Pushed to adapt, companies have adopted new services and technologies, but with a different focus.
Businesses had relied on a "just-in-time" strategy that prioritized efficiency, but supply chain disruptions have forced companies to refocus on a "just-in-case" strategy that prioritizes resilience, Alla Valente, senior analyst with Forrester Research, said during the panel discussion.
That makes third parties, especially those with the right product or skills, immensely valuable, but using third parties comes with risk and those new relationships must be secured, she said.
"Third-party risk isn't a new risk, but what is different this year is the proliferation of how quickly the third-party ecosystem is growing," Valente said. "Firms are finally realizing that it's far easier to leverage the technology and innovation of third parties than taking the time to build it or develop it themselves internally."
Most medium and large companies have used cyber insurance to offset the risk of a cyberattack, but the market has been destabilized by large payouts for ransomware-driven operational disruptions, with some insurers arguing that state-sponsored attacks fall under "act of war" exemptions or excluding ransomware attacks from their policies altogether.
Forrester Research predicts that one-fifth of firms will require cyber-insurance policies in their third-party contracts. If a partner wants to continue to do business, they will have to improve their security so they can comply with cyber-insurance requirements, Jess Burn, a senior analyst with Forrester, said during the presentation.
"This is a relationship-altering move for third-party partners," Burn said. "It is best to be sparing with this tactic and should only be used when the risk is high."
Forrester also predicts that companies adopting software to better manage remote workers could run into problems if they don't consider employee privacy. Forrester has found that 43% of employees in the United States are worried that too much of their personal data is being collected by companies. Almost three-quarters (74%) of those employees do not want their data used for workforce analytics, said Enza Iannopollo, principal analyst at Forrester.
If companies push intrusive technologies that demonstrate that managers don't trust workers and are not clear about policies around what data is collected, such moves will likely lead to attrition, she said.
"This clearly will have a negative impact on the employee morale, engagement, and experience," Iannopollo said. "The backlash around employee monitoring, and the growing concern around the executive ... will have a negative effect on other forms of employee monitoring, such as insider threat defenses."
Clients should use workforce analytics approaches that are not excessively intrusive and communicate clearly with employees about what information is collected, Forrester recommends. The analyst firm also forecasts that cybersecurity professionals will not be immune to the trend of workers leaving the workforce over the past 18 months—what some have called the "Great Resignation." Demand for cybersecurity professionals remains strong, with an estimated gap of 2.7 million between demand and supply.
Forrester further forecasts at least one security vendor meltdown, driven by overpromised and underperforming products and the inability to adapt to the disruptions in the market.