2021 was a tumultuous time for security, marking both massive breaches — a trend that sped up during the pandemic — and widespread action for trying to fix the problem.
On May 7, 2021, the Colonial Pipeline, an American oil pipeline system, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline.
In response, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity that includes sweeping measures on how cybersecurity in the federal government is handled.
The order covers the contracts under which IT and OT service providers conduct an array of day-to-day functions on Federal Information Systems. The government plans to take “decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties.”
However, security initiatives at organizations will still need to evolve to gain wholesale developer support.
According to the VMware-commissioned Forrester survey called Bridging the Developer and Security Divide, over half of the developers feel that current security policies stifle innovation.
“Organizations expect developers to be more involved with security tasks in the future, particularly among cloud and workload tasks. However, developers currently aren’t very involved in security strategy planning or execution,” the report stated.
The best way around these bottlenecks, according to Forrester, is to make sure security is no longer a specialization at an organization and that security tasks are embedded across people, teams, processes, and technologies, as in DevSecOps.
As employees left their companies throughout the year’s “Great Resignation”, they oftentimes — intentionally or otherwise — took valuable source code, patent applications, and customer lists with them, resulting in data leakage.
Code42, an insider risk detection and response company, unveiled these findings from its Incydr software solution, reporting that insider data leaks and theft contribute to losses of up to 20% of revenue annually, and that, due to widespread job exits, this problem might get worse before it gets better.
From April to June 2021 there were 61% more data exposure events than in the previous quarter, and that same time frame accounts for 86% of all exposure events experienced by organizations throughout the first half of the year, according to Code42.
The best way to prevent these types of leaks is for organizations to give employees thorough training on their data and handling policies so that everyone knows what guidelines they are expected to follow, and also, new cloud-based insider risk management technologies can verify whether people are working within those guidelines, according to Joe Payne, CEO of Code42.
Another shift in the security landscape is in which vulnerabilities now pose the biggest threat. The latest edition of the OWASP Top 10 showed that the rankings of the highest-priority vulnerabilities have all shifted since 2017, and new categories have been introduced.
Broken Access Control, which previously held fifth place, has dethroned Injection as the top vulnerability.
Also, new categories of top 10 vulnerabilities this year included Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery.
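To make the new number-one category concrete, here is an added illustration that is not from the article or from OWASP: a constructed record-lookup handler that trusts a client-supplied identifier (the classic Broken Access Control pattern), alongside a hardened version that checks ownership on every request and denies by default. The `Invoice` records, user ids and `AccessDenied` exception are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float


# Constructed sample data: two invoices belonging to two different users.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(id=1, owner_id=100, amount=42.0),
    2: Invoice(id=2, owner_id=200, amount=99.0),
}

# Constructed audit trail so denied requests are visible to detection tooling.
AUDIT_LOG: List[str] = []


class AccessDenied(Exception):
    """Raised when the caller is not authorised for the requested record."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Broken Access Control: the handler authenticates the caller but never
    checks that the caller owns the record, so any logged-in user can read
    any invoice simply by changing the id in the request."""
    return INVOICES[invoice_id]


def get_invoice_hardened(
    current_user_id: int, invoice_id: int, is_admin: bool = False
) -> Invoice:
    """Hardened handler: enforce the authorisation decision server-side,
    on every request, and deny by default."""
    invoice: Optional[Invoice] = INVOICES.get(invoice_id)
    allowed = invoice is not None and (invoice.owner_id == current_user_id or is_admin)
    if not allowed:
        # Log the denial for monitoring, then fail closed. Missing and
        # forbidden records produce the same error so the response does not
        # reveal which ids exist.
        AUDIT_LOG.append(
            f"access denied: user={current_user_id} invoice={invoice_id}"
        )
        raise AccessDenied("invoice not found or not accessible")
    return invoice


def denied_count() -> int:
    """Number of denied requests recorded so far (useful for alerting)."""
    return len(AUDIT_LOG)


if __name__ == "__main__":
    # User 100 reading user 200's invoice succeeds against the vulnerable handler...
    print("vulnerable:", get_invoice_vulnerable(100, 2))
    # ...and is refused by the hardened one.
    try:
        get_invoice_hardened(100, 2)
    except AccessDenied as exc:
        print("hardened:", exc)
    print("denied requests logged:", denied_count())
```

The important design point is that the check lives in the server-side handler next to the data access, not in the client or in a UI that merely hides links; the audit entry gives a detection team a signal when one user starts requesting many ids they do not own.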
Mobile usage skyrocketed throughout the pandemic and as a result, created a larger attack surface.
Android recognized the additional security needs of the platform, and with the release of Android 12 in October 2021 introduced more security features and services for enterprise customers, including improved password complexity controls.
The features make it easier to protect company data and to disable USB signaling on company-owned devices to limit USB-based attacks.
Android also launched the Enterprise Vulnerability Rewards Program with the offer of up to $250,000 for a full exploit on a Pixel device running Android Enterprise.