Many companies will not see the benefits of their zero trust efforts in the coming years, while legislation on paying off ransomware gangs will expand and attacks on operational technology could have real consequences, according to a series of cybersecurity forecasts.
The list comes from tech analyst Gartner, which said business leaders should incorporate these strategic planning assumptions into their security strategies over the next two years.
“We can’t fall into old habits and try to treat everything the same way we did in the past,” said Gartner senior director analyst Richard Addiscott. “Most security and risk leaders now recognize that a major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, philosophy, program and architecture.”
1. Consumer privacy rights are extended
Privacy regulations continue to expand, and the tech analyst predicts they will extend to five billion people and over 70% of global GDP. It said organizations should track metrics on subject rights requests, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.
2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and access to private applications
Gartner said that with the emergence of hybrid work, vendors are offering integrated edge security services for securing web and cloud applications. The benefit of this is tighter integration, fewer consoles to use, and fewer locations where data needs to be decrypted, inspected, and re-encrypted.
3. Many organizations will embrace zero trust, but won’t realize the benefits
The tech analyst predicts that by 2025, 60% of organizations will attempt to adopt zero trust security, a concept that assumes there is no traditional ‘perimeter’ to the corporate network, requiring regular reauthentication of all devices and users. But it said more than half will not realize the benefits.
Replacing implicit trust with identity- and context-based, risk-aligned trust is extremely powerful, Gartner said, but requires a cultural shift and clear communication that connects it to business outcomes to reap the benefits. And not all companies that try will be successful.
4. Cybersecurity becomes the key to choosing business partners
Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a “primary determinant” when conducting third-party transactions and business arrangements. According to Gartner data, only 23% of organizations monitor third parties for cybersecurity exposure in real time. But due to pressure from customers and regulators, it believes organizations will push for the measurement of cybersecurity risks, ranging from simple monitoring of a critical technology provider to complex due diligence for mergers and acquisitions.
5. Ransomware payment legislation is on the rise
At the moment there is little legislation about when companies can and cannot comply with ransomware demands. That is about to change; Gartner predicts that one in three countries will introduce such laws soon. The decision whether or not to pay the ransom is a company-level decision, not a security decision. Gartner recommends engaging a professional incident response team, law enforcement and regulatory agencies before negotiating.
6. Hackers will weaponize operational technology environments to cause human casualties
Attacks on OT — hardware and software that monitor or control equipment, assets and processes and are often the brains behind industrial systems in factories or power grids — are becoming more common and more disruptive, Gartner said, warning that by 2025, threat actors will have “armed” operational technology environments to cause human casualties. “In operational environments, security and risk management leaders should be more concerned with real-world threats to people and the environment, rather than information theft,” the analyst firm said.
7. Resilience is about more than just cybersecurity
By 2025, 70% of CEOs will foster a culture of organizational resilience to face threats from cybercrime, as well as severe weather, civil unrest and political instability, Gartner said. “With lingering disruptions likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative.”
8. Cybersecurity is important for the CEO’s bonus
By 2026, 50% of C-level executives will have risk-related performance requirements built into their employment contracts, Gartner said. As boards now increasingly view cybersecurity as a business risk rather than just a technical one, responsibility for cyber risk will shift from the security leader to senior business leaders, it said.