Cybersecurity Predictions for 2025: Mesh Architectures, Ransomware Regulations and the Specter of Human Casualties

As 2021 draws to a close, technology research firm Gartner’s annual projections for cybersecurity professionals provide some insight into topics that may begin emerging in the coming year. This year’s set of cybersecurity predictions touches on the expected growth of privacy laws and ransomware regulations throughout the world, changes to corporate security structures, and even a warning of the first uses of operational technology to cause human casualties.

The consultancy’s annual predictions are not always 100% on the mark; for example, its set of predictions for the present day, published back in 2017, downplayed the prevalence of zero-day attacks. The firm does tend to be on top of general trends, however, anticipating increased interest in things such as automated AI security defenses and cloud visibility tools (along with correctly naming the year in which the first death directly attributable to a cybersecurity failure occurred).

Cybersecurity predictions see major shake-ups to organizational cybersecurity structure

The majority of this year’s cybersecurity predictions concern what organizations will look like going forward given the present trends in the threat landscape.

In addition to threat trends, these changes will be driven by the increasing adoption of data privacy and security regulations around the world. Gartner’s cybersecurity predictions see 75% of the world’s population being covered by privacy laws (either at the national or state/local level) in just two years. Gartner is actually increasing its confidence in this prediction; last year the firm said the same thing about 2023, but called for only 65% of the world to be covered. At present, about 130 legal jurisdictions around the world have data privacy laws. A national-level law in the United States is the one big holdout that remains, but individual states are increasingly filling in this gap by passing their own laws; Virginia and Colorado have recently passed bills that will go into enforcement at the start of 2023.

Another issue that developed fairly recently that will have a big impact on organizational IT structure going forward is the rise of remote work. Gartner’s cybersecurity predictions see businesses and other entities turning to mesh architectures in a big way, with these systems reducing the financial impact of attacks by an average of 90%. These systems focus on device-level security, giving each its own standardized set of defense tools to quickly and reliably secure otherwise unpredictable employee devices being used outside of the office. They are also a key element of the “zero trust architecture” trend, something that even the US government has embraced and expects to have in place for federal agencies by 2024.

The cybersecurity predictions also see organizations trending in the direction of “security as a service,” but looking for all of these various services to be provided by one vendor. Gartner thinks that 30% of enterprises will have adopted a cloud-centered security approach by 2024, looking to trusted vendors that can bundle a range of tools into one simplified package, with Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA) and Firewall As A Service (FWaaS) capabilities among the primary points of interest.

Cybersecurity risk is also going to become a deciding factor in who organizations choose to do business with, at least according to Gartner. The cybersecurity predictions see the security posture of a potential partner (or acquisition target) being a deciding factor in this area for 60% of businesses.

C-suites and boards of directors will also be doing things a little differently. By 2025, Gartner sees 40% of boards having a dedicated cybersecurity committee overseen by a qualified board member. Additionally, 70% of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime as well as other major risks of damage (such as natural disaster and civil unrest).

Increased crackdowns on ransomware payments

Though at the moment the position of most world governments is to allow companies to make ransomware payments if they determine it to be in their best interest, this could change quickly over the next four years. By the end of 2025, Gartner’s cybersecurity predictions expect 30% of nations to pass laws tightly regulating ransomware payments; this would be up from less than 1% at the moment. This may be driven in part by an anticipated failure to regulate cryptocurrency, which would remain a viable way for criminals to extract payments from victims.

Weaponized operational technology may cause human casualties

The grimmest entry in the 2021 cybersecurity predictions is that the first human casualties from a hack of operational technology systems will be seen by 2025. Gartner was accurate in its previous prediction of this nature, which said that the first cybersecurity failure ending in a fatality would happen by 2020; this very thing happened in Germany that year when the compromise of a hospital’s systems led to the death of an emergency patient who had to be redirected to another facility.

This follows a prediction from the US Department of Homeland Security Secretary that “killware” would soon be emerging as a leading cybersecurity threat. This malware would focus on penetrating industrial operations, medical facilities and utilities. Should this become a hacking trend, Gartner sees CEOs and executives being held personally responsible and liable for the damage.