Brent Johnson, Chief Information Security Officer (CISO) at Bluefin, sits down with Security magazine to discuss how data breaches will evolve in 2022 and beyond, and how organizations can update their cybersecurity practices.
Security: What is your background? Can you describe your current role and responsibilities?
Johnson: I earned my Bachelor’s degree in Computer Science and the majority of my professional career was spent traveling the country and the world providing information security consulting within the energy and financial sectors. Specifically, critical infrastructure protection (CIP) standards and various PCI program standards (PCI-DSS, PA-DSS, PCI P2PE).
Currently, I’m the CISO for Bluefin Payment Systems and responsible for information security across the enterprise. I also lead our PCI-DSS and PCI P2PE compliance programs.
Security: With the value of data increasing and hybrid work here to stay, how can companies and their security leaders update their security strategy in 2022 to prevent data compromise?
Johnson: With the shift to hybrid and fully remote workforces, we’re seeing more reliance on cloud service providers for endpoint security, identity management, infrastructure and hosting applications. While many companies still rely on VPNs for a company-hosted environment, the convenience and capabilities for cloud services to provide work applications, as well as monitor and secure endpoints from anywhere, are difficult to ignore.
In order to develop a successful strategy in 2022 to prevent data compromise, or really anytime before that, companies must understand where their sensitive data resides and ensure commensurate access controls are in place to prevent a compromise from taking place. It may sound simple, but that’s not always the case. As mentioned above, the reliance on cloud service providers may add convenience, but many cloud applications are accessible from anywhere and on any device. A company may lock down the workstations provided to employees, but what about employees’ personal phones, tablets, or computers? Can they access cloud services or sensitive data from these devices? How would you prevent it? What would a compromise of the cloud service provider mean for your company?
Whether an employee is in the office, at home or on the road, companies have a responsibility to not only secure the systems and data their employees are working with but also provide employees the training they need to do so effectively.
Security: What are your predictions for how the cyber threat landscape will evolve this year? What types of attacks should be top-of-mind for organizations when developing their security strategy?
Johnson: Following the significant shift to a remote workforce, we’ll likely continue to see a rise in attacks on home systems and networks being used as a vector to business systems and data. Home networks and systems are inherently less monitored and secure than office environments and present additional security challenges.
With federal policy being drafted trying to address ransomware, these extortion-based attacks are proving very effective and aren’t going anywhere anytime soon. I also predict the coming year will see a shift from Bitcoin to a more privacy-based cryptocurrency for ransom payments, making it much more difficult for law enforcement to track.
Lastly, with the heavy reliance on cloud and third parties being utilized by businesses in 2022, we’ll likely see an increase in attacks on cloud infrastructure and supply chain attacks. These attacks are usually more complex but can affect hundreds to thousands of businesses in a single attack.
Companies should be performing formal risk assessments in order to understand where their risk lies, and what measures are in place to mitigate that risk. Obviously, prevention is the goal, but if an attack does occur, there must be a solid documented, tested incident response and recovery plans in place to address the various scenarios which might occur.
Security: Which industries do you think will be targeted most by hackers this year? How can companies and their security leaders stay ahead of these attacks?
Johnson: As the saying goes, follow the money. Identity theft is still on the rise, so healthcare and educational institutions will continue to be prime targets with data being sold on the dark web.
Unfortunately, any business that relies on stored data to provide business services will be a prime target for ransomware attacks as well.
For both of the above, institutions must have sound (and more than one) backup strategies and should never be storing data in cleartext. Sensitive data should always be encrypted or tokenized at rest and should only be converted to cleartext as needed within minimally accessible and locked-down environments.
Security: With the current geopolitical landscape, what do organizations need to be aware of, from a cybersecurity standpoint?
Johnson: This is a tough one. Attacks in this sphere tend to be state-sponsored and can be very sophisticated incidents that affect many businesses. One could point to energy or governmental sectors as prime targets, but I think the best advice is to always be ready. Again, reliance on third parties is a main threat vector here. Is there third-party software or services being used within your organization that, if compromised, could threaten your company’s operations? What is your backup and recovery plan? Businesses must have answers to these questions.