
Annual Predictions Review – Ep 336 

 December 31, 2021

By  Donna Grindle

Annual Predictions

A new year is right around the corner. The good news is 2021 wasn’t as unpredictable as 2020, but 2022 could be tricky to navigate. It’s time for our annual predictions, the time when we review our 2021 predictions and set new ones for 2022. So, let’s get started.



Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.

Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.

The HIPAA Boot Camp Virtual Edition
Feb 22-24, 2022

Sign up NOW!

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

More details coming soon…

Learn about offerings from the Kardon Club and HIPAA for MSPs!

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause, you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[08:51] A lot of infrastructure is built on the Amazon Web Services (AWS) platform. Even the Amazon shopping services run on AWS. So, when the recent AWS outage occurred, lots of people and businesses noticed, including David’s MSP business.

Amazon explains the cause behind Tuesday’s massive AWS outage

David’s company uses several apps or services that their vendors host on AWS, including the ticketing system they use to communicate with their clients when they have IT issues. The client has a problem, they submit a ticket. But it’s not David’s company that runs these services on the AWS platform; it’s the vendors he uses for these apps that do. Needless to say, the AWS outage disrupted the flow of business for David.

Luckily for David, he didn’t simply rely on the popular school of thought of “Oh, we’re in the cloud” or “We’re on AWS, we don’t have to worry about anything.” He built redundancy into his workflow. He has an alternative way to function in every aspect of his business in the event his primary workflow is disrupted. Not everyone does this, though. Part of business continuity is having a way to keep working and caring for your patients or clients when a disaster strikes.

Remember, when you’re having discussions about migrating to the cloud, or you’ve already migrated, understand that you are shifting control of your infrastructure. You are not outsourcing the risk. You still carry the risk. You are also not outsourcing the accountability when bad things happen. So, if confidentiality, integrity or availability is interrupted, AWS is not the one on the hook for it; you are.

By moving to the cloud, you can mitigate or limit some of the risk and responsibility that come with having everything on site. But by mitigating that risk, you take on different risks that you are still responsible for. Regardless of whether you maintain the infrastructure on site or move it to the cloud, you are going to have risk. This is where doing your own assessment of these options comes into play.

Annual Predictions Review – Top 10 Review

[17:47] It is time for our annual review of where we’ve been and where we are going. The good news is that 2021 wasn’t as unpredictable as 2020. The bad news is that what we consider unpredictable keeps changing. To be honest, it may be that we played it safe more than not with our educated guesses for this year, but considering where we were a year ago at this time, who could blame us!

2021 not as bad as 2020

  • Security incentives for frameworks like NIST and 405d will drive a new approach to cybersecurity programs. – It hasn’t come to complete fruition, but it’s still in its infancy and it’s growing up quickly.
  • SolarWinds details will trickle out and become the driving force for changes in supply chain requirements especially those involved in IT infrastructure. – that has happened. It is continuing to happen. It is ongoing.
  • Cyber attacks will continue to become more complex. – yeah, that happened and continues to do so.
  • Telehealth and remote work are a permanent part of work and care infrastructure. – yep, check!
  • Companies will start to look at cybersecurity as necessary, not a luxury. – they are starting to, but there is a long way to go.
  • Virtual meeting platforms will focus more on being a WFH solution, not just remote meetings. – yes, definitely. These apps are doing so many things to help control your environment to help prevent distractions in the background.
  • Start seeing cyber fallout from 2020’s sudden shift to a work-from-home workforce including the IoT impacts. – yes, more of the IT folks are seeing this vs the general public, but yes it is happening.
  • Rise in targeting home networks as an entryway into companies. – We’re not really seeing that yet, because attackers are still figuring out the vulnerabilities and how to use them; it is a different path into a company network.
  • VPN and RDP attacks will rise due to remote work and all the vulnerabilities that keep showing up. – yes, this is definitely happening. Stay away from free VPN apps.
  • More cybersecurity regulations will be coming and changing because of all the other things we just mentioned. – we see a lot of them proposed, but we have not seen them passed and implemented yet.

2022 has potential to be one extreme or the other

[28:58] As we look at all the things happening around us, it feels like the next 12 months will be tricky to navigate. What used to be simple discussions are becoming heated arguments with personal attacks. That creates emotional responses, and we know what emotional responses do in cybersecurity. The storm that is tossing us around could become worse or settle down, but it certainly won’t continue at this level for another year.

Any time I think of making predictions, I remember discussing work with a weather forecaster a few years ago. People complain when they don’t get the forecast exactly correct. His point was that what they are really saying is that you did not accurately predict the future. It changed the way I looked at weather forecasting forever. So let’s try it again.

Supply Chain will continue to be a big story for two reasons.

  1. Cyberattacks in the supply chain.
  2. The inability to get equipment will start to impact our ability to replace hardware elements as needed. That means operating with out-of-date or unstable equipment.

Ransomware will continue to evolve.
[37:32] In fact, we need a new name for it today. What we call ransomware today is so much more than what it was even a few years ago. At least now US law enforcement and the military are actively targeting the criminal organizations. The proliferation of organized cybercrime gangs happened in the last few years. The full-on attack-back methods employed recently have at least hampered their ability to operate freely. If that hadn’t happened, it would have been so much worse this year. As we have said before, these gangs have their own BC/DR plans. Unless authorities actually catch the ones running an operation, it will always be back.

More pressure on businesses to do better
[46:01]

  • Cyber coverage rates skyrocketing will force many companies to rethink the “I have insurance” approach to cybersecurity.
  • Cyber insurance coverage will increasingly depend on the existing level of cybersecurity posture, and organizations will have cybersecurity standards they’re expected to meet.
  • SEC penalties for lack of transparency will extend to vulnerabilities and not just incident disclosure.
  • New cryptocurrency regulation in several countries will change the nature of ransomware, discouraging any but the bigger gangs who typically target larger organizations.
  • Ransomware disclosure laws (proposed by Senator Warren) will get push back for private companies. Still, the list of “terrorist organizations” that can’t be paid ransom will increase greatly to make up for it.
  • State privacy and fraud regulations can be used against businesses, as they were in recent NJ cases.
  • How will regulations affect businesses? (carrot or stick)

HIPAA Specific – Recognized Security Practices Adoption and Privacy Rule NPRM
[54:17]

  • Changes are past due for Privacy. The NPRM for the Privacy Rule changes has been sitting out there for over a year. There are a lot of good things in it, so hopefully there will be headway made on it.
  • RecSec can be done now, but needs specific implementation guidelines from OCR.

Vulnerable software will continue to be discovered regularly including the zero days.
[56:33]

(Honorable Mention) Deep Fakes
[1:03:42] There hasn’t been much mention of deep fakes yet, but it’s likely not far away from being used as an attack vector. The software to do this with is easy to get and is dirt cheap. When people like us are putting content out on the internet with our voices and videos, creating a deep fake is relatively easy. Can that then be used against your clients or your staff? Who knows. It’s not to say that you should stop putting audio and video content out there. It’s to say that you just need to know where the vulnerabilities are and what you are going to do to make sure you mitigate them.

That is our review of 2021 and what we think the year is going to hold in 2022. And, of course, this time next year we will do another annual review. Until then…

Happy New Year, Everyone!

There are so many attack surfaces in the wild. Do your assessments, evaluate your risks and vulnerabilities, mitigate them as much as possible, build in redundancies where you can, create your DR/BC plans and test them. Then, you have a fighting chance to stave off a real disaster.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
