Top Cybersecurity & Third-Party Risk Management Trends to Follow in 2022

The aftershocks of the disruption created by the coronavirus will be felt for years to come. Almost overnight, we had to completely change the way we do business. The increased focus on third-party risk management (TPRM) arguably represents one of the most significant shifts brought on by this disruption.

As we stand at the beginning of the new year, we expect the focus on third-party risk not only to continue but to amplify. With that in mind, here are our predictions for the top 5 cybersecurity and third-party risk management trends set to dominate 2022 and beyond.

Top Third-Party Risk Management Trends to Follow

1. Vendor Breaches will Continue to Rise

Forrester estimates that 60% of security incidents in 2022 will stem from third parties. Gartner has further predicted that 60% of all organizations will use TPRM assessments as a key factor in everything from partnerships to vendor contracts. Supply chain attacks reportedly rose by 300% last year, and there is no indication that this trend will cease in 2022; vendor breaches will continue to rise.

It's not just the frequency of vendor-targeted attacks that has increased. We have also witnessed a troubling increase in their sophistication. Case in point: last year Microsoft estimated that the SolarWinds attack was so advanced it likely took upwards of a thousand engineers to pull off.

Granted, it was later revealed that the attackers likely need not have resorted to such intricate tactics, since far simpler weaknesses were available to them. The fact remains, however, that attacks of this complexity are now more common than they have ever been. SolarWinds, in other words, was merely the beginning.

We will see additional large-scale vendor attacks, and more incidents in which sophisticated threat actors target supply chains rather than the businesses themselves. Moving forward, companies will need to thoroughly vet who they do business with. And as more real-life cases show breaches affecting valuations and business relationships, we will see the emergence of a landscape where cybersecurity becomes non-negotiable in every business transaction.

2. Vendor Risk and Internal Risk will Become One

Ultimately, what all of this means is that vendor risk and internal risk can no longer be treated as separate processes. The lines between an organization's internal and external ecosystem were already starting to blur in 2019. Since then, they have all but vanished.

In a modern context, there is little functional difference, from an attacker's point of view, between your internal systems, your vendors, and your supply chain: a compromised vendor account or update channel is an entry point into your environment just as much as a compromised workstation is. Vendor risk management therefore needs to be an integral part of your internal risk and compliance program. It is also highly advisable to take a holistic approach to third-party risk, consolidating your TPRM tools with whatever platform you use to manage internal risk.

By keeping all risk data and threat intelligence in a single place, you will have a far better idea of where your organization and its vendors stand at any given time. More importantly, it will provide you with greater visibility than a third-party risk management questionnaire alone can, though such questionnaires will retain their importance.


3. Assessing Vendors Against ESG will Become Standard 

In 2022, environmental, social, and corporate governance (ESG) evaluations will become standard practice. As the global commitment to environmental protection and human rights grows, so does the importance of assessing the vendors you work with for their compliance with ESG requirements. Due diligence will become critical as ESG compliance goes mainstream.

4. Privacy Laws will Take Center Stage

Governments and regulatory bodies have long been aware of the volatile threat landscape facing modern organizations. Yet legislative action tends to move at a glacial pace. That will change in 2022. This will be the year that the law begins to catch up with technology. 

Expect a veritable tsunami of regulatory and legislative changes. National infrastructure is increasingly becoming a target for criminals, and privacy and security have become political topics. As a result, many regions are likely to experience a period of overcorrection and overregulation.

Ultimately, Gartner estimates that by next year, 75% of the world's population will have its personal data covered by at least one modern privacy regulation. It is imperative that you begin laying the groundwork to adapt to that new climate now, starting with a third-party risk management framework.

5. The Rise of the Zero-Day

As criminals continue to expand their tactics, zero-day exploitation is expected to increase sharply. We already saw shades of this in 2021, when exploited zero-day vulnerabilities stood shoulder-to-shoulder with supply chain attacks as one of the most popular initial access vectors for ransomware.

Adjusting to this trend requires businesses to rethink how they operate, building security and resilience into their very foundations. For the most part, decision-makers appear to be aware of this: in 2022, 52% of businesses plan either to research or to pilot zero trust technology.

Alongside the adoption of zero trust, we also expect to see a greater focus on secure software development and lifecycle management. Developers will, by necessity, begin to consider risk at the outset of each new project. This will also drive the adoption of an API-first approach with a security-by-design focus, as businesses seek to eliminate sprawl and reduce complexity across their ecosystems.

Two further developments are worth mentioning, as they will strongly shape the year ahead:

Threat Surfaces to Grow Exponentially Larger

Internet of Things (IoT) devices will continue their rapid growth, with one forecast placing the total number of connected devices at 125 billion by 2030. Given that most connected endpoints are effectively "Swiss cheese" from a security standpoint, businesses are looking at a larger threat landscape than they have ever faced. Even organizations that don't use IoT internally may still be put at risk by distributed work, as employees work from home on networks laden with unsecured smart devices.

This is hardly a new trend. IoT has been growing at a meteoric pace for several years now. And it will continue to gain pace as more businesses and customers accept the convenience offered by hyperconnectivity.

The increased threat surface created by IoT is far from the only concern. We have already seen colossal IoT botnets like Mirai, capable of DDoS attacks devastating enough to knock entire regions offline. Until the IoT sector has widely established and accepted security standards in place, this problem will only get worse, and we will likely see at least one botnet of unprecedented size this year.

Technology Ecosystems That Span the Supply Chain

As endpoints continue to proliferate and supply chains continue to expand, businesses will need an effective means of managing the distribution, security, and risk of their ecosystems. This will eventually culminate in the rise of highly integrated ecosystems. Just as internal risk management gradually became a business-wide initiative last year, so too will integrated risk management become the standard in 2022.

A Promising Road Ahead

Some of the trends emerging in the New Year are troubling. Most, however, point to the fact that we are moving inexorably towards better, more resilient risk management practices, supported by more automation, integration, and cutting-edge tools and platforms to help us get there.

By the end of the year, we will see better regulation, improved development practices, and business leadership treating risk management with the care and respect it deserves.
