As you build your cybersecurity resilience planning, priorities and roadmap for the year ahead, security and risk experts offer the following cybersecurity predictions for 2023.
1. Demand for cyber insurance is going to increase, but it's going to become harder to get, by Jon France, CISO at (ISC)²
“Cybersecurity awareness has its benefits and drawbacks…one of those drawbacks is higher premiums for cyber insurance. In Q1 2022 alone, premiums for cyber insurance rose nearly 28% compared with Q4 2021. This is largely due to heightened awareness of the financial and reputational risks of cyber incidents such as ransomware attacks, data breaches, vulnerability exploitation and more. At the same time, underwriters are also making requirements for obtaining cyber insurance much more strict, requiring things like two-factor authentication and the adoption of specific technologies like EDR, XDR and more. In fact, these documents used to be two-page questionnaires…now they're full audits and 12+ pages long. So, increasing cyber insurance premiums and stricter requirements to obtain insurance will be interesting hurdles to watch in 2023.
On the flip side, we will likely also see an increase in demand stemming from the rising incidence of supply chain issues. Because of these issues, companies will likely start requiring more and more that any vendor or third party they work with must have cyber insurance. As we're already starting to see, with geopolitical issues spilling out across borders, in addition to the cyber threats companies are constantly facing, companies are going to prioritize protecting their most critical assets (including their reputation). In 2023, demand for cyber insurance will continue to increase, as will prices and requirements for obtaining these policies.”
2. The recession will cause a reduction in spending on training programs
“Despite the idea that cybersecurity may be a recession-proof industry, it's likely that personnel and quality will take a hit during the economic downturn. We're not seeing core budgets for cybersecurity being cut as of now, but the more 'discretionary' areas, such as training budgets, are likely to see scalebacks. This goes for both security awareness training at companies of all sizes and training cybersecurity professionals on how to adequately protect their critical assets. The industry is already facing a skills shortage, and unfortunately, we're likely to see that skills shortage worsen as the recession takes hold in 2023 due to the increased demand for skilled cybersecurity workers.”
3. 2023 will be a tumultuous year as competing privacy regulations are passed at the state and local level, by Drew Perry, VP of Information Security & CISO at Serta Simmons Bedding
“Information privacy will continue to grow in visibility and execution, but the charge will be led by various regional regulations that don’t always align with each other. CISOs will play an even greater advisory role to organizational risk as they are asked to help navigate often competing privacy rules to enable businesses to operate as close to historical norms as possible. Wise organizations won’t pull any punches when it comes to protecting the bottom line, so CISOs should expect to be brought into conversations that previously didn’t look for their input. The CISOs comfortable in walking those paths will be sought after for the next several years.”
4. Security leaders will increase their focus on cyber resilience, by Michael Adams, CISO, Zoom:
“While protecting organizations against cyber threats will always be a core focus area for security programs, we can expect an increased focus on cyber resilience, which expands beyond protection to include recovery and continuity in the event of a cyber incident. It's not only investing resources in protecting against cyber threats; it's investing in the people, processes, and technology to mitigate the impact and continue operations in the event of a cyber incident.”
5. Automation & Security Operations, by Michael Mumcuoglu, CEO and co-founder at CardinalOps:
“In 2023, we'll see automation move into the few remaining areas of Security Operations that are still dependent on manual processes. These areas include threat exposure management, which helps holistically address questions such as “How prepared are we to detect and respond to the adversaries most likely to target our organization?” Another area that will become more automated is detection engineering, which is still highly dependent on specialized expertise and tribal knowledge. Automation will not only reduce the risk for these organizations, it will also free SOC personnel from mundane tasks so they can focus on more interesting challenges that truly require human creativity and innovation, such as threat hunting and understanding new and novel attack behaviors.”
6. A rise in cloud native breaches, by Shira Shamban, CEO at Solvo:
“Not only will we see a rise in security incidents overall, but specifically, a rise in cloud native breaches. According to 2022 research, nearly half of all data breaches occurred in the cloud. As companies continue to migrate parts or entire infrastructures to the cloud, we will see an increase in the amount of data and crown jewels stored in the cloud, leading to more opportunities for cloud-native security incidents. Applications must be built in a way where third parties can be trusted. Because this supply chain isn’t secure, hacking in the cloud holds a lot of growing value in the eyes of cyber attackers.”
7. Quantum Decryption, by Bryan Cunningham, Advisory Council Member at Theon Technology:
“Every organization will be wrestling with quantum decryption capabilities by the end of 2023. While awareness of the future (no one knows when) threat of quantum decryption has increased in 2022, by the end of 2023, all organizations will become aware that they will have to confront this threat.”
8. Cybersecurity training, by Mika Aalto, Co-Founder and CEO at Hoxhunt:
“In 2023, we will see continued advances in cybersecurity training. Humans didn’t evolve to spot dangers in the digital world. The school system doesn’t teach them defense against the dark arts of cyber-attack. It’s on us. Human risk is an organizational problem. Equipping our people with the skills to stay safe from phishing attacks is our responsibility.
Automation, adaptive learning, and artificial intelligence/machine learning can help deliver personalized training at scale. Why is that important? Because people need to participate frequently with relevant training that stays at the edge of their skill level in order to improve and stay engaged. A long, dry video followed by a punishment-based phishing simulation has been proven not to work. Fixating on failure leads to failure. Rewarding people as they acquire skills in a dynamic learning environment confers measurable improvement. This approach broadly describes gamification, whose demonstrated success is grounded in established principles of behavioral science and business and will be key to protecting organizations of all sizes in the year ahead.”
9. The Professionalization of Bad Actors, by Ratan Tipirneni, President & CEO at Tigera:
“The increasing availability of Ransomware-as-a-Service, a model which offers bad actors sophisticated vulnerability distribution while simultaneously isolating them from the risks of the trade, will lead to a worsening security situation for unprepared enterprises. The combined effect of readily available threats and poorly secured deployments will surely lead to high-profile breaches. In an ideal world, these breaches will finally get enterprises to go beyond the baseline regulations and make security a foundational effort.”
10. The Cyber Basics – Cyber Hygiene and Awareness, by Joseph Carson, chief security scientist and Advisory CISO at Delinea:
“The need to become a cybersecurity society will see an increase in getting the basics right. This means that cyber hygiene and awareness will be a top priority in 2023. With more organizations looking to obtain cyber insurance as a financial safety net to protect their businesses from serious financial exposure resulting from data breaches and ransomware attacks, the need to get a solid cyber strategy in place will be mandated to get insurance. The days of “cheap and easy” are over.
This means getting back to the basics in 2023 to level up cybersecurity baselines. Ongoing remote work and cloud transformation mean that a strong access management strategy will be needed to be supported by multifactor authentication, password management and continuous verification to reduce the risks.
In addition to implementing better access security controls, employers will need to empower workers with better cybersecurity awareness. This means ongoing training and education to ensure that as threats evolve, employees are informed and ready to be strong defenders in cyber strategies.”
11. Mobile Workplace Trends Will Create New Blind Spots for Enterprises, by Patrick Harr, CEO at SlashNext:
“Personal communication channels (gaming, LinkedIn, WhatsApp, Signal, Snapchat, etc.) will play a much bigger role in the attack paths that bad actors engineer to target businesses. Once an individual user is compromised, the bad guys can move laterally to get to the business. And because email has at least some protections in place today, cybercriminals are turning more attention to these other communications channels instead and seeing much higher success rates.
The biggest gaps in security postures come from the personal data of employees in the newly hybrid workforce. These blind spots are becoming more readily apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, and Facebook Messenger to perpetrate an attack. Then it just becomes a matter of penetrating laterally through the organization from their external foothold.
Also, more people are working on the same device for their business tasks and their personal life at the same time now, which is a significant blind spot. I only see that trend accelerating in this coming year. It all comes back to: how do I validate that you really are the person whom I am communicating with? Or is this the trusted file or corporate website link that I assumed it was?
The single biggest threat to any company is not machine security anymore – it is truly the human security factor. That is why these attacks on humans will continue to increase because humans are fallible and they get distracted, and many threats are not easily identified as malicious.”
12. Connected Devices Will Require More Robust Security, by Darren Guccione, CEO and Co-Founder at Keeper Security:
“The number of connected IoT devices has been rising for years, with no signs of slowing down. In the past three years, the number of IoT devices increased exponentially, due to accelerated digital transformation from COVID-19 and the proliferation of cloud-based computing. In 2022, the market for IoT is expected to grow by 18% to 14.4 billion active connections. As more consumers and businesses rely on connected devices, these connected solutions become more vulnerable to cyberattacks. With this, the billions of devices shipped by original equipment manufacturers (OEMs) will require greater out-of-the-box security to mitigate the risk of malware intrusions and their contribution to Distributed Denial of Service (DDoS) attacks. To prevent and mitigate devastating attacks, manufacturers and suppliers of OEMs must design security within the devices, embedding it in every layer of a connected device.”
13. Data visibility & Compliance, by Dan Benjamin, CEO and co-founder at Dig Security:
“In 2023, CISOs will prioritize adopting solutions that provide visibility into the data their organization holds, where it lives, and the risks imposed by that data. This visibility is critical for security leaders as they build programs to meet compliance requirements in a highly regulated world, and secure data in an increasingly challenging threat landscape.”
14. Supply Chain Security, by Caitlin Johanson, Vice President, Coalfire:
“In 2022, the U.S. in particular faced risks and vulnerabilities from B2B and B2C technologies that are created, developed and run from countries abroad – the perfect example being TikTok, a Chinese cloud software. It started to raise many questions surrounding where code and applications are coming from, what data is being put into these applications and what is the sovereignty of this data. In 2023, we will begin to see more scrutiny around where developers are and where code is coming from and more organizations focusing on software composition analysis and secure code development (application security). Basically, questioning each component of our nation’s supply chain. COVID brought into question where our supply chain is in general, and this year, we will start to see more of a focus on the security risks associated with our supply chain feeding into software development from abroad.”
15. The ICS/OT Skills Gap will Widen Due to Unprecedented Demand, by Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence
“Research has shown that the vast majority of electricity, oil and gas, and manufacturing firms have experienced cyber attacks over the past year and a half or so. Research has also shown that the cybersecurity workforce gap is growing due to high demand for skilled professionals. In addition to the intense threats against critical infrastructure systems that have been prevalent for years, as the Biden Administration’s new 100-day sprints across sectors and more regulations are released, more specialized professionals are needed to keep up. Additionally, many organizations currently lack staff with the ability to successfully integrate security practices and rigor across IT and OT departments, which is gaining significance and importance with the rise of Industry 4.0 in 2023.”
16. The metaverse could be the next big thing, but let’s be realistic, by Rick McElroy, Principal Cyber Security Strategist, VMware
“The metaverse has a relatively unknown future given its adoption is still in its infancy, but enterprises are still rushing it to market faster than the security community is comfortable with. We’re already seeing instances of identity theft and deepfake attacks in the current version of our digital world, in which bad actors prey on executives to make wire transfers of hundreds of thousands of dollars outside of a company. What’s not to say there won’t be an uptick in similar scams inside of the metaverse virtual reality? As we start to look ahead to 2023, businesses will need to be careful and considered in their approach to delivering this nascent technology. Dragging passwords into the metaverse is a recipe for breaches. But if we’re thoughtful about the controls put in place to identify users and deploy continual authentication – leveraging different factors such as biometrics and closely monitoring user behavior – it’ll help to alleviate those security concerns around the metaverse.”
17. Cyber risk management will be a top priority for business leaders, by Karen Worstell, Senior Cybersecurity Strategist, VMware
“When it comes to the governance and oversight of cyber risk, our system is broken. It’s no longer what it used to be fifteen years ago - we are dealing with higher stakes and fragile corporate reputations. As a result of this, in 2023, we will see companies double down on cyber risk management. Boards will need to have a much clearer role and responsibility when it comes to the process of ensuring adequate controls and reporting cyberattacks. Cyber risk governance is not just the domain of the CISO; it is now clearly a Director and Officer level concern. When it comes to cyber, plausible deniability is dead.”
18. In 2023, sophisticated firmware attacks will become more widespread, and cybercriminals will continue to invest in attacks that leverage physical access to endpoint devices, by Boris Balacheff, Chief Technologist for System Security Research and Innovation, HP Inc.
“In 2023, organizations should take control of firmware security. Once, firmware attacks were only used by sophisticated APT (Advanced Persistent Threat) groups and nation states. But over the last year, we’ve seen signs of increased development and trading of capabilities in the cybercrime community – from tools to hack BIOS passwords, to rootkits and trojans targeting device BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface). We now see firmware rootkits advertised for a few thousand dollars on cybercrime marketplaces.
Affordable prices for sophisticated attack capabilities go hand in hand with growing demand. We should expect to see more listings of this kind on sale in the cybercrime underground, and in turn more firmware attacks.
Access to the firmware level enables attackers to gain persistent control and hide below the device Operating System, making them very hard to detect – let alone remove and take back control. Organizations should ensure they understand industry best practice and standards in device hardware and firmware security. They should also understand and evaluate the state of the art technology that is available to protect, detect, and recover from such attacks.”