How CISOs can stay one step ahead of 2023’s risks, threats and attacks

By Chaim Mazal
Image via Pixabay

December 30, 2022

Most hackers need five hours or less to break into an enterprise environment once they identify a weakness.

It has been reported that about 25% of all data breaches involve phishing and 82% of breaches involve a human element.

And let’s not forget the 13% increase in ransomware breaches in 2022 — more than in the last five years combined.

What will the threat landscape look like in 2023? Will we see more fraudulent SMS, phishing emails, ransomware attempts, breaches and DDoS attacks? Or will we see an increase in nation-state activity or cyberattacks aimed at critical infrastructure systems? And, most importantly, how can organizations bolster their cybersecurity hygiene efforts to stay one step ahead of the hackers, cybercriminals, and bad actors? Here’s what chief information security officers (CISOs) can expect in the coming year.

1. Hackers will get creative to exploit the human element.

Hackers always look for the weakest link. During the past year, we have seen more unique attacks focused on bypassing the weakest link within standardized security controls: the human element. Many of these security incidents were related to multi-factor authentication (MFA) spamming, in which MFA requests were repeatedly sent to people until a link was clicked. Meanwhile, cybercriminals have unleashed social engineering attacks aimed at major Fortune 500 companies. During these attacks, an individual impersonates a customer and calls the company’s support desk. In the process, the attacker obtains account access. The absence of organization-level security controls around that support process served as the attacker’s entry point, allowing them to gain a foothold in these environments.

We will continue to see attackers get more creative in their pursuits. Many of the security controls security leaders put in place earlier are at risk of being bypassed due to human error. How do we secure the security controls? For one, basic IT hygiene is a must. Beyond that, it’s basic hygiene at a people, process and procedural level. Work to build a proactive cybersecurity culture in which you document all ongoing processes — basically, all the validation steps that ensure you properly identify and authenticate a person’s identity, information and account ownership.
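The MFA spamming pattern described above is detectable from ordinary authentication logs: a burst of push prompts to one user in a short window, followed (or not) by an approval. The following detection routine is an added example, not code from the article or its author; the `user=... event=...` log format is constructed for the example and stands in for whatever fields a real identity provider exposes.

```python
# Added example (not from the article): flag MFA push-fatigue, i.e. repeated push
# prompts to one user in a short window, and whether an approval followed.
# The "user=... event=..." log format below is constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-01-05T08:00:01 user=alice event=push_sent
2023-01-05T08:00:05 user=alice event=push_denied
2023-01-05T08:00:40 user=alice event=push_sent
2023-01-05T08:00:44 user=alice event=push_denied
2023-01-05T08:01:30 user=alice event=push_sent
2023-01-05T08:01:33 user=alice event=push_denied
2023-01-05T08:02:10 user=alice event=push_sent
2023-01-05T08:02:25 user=alice event=push_approved
2023-01-05T09:15:00 user=bob event=push_sent
2023-01-05T09:15:08 user=bob event=push_approved
2023-01-05T10:00:00 user=carol event=push_sent
2023-01-05T10:20:00 user=carol event=push_sent
2023-01-05T10:45:00 user=carol event=push_sent
2023-01-05T11:00:00 user=dave event=push_sent
2023-01-05T11:01:00 user=dave event=push_sent
2023-01-05T11:03:00 user=dave event=push_sent
2023-01-05T11:03:05 user=dave event=push_denied
"""

def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["event"]

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: {"start", "prompts", "approved"}} for users who received at
    least `threshold` push prompts within `window`. "approved" records whether a
    prompt was accepted during or shortly after the burst (the attacker's win)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ev = parse_line(line)
            events[user].append((ts, ev))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(sends):
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1] + window
                approved = any(ev == "push_approved" and start <= ts <= end
                               for ts, ev in evs)
                alerts[user] = {"start": start, "prompts": len(burst), "approved": approved}
                break  # one alert per user is enough for triage
    return alerts
```

On the sample log, alice (four prompts, then an approval) and dave (three prompts, all refused) are flagged, while bob's single prompt and carol's prompts spread over 45 minutes are not; an alert with `approved` set to true is the one that needs a session reset and credential review first.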

2. It will be business as usual as attackers keep up their phishing, ransomware and fake SMS attempts. Meanwhile, the risk of infrastructure attacks remains.

Organizations should continue to identify and prioritize risks related to fraudulent SMS, phishing emails, ransomware attempts, breaches, distributed denial-of-service (DDoS) attacks, and fake landing pages. Financially motivated cybercriminals will concentrate on corporate entities, where they will try to extract personally identifiable information (PII) or customer payment card information.

As for potential nation-state activity, we may see fewer attacks geared toward monetary incentives and more attempts to disrupt specific services or networks — and these include DDoS attacks. Attackers could aim potential "strategic viability" attacks against critical infrastructure systems. Think oil pipelines, power generation, rail systems, electricity production or industrial manufacturing. There is still the possibility that key government or corporate services could be targeted — something tied to global tensions.

3. Organizations that continually update their risk register will win — as will those that achieve basic IT hygiene.

An organization’s risk register should serve as a "what if" manual that outlines current and potential security risks and how they could impact the organization. In the coming year, organizational risk registers should zero in on standardized implementation of security controls across all assets. Major breaches can occur due to a lack of basic process around identity and access management or inadequate implementation of detection and response capabilities (whether on a server, an endpoint or an end user’s machine).

Smart organizations will double down on best practices, perform “gap analyses” and continue to populate their risk register. Basically, the more coverage (and fewer cracks) an organization has, the lower the probability of negative outcomes. This involves maintaining a running asset inventory across your organization and mapping this inventory against security controls. Meanwhile, build out project plans for a continuous rollout that closes the gaps. Think patch management, standardized configurations across servers, and a rigorous process for building, deploying and maintaining new software. Remember that basic IT hygiene is 99% of the game.

On the topic of regulations, compliance initiatives, frameworks and mandates (GDPR, FIPS, ISO 27001, SOC, FedRAMP, and more), the ever-changing global data protection landscape includes country-, region-, and state-specific mandates, such as the California Consumer Privacy Act (CCPA) and Brazil's General Data Protection Law. Look for the highest common compliance denominator across various regulations and align data privacy efforts to that.

4. CISOs now have a seat at the C-level table — and they will stay there.

When it comes to cybersecurity, executive-level engagement is a must. That means the CISOs must take a seat at the C-level table (if they haven’t already) and stay there. Recently, with the Joseph Sullivan/Uber case, we saw the first criminal conviction of a CISO/CSO for failure to effectively disclose a breach. To prevent miscommunication and promote total transparency, any CISO who does not report directly to the CEO should demand that they do — immediately. To set themselves up for success, they should also ensure that the general counsel at their organization is in their “peer set.”

At the C-level table, the CISO can also (continuously) champion the risk register to ensure they receive needed resources to remediate and reduce risk on an ongoing basis. Not to mention executive buy-in for the appropriate resources to resolve high-priority items. Keep in mind that new threats, risks and updates will always populate your risk register. It is critical to actively work to remediate against this list; this prevents risks from escalating and becoming more complicated.

5. Organizations will tear down the wall between IT and cybersecurity.

Traditionally, IT and cybersecurity teams within an organization pursued their own agendas. Cybersecurity secured the company and its users, while IT ensured that the organization’s technology worked as it should. We will soon see more security and IT teams working more closely together, reducing the gap between identifying and addressing issues.

We are already starting to see IT admins joining the security team, as today’s global, decentralized workplace has broadened IT’s responsibilities within the enterprise. IT admins have become a key part of the security organization, with 34% of Fortune 500 companies rolling the IT department into the CISO’s purview in 2021. This percentage was close to 80% in startups and emerging technology companies. As more enterprise companies follow the lead of modern SaaS and technology organizations, the next task will be creating (and using) the best tooling to bridge the gap between these two core competencies.

6. Zero trust is a must — but it will take organizations a few years to get there. 

Security teams have been talking about the zero-trust cybersecurity approach for a few years. It used to be "trust, but verify." The new zero trust — in a workplace filled with multiple teams, multiple devices and multiple locations — is "check, check again, then trust in order to verify." Basically, organizations must validate every single device, every single transaction, every single time — at all times.

Only 6% of enterprise organizations have fully implemented zero trust, according to a 2022 Forrester Research study. The complex and disparate workplace environments that are so common now make it difficult to adopt zero trust — at least all at once. This does not mean organizations are not slowly rolling out zero trust across their environments and assets. As we all continue to embark on the zero trust journey, we will see new solutions for the complex problems companies are experiencing on premises and in public and private clouds.

As we enter 2023, organizations will still play a cat-and-mouse game with hackers, attackers and bad actors. But if you master basic IT (and security) hygiene, update and communicate your risk register, and work steadily toward a zero-trust security model, you’ll be one step ahead of most other organizations — and hopefully two steps ahead of the hackers!

KEYWORDS: Chief Information Security Officer (CISO) cyber hygiene cyber security awareness hacker risk and resilience zero trust

Chaim Mazal is SVP of Technology and CISO at Kandji.
Copyright ©2025. All Rights Reserved BNP Media.