I recently attended a webinar presentation about cybersecurity trends in 2022 and predictions for 2023¹ as part of my continuing education in my role as a security professional. The trends and predictions discussed, while not surprising, are a strong reminder to level up our New Year’s Resolutions for cybersecurity.
More of the Same in 2022
This past year we saw an increase not only in hacktivism and targeted cyberattacks, but also in the laws, regulations, and cyber insurance activity that followed in response.
Hacktivism, the use of hacking techniques as a form of civil disobedience to promote a political agenda or social change, rose significantly, with criminal organizations using digital disruption to protest socio-political issues.
Social media became a frequent attack vector with compromised brands and celebrity data at the root of many successful fraud campaigns.
Targeted attacks (ransomware, double extortion, supply chain attacks, mobile/IoT attacks, AI-supported cybercrime, and phishing) increased by 40%, and DDoS attacks increased by 203%. A recurring pattern behind these incidents is internally stored data that was never encrypted at rest: once exfiltrated, it is simply ransomed back to the organization. The most impersonated brand in social engineering attacks this past year was DHL, with FedEx coming in third.
Laws and Regulations
As cybersecurity became the talk of lawmakers and business organizations alike, over 40 state-level cybersecurity bills were adopted in 2022, in addition to new laws such as SACA, CIRCIA, DORA, and the Better Cybercrime Metrics Act, and an emerging focus on "local" cybersecurity.
This past year, cyber insurance premiums increased by almost 80%, coverage became harder to find, and the requirements to qualify grew more stringent. As we head into 2023, we can expect cyber insurance to be part of every security discussion, particularly around organizational resilience and business continuity management.
What’s in store for 2023?
1. Hacktivism and Geo-Political Landscape
2023 will bring continued conflict in the fifth domain. U.S. military operations are divided into "domains": land, sea, air, and (outer) space, with cyberspace added as the fifth.
The current economic downturn is expected to widen the scope and change the nature of attacks, with lures built around the emotional pull of current events: government assistance programs, loans and lending, and job recruitment aimed at people affected by layoffs.
Cybercrime also increases during recessions. For example, as organizations cut security corners to curb spending during the Great Recession, internet fraud escalated by 33%. At the same time, operationalized information sharing expanded, and coordinated responses from public and private collaboration began to improve.
2. Expanded Attack Targets
By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains (Gartner).
Ransomware will continue to be used with more IoT targets, response-based phishing, and complex vishing. Other platforms like social media, SMS messaging, and search engine ads will be used to carry out cyberattacks in addition to email.
Attacks that undermine the integrity of Multi-Factor Authentication (MFA) include SIM swapping, which defeats SMS-delivered one-time codes by moving the victim's phone number to an attacker-controlled SIM, and impersonation attacks that trick users or help desks into approving or resetting a second factor. This comes just when we thought MFA was the end-all solution for protecting your institution against authentication-related breaches.
Additionally, financial sector attacks are moving downstream to crypto companies, insurance providers, and regional/small businesses. And while security hardening and defenses are good, people are still the soft targets.
As attack targets expand, social engineering awareness is imperative and should be refreshed continually. So, what can you do? Improved attack responses include:
- Hardened security controls
- Additional funds to implement security solutions like managed services, vulnerability scanning, and penetration testing
- Following through on your vulnerability scans and penetration tests
- More comprehensive vendor evaluations
- Taking an offensive security posture: assume you will be breached, and find and fix security weaknesses before an attacker turns them into serious impact
- Ongoing education and training to improve employee vigilance
- Taking a data-centric approach by focusing on managing, monitoring, and protecting critical data and using the data you gather to reduce your risk
- Testing your business continuity, incident response, and disaster recovery plans frequently
3. Legal and Regulatory
A more complicated regulatory landscape creates the potential for regulation confusion.
Violations will continue to increase as greater interaction in the digital space makes room for even more mistakes. Negligent data loss has risen steadily, by about 20% each year, and Gartner estimates that 75% of the world's population will have its personal data covered by privacy regulations in 2023.
Furthermore, cybersecurity will remain a top priority, with more global laws and guidance than ever before, covering data privacy, ransomware payments, long-term preparation, and more. CISA also published its Strategic Plan for 2023-2025² addressing "ambitious goals" including protecting cyberspace, strengthening the resilience of our critical infrastructure, and strengthening national collaboration and information sharing.
Additionally, the DoD released its Zero Trust Strategy and Roadmap,³ which addresses the need to protect against cyber threats and attacks. Separately, an October executive order established the Data Protection Review Court⁴ within the Department of Justice to review complaints from EU individuals about U.S. access to personal data transferred under the new EU-U.S. Data Privacy Framework.
What should you do? Respond to the most stringent regulations first. “Pick the ugliest regulation and you will most likely comply with the rest.” Furthermore, you should establish solid business partnerships, outsource compliance management where necessary, and increase vendor vetting.
4. Cyber Insurance
This is the fastest-growing insurance segment.
Having cyber insurance is becoming a competitive advantage, so customers will increasingly expect their vendors to carry a policy. At the same time, rising losses for insurers may mean fewer carriers, reduced payouts, more disputes, and a far more demanding pre-audit and renewal process.
Insurers are also expected to bundle cybersecurity services, for example by acquiring MDR providers and MSPs, and some cyber insurance policy questionnaires already ask whether specific security technologies (by brand) are in place.
It's Time to Level Up
What should you do? Cybersecurity threats will always persist, but the new year is full of exciting opportunities. Take advantage of these important resources to help you level up in 2023:
- Effective cybersecurity allies (BoD members and third-party trusted advisors)
- Reasonable maturity models
- Balance of proactive and reactive tools
- Advanced solutions
- Better standards and best practices
- Prioritization of cybersecurity initiatives
- Increased awareness and visibility
How should you fight back? Your response will depend on the type of attack, so it’s important to anticipate the attack and prepare to respond and recover in a timely manner. Furthermore, you can best equip yourself to fight back through partnerships with peers or intelligence sharing organizations, managed service providers, and first responders.
How do you balance spending with risk reduction? Take a “crawl, walk, run” approach to security. Use everything you buy and buy everything you will use. Have a roadmap and stick to it. Get the biggest bang for your dollar, be pragmatic, and incorporate your risk appetite and assessment results into your strategic planning.
How do you start to protect your environment? Perform a risk assessment that includes data discovery, involve both IT and the business (talk to the business), and examine your business practices and processes. Understand your options, do thorough research, and talk to your partners. When all else fails, take a data-centric approach: start with access controls and build from there.