Updated 12.23.22. It's the last month of 2022, and so we’ve rounded up expert predictions and commentary on the trends the cybersecurity sector may expect next year. Sit back and enjoy the long read.
Cybersecurity predictions for 2023.
Experts anticipate that 2023 will bring more evolved ransomware, a push toward stronger cybersecurity within organizations, and many other trends, some extrapolated, others novel.
Geopolitics will continue to play a part in cyberattacks.
MIT Technology Review expects cyber operations against Ukraine by Russian government-affiliated hacker groups to continue; Russia has hit Ukrainian targets with wiper malware at least six times this year. Forbes expects businesses with no government affiliation to become targets of state-sponsored attackers as well. Attacks on infrastructure are expected, and disinformation campaigns are anticipated, as over 70 countries are due to hold elections next year.
Miles Hutchinson, CISO at Jumio, expects more governments to put third-party hackers on their payroll to target other nations:
“Following the start of the Russia-Ukraine war, we’ve seen a significant rise in hacktivism, and it’s likely these attacks will further evolve in 2023. Researchers found that out of a total of 57,116 DDoS attacks discovered in Q3 2022, the majority seemed to be politically motivated. In the coming year, we can expect to see military groups around the world increasingly rely on expert hackers to attack other nations’ critical infrastructure and private business operations. To defend themselves against politically motivated cyberattacks, both government agencies and private sector organizations will need to deploy robust network defense tools that can detect suspicious activity and vulnerabilities.”
David Mahdi, CSO and CISO Advisor at Sectigo, says that geopolitical conflict will still be prominent in 2023:
“With geo-political unrest in some of the most powerful cyber nations today, cybersecurity infrastructure is at stake. Nation-state-backed actors are threatening critical national infrastructure and cyber disruption. Given this situation and the ongoing war in Ukraine, these kinds of tactics are to be expected. The “saber-rattling” of nation-states will continue in 2023 to the detriment of governments’ and enterprises’ cybersecurity resilience.
“The next few months will be indicative of what the threat landscape will look like in 2023. Currently, we are still in the position that nation-states, if they wish to, have the capabilities to take down massive critical national infrastructure, such as the NHS. However, given the optics of this, it is unlikely that they would ever launch such a high-profile attack themselves. Instead, it is more likely that a state would sponsor threat actor groups to conduct illicit activities on their behalf. This is what we have witnessed this year with the mass emergence of hacking gangs launching attacks on national critical infrastructure on behalf of a nation-state. It is likely this pattern will continue in the coming months, a trend that will only accelerate in 2023.”
Asaf Kochan, Co-Founder of Sentra, believes that cyberattacks will focus on economic disruption:
“We’re entering 2023 during a period of tremendous global tension and economic uncertainty. If the past few years have been defined by ransomware attacks from organized hacking groups, we are now entering an era in which an increasing number of threats will come from state-sponsored actors seeking to disarm global economies. This poses a direct threat to specific sectors, including energy, shipping, financial services and chip manufacturing. These attacks won’t stop at stealing IP or asking for ransom. Instead, they will focus on proper disruption — compromising or shutting down critical operations on a national scale.”
Laurence Pitt, Director of Product at Searchlight Security, says we may observe more ransomware gangs moving to cybercriminal-friendly nations, such as Russia:
“Russian ransomware gangs already include some of the biggest and most active names and in 2023 we might see more groups move there, attracted by the protection perceived to be on offer in Russia.
"It's an attractive location for cybercriminal gangs of all types because local law enforcement tend to turn a blind eye to any activities and will not cooperate with international investigations, as long as they do not target Russian businesses or the government. Russian gangs are also positioned well for launching disruptive attacks, for example, around an election.
"This freedom will be attractive to groups who see their Russian counterparts more ably promote their activities. However, migration is more likely driven by increased coordinated law enforcement efforts in Europe and the U.S., making it riskier for ransomware operators to live in “friendly” nations.
"More groups within Russia’s borders will create a competitive and potentially aggressive market for ransomware, but more worryingly, it will also allow gangs to hide away deeper and make themselves harder to find.”
Fred Rivain, CTO of Dashlane, predicts that geopolitics will drive cybersecurity to become a key policy objective for governments:
"Amid geopolitical uncertainty and the impact of the impending economic crisis, cybercriminals are seeing ripe opportunities to prey on the public’s stress, fear, and concern. As climate change becomes more of a reality and policymakers’ agendas expand, cybersecurity cannot be a risk that the public sphere ignores. Policymakers around the world have gained increased interest in securing the software supply chain following high-profile attacks like SolarWinds, LAPSUS$, and Log4Shell, as evidenced by the Biden administration’s Executive Order 14028 and the Securing Open Source Software Act, as well as France’s investment around Cyber Campuses. As governments recognize the need to enhance their own security competencies, I predict we’ll see a larger focus on cybersecurity in the public sector."
Chris Gray, AVP, Security Strategy at Deepwatch, predicts increases in nation-state cyber conflict:
"Nation state cyber warfare will become more openly prevalent. The Russia-Ukraine conflict has taken away much of the 'cloak and dagger' aspects of this area, and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase the levels of chaos due to service interruption will increasingly grow over former levels."
Alex Iftimie, of the Morrison Foerster Privacy + Data Security team, predicts continued Russian-based cyberattacks in the next year:
"I expect to see a resurgence in Russian-based cyber-attacks in 2023. As Russia continues to take losses on the battlefield, they will increasingly rely on nontraditional tactics like cyber-attacks, including against Western countries. These attacks will also come from nonstate actors who are reeling from Western sanctions and who continue to view Russia as a permissive environment for their activities."
Patrick Harr, CEO of Slashnext, says that cyberattacks from nation-states are accelerating and adding a dangerous new element to the security landscape:
"We see a growing concern from Russian state actors as they become more desperate in their ongoing war against Ukraine. They will likely try to inflict greater pain, so the best security strategy is to reinforce the protection of the most critical infrastructure against attacks.
"However, the biggest U.S. nation-state cyberattack threat comes from China, which has set a goal to dominate 20 major global industries. The fastest way to achieve that goal is through cyber espionage to gain access to intellectual property, chip designs, healthcare information, and more. That is absolutely something we must pay attention to."
Matthew Fulmer, Manager of Cyber Intelligence Engineering at Deep Instinct, predicts that the Russia/Ukraine cyber war will breed more protestware:
"Not surprisingly, the cyber war between Russia and Ukraine is going to continue to escalate. However, the tactics, techniques, and procedures (TTPs) used in these attacks are unlikely to change, rather they’ll just grow in frequency. One prime example of this trend is the increase of protestware, such as the node-ipc wiper, a popular NPM package. Defined as self-sabotaging one’s software and weaponizing it with malware capabilities in an effort to harm all or some of its users, the sheer amount of protestware has already seen a huge surge during this cyber war and it’ll only continue to grow."
Fleming Shi, CTO at Barracuda, predicts that wiperware stemming from geopolitical tensions will spill into other countries:
"Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure. The frequency has dramatically increased as we saw WhisperGate, Caddy Wiper, HermeticWiper, and others hitting the news since the war broke out. Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. In addition, in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue; and hacktivism by non-state actors seeking additional measures to exploit victims. To ensure business continuity despite an attack, it’s imperative for organizations to focus on full-system recovery that provides operability of the entire system instead of just data. For example, a speedy restore of the virtual version of a targeted physical system will dramatically improve the resiliency of your business against wiperware or other destructive malware attacks."
Ransomware will continue to be an issue.
Ransomware attacks reached a new high this year, and the trend is expected to continue into 2023, says Allan Liska, intelligence analyst at Recorded Future, as reported by MIT Technology Review. Liska also notes signs that Ransomware-as-a-Service (RaaS) may be diminishing, given what has happened to gangs that grew too big: REvil, DarkSide/BlackMatter, Conti and LockBit have all been hit by arrests, leaks or shutdowns. Forbes cites an Accenture study finding that threat actors are using more aggressive, high-pressure tactics, including double and triple extortion. Insurance Business Mag reports that Sophos' 2023 Threat Report takes the opposite view, anticipating more RaaS offerings alongside other as-a-service offerings.
Tony Jarvis, Director of Enterprise Security, APJ, Darktrace, says that ransomware may be seen targeting third-party cloud providers, Security Brief Australia reports. "These third-party supply chains offer those with criminal intent more places to hide and targeting cloud providers instead of a single organisation gives attackers more bang for their buck," says Jarvis. "Attackers may even get creative by threatening third-party cloud providers."
Andrew Hollister, CISO at LogRhythm, says that he believes that ransomware operators will primarily move to file corruption instead of encryption:
“Ransomware has been an attack vector in continual development over the years and is perhaps the one common threat that keeps all CISOs awake at night. In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up. Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data. Therefore, the importance of backing up critical business data has never been higher.”
Josh Bartolomie, Vice President of Global Threat Services at Cofense, believes that Russian threat actors will focus on ransomware efforts against Ukraine:
“As the conflict between Russia and Ukraine continues, we will see Russian threat actors double down on ransomware efforts as physical, on-the-ground tactics see little return. To make an even greater impact, threat actors will target countries that support Ukraine to ‘punish’ their allegiance to the country, targeting critical infrastructure like healthcare and energy.”
Claire Tills, senior research engineer at Tenable, says that extortion will be an issue in 2023:
“Extortion will be an increasingly disruptive force to enterprises in all industries in 2023. In the past year, we’ve seen threat actors of all motivations moving to extortion-only attacks and forgoing the more complex tactics like data-encrypting malware (ransomware). The notoriety and success of extortion groups like Lapsus$ means that other groups will continue to mimic their tactics.”
Mike Wiacek, CEO at Stairwell, says that the flashiest activity shouldn’t be the focus, but the real risk that ransomware and attacks exploit:
“Cybersecurity teams need to focus not on the flashiest ransomware activity, but on the real risk likelihood from issues that ransomware and other attacks exploit. Attackers will continue to find novel approaches for infiltrating organizations – and malware may not always be what it appears to be. (What looks like ransomware may actually be designed for data destruction, for example). To combat any potential risk, teams should be aware of adversaries, their TTPs, their weaknesses, and how the adversaries could be planning to take advantage of them. Security teams need to see around corners and have supplementary knowledge about activity within their systems to identify and correct weaknesses in real time.”
Mario Espinoza, CPO of Illumio, says that small and mid-sized businesses will be a bigger target in the coming year:
"Wishful thinking won’t slow ransomware down or protect against it – in fact, it will continue to grow in frequency and severity in 2023. Large organizations frequently have the resources and manpower to mitigate simple and sophisticated attacks. Small and mid-sized enterprises often operate with fewer security resources, and attackers know that. In the coming year, we’ll see more targeted ransomware gangs go after smaller enterprises that have vulnerabilities they can easily exploit."
W. Curtis Preston, Chief Technical Evangelist at Druva, believes that ransomware will continue to be the primary issue at hand for IT teams:
"Ransomware won’t go away in 2023; if anything, it will only get worse. To prepare, IT teams will need backup solutions that not only protect their data, but provide centralized and actionable insights on their organization’s security posture across distributed backup data and systems. Out-of-the-box capabilities that allow IT and security teams to easily understand their data security posture, observe backup changes without analyst time or new integrations, and drill into the dashboards and alerts unique to their deployments will be a key area of focus. By simplifying both access and the use of posture and observability data, IT and SecOps teams will be able to achieve better preparedness, faster incident investigation and response, and better root cause analysis. In order to prepare for threats, functionalities such as automatically detecting and reporting on unusual activity like bulk deletions, and allowing self-service roll-back to clean data will be key over the next decade."
Jon Check, Executive Director of Cyber Protection Solutions at Raytheon Intelligence & Space, believes that more diverse thinkers are needed to effectively combat ransomware in the coming year:
"Ransomware attacks have become more complex – and will only continue on this path in 2023. Unfortunately, any penalties for such attacks will have little to no effect as the next attacker will only become smarter and harder to catch, especially now that these attacks have become commoditized and attackers are able to put money into researching and developing more sophisticated threats. We must combat this by bringing our best diverse thinking to the table, while welcoming and inviting unique and diversified talent not always thought to be connected to the cybersecurity industry. The best ideas and most impactful solutions will come from taking a new path shown to us by an unexpected guide."
Chris Gray, AVP of Security Strategy at Deepwatch, believes that legislation and restrictions will increase around responses to ransomware:
"Ransomware attacks continue to progress, and defensive tactics linger behind where they are needed. Much of the 'new' has worn off here, and simply paying for the resolution has become far more of a commonplace accepted answer. Increasing legislation and cyber insurance restrictions, however, may limit an organization’s ability to respond in this fashion, and this will add further difficulties in resolution."
Christopher Warner, Senior Security Consultant at GuidePoint Security, believes ransomware operators may shift their focus to data integrity, rather than encryption:
"Ransomware attacks will not slow down, as a matter of fact we will see different types of ransomware attacks such as manipulating data. In 2023, we’ll see ransomware attack vectors targeting data integrity rather than encrypting it. This type of attack can be performed faster than a typical ransomware attack which performs full disk encryption. Even if the victim organization pays, the data could be corrupted, having the victim going back to the attacker and possibly paying more ransom. Data integrity is extremely important on OT/ICS/SCADA systems."
Andrew Pendergast, EVP of Product at ThreatConnect, believes Malware-as-a-Service will see more activity, which could in turn lead to an increase in ransomware attacks:
"As is well understood, MaaS operators act like a business, because they are a business - just an illegal one. Their goals are to make as much money as possible selling their product & services. This entails making it as accessible, trustable, reliable, and easy to use as possible to their “market.” So, beyond just making sure their malware is effective, we can expect MaaS providers to continue to evolve their support and services to accommodate a broader set of customers and affiliates. This may involve innovations to grow confidence in the continued anonymity and reliability of payment transactions between them, even if the provider is compromised by law enforcement; leveraging blockchain-based smart contracts is one means that has been researched. Regardless of the specific innovations, the net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks."
Brian Dunagan, Vice President of Engineering at Retrospect, believes additional measures should be taken in cybersecurity, as ransomware continues to maintain itself as a threat:
"Ransomware will remain a huge and relentlessly growing global threat, to high profile targets and to smaller SMBs and individuals as well. There are likely a few reasons for this continuing trend. Certainly, one is that today’s ransomware is attacking widely, rapidly, aggressively, and randomly – especially with ransomware as a service (RaaS) becoming increasingly prevalent, looking for any possible weakness in defense. The second is that SMBs do not typically have the technology or manpower budget of their enterprise counterparts.
"While a strong security defense is indispensable, we will see that next year security leaders will ensure additional measures are taken. Their next step will be enabling the ability to detect anomalies as early as possible in order to remediate affected resources. Large enterprises, SMBs and individuals alike will need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users will leverage the ability to mark objects as locked for a designated period of time, and in doing so prevent them from being deleted or altered by any user - internal or external.”
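The controls Preston and Dunagan describe, detecting bulk deletions and other unusual backup activity, rolling back to clean data, and keeping backups under a retention lock, fit in a few dozen lines. The Python below is an added example written for this roundup, not code from Druva, Retrospect or any other vendor quoted here: it scans a constructed backup catalog for ransomware-style churn and picks the newest snapshot that is both clean and still inside its retention window. The snapshot records, the thresholds, the 30-day lock policy and the helper names are all assumptions.

```python
"""Ransomware-style churn detection over a backup catalog, plus clean-restore-point selection.

Added example for this roundup; not code from Druva, Retrospect or any other vendor quoted
here. Catalog entries are constructed inline and all thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    files_total: int                  # files present after this backup run
    files_added: int                  # paths new since the previous run
    files_modified: int               # existing paths whose content changed
    files_deleted: int                # paths that disappeared since the previous run
    locked_until: Optional[datetime]  # WORM / object-lock retention; None = never locked


# Thresholds as a fraction of the previous run's file count (assumed values).
DELETE_RATIO = 0.20   # bulk deletion: a fifth of the estate gone in one run
MODIFY_RATIO = 0.30   # mass modification: files rewritten in place (encryption or corruption)
RENAME_RATIO = 0.30   # rename sweep: added ~= deleted with a flat total (e.g. a ransom extension)


def day(n: int) -> datetime:
    """Day n of the constructed timeline (day 0 = 2022-12-01)."""
    return datetime(2022, 12, 1) + timedelta(days=n)


def lock(n: int) -> datetime:
    """Retention lock applied to the day-n snapshot: 30 days (assumed policy)."""
    return day(n) + timedelta(days=30)


# Constructed catalog: four ordinary days, then three days of intruder activity.
CATALOG: List[Snapshot] = [
    Snapshot(day(0), 10000, 10000, 0, 0, lock(0)),    # initial full backup
    Snapshot(day(1), 10040, 50, 120, 10, lock(1)),
    Snapshot(day(2), 10070, 40, 95, 10, lock(2)),
    Snapshot(day(3), 10090, 30, 110, 10, lock(3)),
    Snapshot(day(4), 10100, 20, 100, 10, lock(4)),    # last good state
    Snapshot(day(5), 10100, 0, 9800, 0, lock(5)),     # in-place encryption or corruption
    Snapshot(day(6), 10100, 9900, 0, 9900, lock(6)),  # files renamed to a ransom extension
    Snapshot(day(7), 2000, 0, 0, 8100, None),         # backups purged; lock never applied
]
INCIDENT_REVIEW_TIME = day(8)   # when the responder runs the scan


def snapshot_anomalies(snap: Snapshot, prev: Snapshot) -> List[str]:
    """Reasons this run looks like ransomware activity relative to the previous run."""
    base = max(prev.files_total, 1)
    del_ratio = snap.files_deleted / base
    mod_ratio = snap.files_modified / base
    add_ratio = snap.files_added / base
    reasons: List[str] = []
    if del_ratio >= DELETE_RATIO:
        reasons.append(f"bulk deletion: {snap.files_deleted} files ({del_ratio:.0%})")
    if mod_ratio >= MODIFY_RATIO:
        reasons.append(f"mass modification: {snap.files_modified} files ({mod_ratio:.0%})")
    if (add_ratio >= RENAME_RATIO and del_ratio >= RENAME_RATIO
            and abs(snap.files_total - prev.files_total) <= 0.05 * base):
        reasons.append(f"rename sweep: {snap.files_added} added, {snap.files_deleted} deleted, total flat")
    return reasons


def scan_catalog(catalog: List[Snapshot]) -> Dict[datetime, List[str]]:
    """Map each snapshot time to its anomaly reasons; an empty list means it looks clean."""
    ordered = sorted(catalog, key=lambda s: s.taken_at)
    report: Dict[datetime, List[str]] = {ordered[0].taken_at: []}  # baseline has no predecessor
    for prev, snap in zip(ordered, ordered[1:]):
        report[snap.taken_at] = snapshot_anomalies(snap, prev)
    return report


def last_clean_restore_point(catalog: List[Snapshot], now: datetime) -> Optional[Snapshot]:
    """Newest snapshot that shows no anomaly and is still under retention lock.

    A snapshot whose lock has lapsed (or was never set) could have been deleted or
    altered by the intruder, so it is not trusted as a rollback target."""
    report = scan_catalog(catalog)
    for snap in sorted(catalog, key=lambda s: s.taken_at, reverse=True):
        if report[snap.taken_at]:
            continue
        if snap.locked_until is None or snap.locked_until < now:
            continue
        return snap
    return None


if __name__ == "__main__":
    for when, reasons in scan_catalog(CATALOG).items():
        print(when.date(), "ANOMALY: " + "; ".join(reasons) if reasons else "ok")
    clean = last_clean_restore_point(CATALOG, INCIDENT_REVIEW_TIME)
    print("roll back to:", clean.taken_at.date() if clean else "no clean, locked snapshot")
```

The ratios compare each run only against the one before it, so an intruder who corrupts a few hundred files a day stays under them; a production version would also track drift against a longer baseline and verify restored data against stored file fingerprints before declaring a snapshot clean. Requiring the restore point to be inside its retention window is deliberate: a snapshot whose lock has expired could have been deleted or altered by the same intruder, which is exactly what object lock is meant to rule out.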
Surya Varanasi, CTO at StorCentric, predicts increased aggression in ransomware activity:
“The ransomware threat will continue to grow and become increasingly aggressive – not just from a commercial standpoint, but from a nation-state warfare perspective as well. Verizon’s 2022 Data Breach Investigations Report, reminded us how this past year illustrated, “... how one key supply chain incident can lead to wide ranging consequences. Compromising the right partner is a force multiplier for threat actors. Unlike a financially motivated actor, nation-state threat actors may skip the breach altogether, and opt to simply keep the access to leverage at a later time.” For this reason, channel solutions providers and end users will prioritize data storage solutions that can deliver the most reliable, real-world proven protection and security. Features such as lockdown mode, file fingerprinting, asset serialization, metadata authentication, private blockchain and robust data verification algorithms, will transition from nice-to-have, to must-have, while immutability will become a ubiquitous data storage feature. Solutions that do not offer these attributes and more won’t come even close to making it onto any organization’s short-list."
The Securonix Threat Labs team predicts more devastating ransomware attacks targeting the cloud, containers, and other attack surfaces for bigger impact:
"Ransomware attacks will continue to grow in volume and take advantage of the expanding attack surface. “Blended” attacks will increasingly move from on-premises to cloud environments due to the higher density of sensitive victim data, creating more opportunities for attackers to extort their victims and gain leverage as part of the ransom negotiations. Older ransomware families such as Lockbit, Revil, Blackbyte, and Conti will return with new TTPs and IOCs. New threat actors will either leverage existing infrastructure or use their own means to target essential service providers. These include healthcare organizations, medical establishments, governments, financial services, and other industries that are critical to the supply chain."
Matthew Fulmer, Manager of Cyber Intelligence Engineering at Deep Instinct, predicts more actors jumping on the RaaS bandwagon:
"Even though ransomware has become an extremely lucrative business in recent years, ransomware-as-a-service (RaaS) has reached its final form. It initially started as an annoyance, and now after years of successful evolution, these gangs operate with more efficiency than many Fortune 500 companies even though they’re supposed to be the bad guys. They’re leaner, meaner, more agile, and we’re going to see even more jump on this bandwagon even if they’re not as advanced as their partners-in-crime."
Vincent D’Agostino, Head of Digital Forensics And Incident Response at BlueVoyant, predicts that ransomware groups will increase and diversify in 2023:
"When it comes to ransomware in 2023, the divide between ransomware groups operating ostensibly for profit (such as Lockbit and PYSA) and groups with apparent, or overt, political motivations (such as Prestige and RansomBoggs) will continue to deepen. In 2022, many large groups collapsed, including the largest, Conti. This group collapsed under the weight of its own public relations nightmare, which sparked internal strife after Conti’s leadership pledged allegiance to Russia following the invasion of Ukraine. Conti was forced to shut down and rebrand as a result.
"After the collapses, new and rebranded groups emerged. This is expected to continue as leadership and senior affiliates strike out on their own, retire, or seek to distance themselves from prior reputations. The fracturing of Conti and multiple rebrandings of Darkside into their current incarnations has demonstrated the effectiveness of regular rebranding in shedding unwanted attention. Should this approach continue to gain popularity, the apparent number of new groups announcing themselves will increase dramatically when in fact many are fragments or composites of old groups.
"In 2023, attacks are likely to get simpler in nature and target smaller companies as they are considered softer targets, less likely to draw media attention. This also provides fertile and forgiving proving ground for young hackers learning to get into what has become the big business that is ransomware. A good example of this is groups like Karakurt that skip the complexities of an encryptor deployment entirely and regress to single extortion attacks where data is merely exfiltrated and not encrypted — something we haven’t seen much of since 2015."
Tal Dery, co-founder and CTO of Red Access, predicts that ransomware will remain public enemy #1:
"As of 2022, roughly 68% of all global organizations have fallen victim to at least one ransomware infection. Sadly, that figure will continue to rise in 2023, as ransomware grows even more widespread. The commodification of offensive hacking tools (sold primarily on the dark web) has dramatically reduced the barriers to entry into the ransomware business, and the promise of million-dollar paydays has encouraged new entrants in droves. In 2023, watch out for the continued growth of “double-extortion” tactics, in which threat actors both encrypt and exfiltrate sensitive data, which they then sell for a second payday."
Fleming Shi, CTO, at Barracuda, predicts that ransomware gangs will become smaller and smarter:
"Throughout 2022, the major ransomware gangs—LockBit, Conti, and Lapsus$—were behind blockbuster attacks, keeping them in the headlines. But in 2023, with the ransomware-as-a-service business model taking off and the recent build leak of LockBit 3.0, a new generation of smaller and smarter gangs will steal their limelight. During the year, organizations will experience an increased frequency of ransomware attacks with new tactics, and those that aren’t prepared will make headlines that devastate their business and reputation."
Cryptocurrency and the blockchain.
MIT Technology Review notes how mainstream crypto hacks have become in 2022, with “more than 100 large-scale victims in the world of crypto.” However, advancements in cybersecurity for the cryptocurrency industry are expected to continue. Co-founder of blockchain security company Zellic, Stephen Tong, anticipates a “big new wave” of cybersecurity experts into the industry, while CTO of crypto wallet app ZenGo, Tal Be’ery, says that “building blocks” are in place for cybersecurity advancements.
OasisLabs Co-Founder & CEO and UC Berkeley Professor Dawn Song, believes that there will be a shift toward prioritization of blockchain privacy:
"Blockchain is open and transparent, but the inability of most blockchains to support confidentiality where it is needed is a serious limitation. We can expect to see a substantial increase in an effort towards creating the ability to keep web3 transparent while also protecting user privacy.
"Since most public blockchains do not offer on-chain confidentiality, users have no options to protect their information. In the coming year, we will see an institutional shift towards expanded options for user protection."
Michael Burshteyn of Morrison Foerster Privacy + Data Security team predicts more regulatory attention for crypto adoption:
"This past year saw tens of billions of dollars in cryptocurrency and digital assets lost. These losses stemmed from smart contract exploits, insider and external attacks, and collapses of centralized exchanges and decentralized protocols. At the same time, developers have continued to adopt web3 technologies and builders are continuing to develop innovative applications of blockchain, crypto, and related technologies. In response, 2023 is likely to see sharpened regulatory attention in an attempt to create predictable conditions for more mainstream adoption. A surge in litigation related to cryptocurrency token disputes and losses is on the horizon as well."
A focus on artificial intelligence and machine learning.
Artificial intelligence and machine learning are expected to drive automation in cybersecurity, Forbes reports, but they can equally be abused by threat actors. Polymorphic code, code that keeps changing its form to evade signature-based detection, has been seen in varying types of malware and could be generated with ML and AI. Fortinet believes machine learning will give money-laundering operations a boost by automating the recruitment of money mules. The market for AI cybersecurity products is anticipated to be worth close to $139 billion by 2030, Forbes reports. DigiCert predicts that adversaries will shift toward targeting zero trust infrastructure and may use AI and adversarial machine learning to find its weaknesses.
Torq Co-founder and CTO, Leonid Belkind, says that security automation will continue its expansion:
“Rather than focusing on retroactively building workflows and processes based on historic attacks, security automation deployments will shift to a proactive approach to help prevent attacks before they happen. Part of this involves security teams harnessing early threat intelligence signals and building defenses against them into their workflows and processes. The result will be a comprehensive new offensive-capacity framework that combines the entirety of the security stack into the most powerful protection approach to date.”
Mathieu Gorge, CEO of VigiTrust, believes that AI will become more prominent in the coming year:
"We're going to see a lot of focus around AI. It's going to continue to be a buzzword next year. Regulators will be coming in like we're already seeing in the EU. NIST is looking into it. I think we'll also see the US government publish about 5G and cybersecurity early next year."
Donnie Scott, CEO of IDEMIA, says that advocating for regulations and protections in the AI space is vital:
"Naysayers will continue to advocate for significant limitations or prohibitions of the use of AI as the ‘rise of the machines’ could threaten humanity. In the end, society, through our elected officials, needs a framework that allows for the protection of human rights, privacy and security to keep pace with the advancements in technology. Progress will be incremental in this framework advancement in 2023 but discussions need to increase in international and national governing bodies or local governments will step in and create a patchwork of laws that impede both society and the technology. We’ve seen this in the biometrics space and identity space where there is no current national framework and only a patchwork of local regulation."
Miriam Wugmeister of the Morrison Foerster Privacy + Data Security team, predicts continued use of responsible AI and ethical tech:
"Responsible AI and ethical tech will continue to be a trend and only become more important and interesting as the economy slows and organizations look for new ways to monetize the data that they have and to enhance their products and services in new and creative ways."
Lokke Moerel of Morrison Foerster, emphasizes the EU's impending AI Act as something to remember in AI development:
"While the EU’s AI Act may still be in draft form, EU data protection authorities are already applying similar principles assessing, developing, and applying AI under GDPR. As a result, 2023 may give you less time to anticipate requirements under the AI Act. Further, once in force, the AI Act will apply also to AI products that were developed before the AI Act went into effect."
The Securonix Threat Labs team predicts increased use of adversarial machine learning:
"The broad adoption of AI and statistical methods in defensive security use has forced threat actors to adapt and will usher in a new era of adversarial machine learning in 2023 and beyond. Attackers will increasingly deploy techniques to inject bad training data into online defensive learning systems, allowing for new attack techniques that avoid detection. Threat actors will also begin automating multi-step attack processes, such as account and service enumeration followed by lateral movement, to increase attack speed. This will begin with hardcoded logic and evolve into attack code that learns from the environment to make dynamic decisions autonomously. Organizations will increase their adversarial machine learning research budgets to counter this emerging threat, looking to build defensive AI that can thwart these methods."
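The poisoning technique Securonix describes, folding attacker-controlled samples into a defensive model's training data until the malicious behaviour looks normal, is easy to demonstrate against an online anomaly detector. The following is an added example written for this page, not code from the article or from Securonix. It builds a toy detector that learns a traffic baseline from every sample it sees, runs a slow ramp (a "boiling frog" schedule, growing 4% per interval) against it so that a 3x exfiltration burst later passes unnoticed, then shows a hardened variant that refuses to learn from flagged samples and caps how far the learned baseline may drift from a baseline established during a reviewed, trusted period. The metric (egress per hour), the growth rate, the tolerances and the drift cap are all constructed assumptions.

```python
"""Added example, not code from the article or from Securonix: a toy online
anomaly detector, the slow-ramp poisoning attack against it, and a hardened
variant. All traffic numbers and thresholds are constructed."""


class NaiveOnlineDetector:
    """Flags x if it exceeds the learned mean by more than `tol`, then learns
    from x unconditionally. Its baseline simply follows the attacker."""

    def __init__(self, warmup, alpha=0.5, tol=0.10):
        self.alpha, self.tol = alpha, tol
        self.mean = sum(warmup) / len(warmup)

    def observe(self, x):
        flagged = x > self.mean * (1 + self.tol)
        # Poisoning vector: every sample, flagged or not, trains the model.
        self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        return flagged


class HardenedOnlineDetector:
    """Same learner with two poisoning mitigations:
    1. flagged samples are never folded into the baseline;
    2. the learned baseline may not drift past `max_drift` times the baseline
       taken during a reviewed (trusted) warm-up period; anything above that
       cap is an incident to investigate, not a new normal to learn."""

    def __init__(self, warmup, alpha=0.5, tol=0.10, max_drift=1.5):
        self.alpha, self.tol = alpha, tol
        self.trusted = sum(warmup) / len(warmup)  # assumption: warm-up was reviewed
        self.cap = self.trusted * max_drift
        self.mean = self.trusted

    def observe(self, x):
        threshold = min(self.mean * (1 + self.tol), self.cap)
        flagged = x > threshold
        if not flagged:
            self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        return flagged


def ramp(start, growth, steps):
    """Attacker's poisoning schedule: grow the metric `growth` per interval so
    each sample stays inside the naive tolerance while dragging the mean up."""
    return [start * growth ** t for t in range(1, steps + 1)]


def run_scenario():
    warmup = [100.0] * 8          # constructed: benign egress, MB per hour
    poison = ramp(100.0, 1.04, 30)  # 30 intervals of +4 %, ending near 324
    burst = 300.0                 # the real exfiltration: 3x the benign rate
    results = {}
    for name, det in (("naive", NaiveOnlineDetector(warmup)),
                      ("hardened", HardenedOnlineDetector(warmup))):
        ramp_flags = [det.observe(x) for x in poison]
        results[name] = {
            "ramp_flags": ramp_flags.count(True),
            "first_ramp_flag": ramp_flags.index(True) if True in ramp_flags else None,
            "burst_flagged": det.observe(burst),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(name, r)
```

The naive detector never fires: with a 0.5 learning rate and a 4% ramp the ratio of each new sample to the learned mean converges to 1.08, safely under the 10% tolerance, so by the time the 300 MB burst arrives the "normal" baseline is already above it. The hardened detector hits its drift cap at the eleventh ramp sample and flags everything after it, including the burst. The general lesson is that any detector that retrains on unlabelled production data needs a bound that is not itself learned from that data.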
Increase in bot attacks.
Forbes predicts an increase in bot activity in the coming year. Botnets are able to automate and expand cyberattacks as technology advances.
Tony Lauro, Director of Technology Security & Strategy at Akamai, says that bots will be addressed by leaders in 2023 due to the damage they can cause:
“Bots aren’t going on vacation. In 2023, it’s very likely we’ll see attackers “renting out” IP addresses as part of a bot proxy system, making it extremely hard to track them. Think of it like short-term vacation rentals, but for IP addresses. Because IP addresses are more commonly “home user” addresses, it makes it incredibly difficult to detect and differentiate between a “good” home user and a bot. Since bots cause so much harm and lost revenue in the long run, we’ll see more security leaders addressing this in 2023.”
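The problem Lauro describes is that once a bot spreads its requests across rented residential IPs, any control keyed on source address sees one innocuous request per "home user". The following is an added example written for this page, not code from the article or from Akamai. It runs two controls over a constructed access log: a classic per-IP rate limit, which finds nothing, and a grouping by a stable client fingerprint (standing in for a TLS or header-order fingerprint such as a JA3-style hash), which surfaces the one client talking to the login page from twenty different addresses. The log records, the fingerprint labels and the thresholds are constructed.

```python
"""Added example, not code from the article or from Akamai: why a per-IP rate
limit misses a bot behind rotating residential proxies, and a per-client
grouping that still surfaces it. Log lines, fingerprints and thresholds are
constructed."""
from collections import Counter, defaultdict

# Constructed access-log records: (time, source IP, path, client fingerprint).
# The fingerprint stands in for whatever stable client signal is available,
# e.g. a TLS (JA3-style) hash combined with header ordering.
LOG = [
    # Bot: one fingerprint, twenty different "home user" IPs, one request each.
    *[(f"09:00:{i:02d}", f"203.0.113.{i + 1}", "/login", "fp-bot-7a1c")
      for i in range(20)],
    # A real user: one IP, several requests, mixed paths.
    ("09:00:05", "198.51.100.4", "/", "fp-browser-108"),
    ("09:00:09", "198.51.100.4", "/products", "fp-browser-108"),
    ("09:00:15", "198.51.100.4", "/login", "fp-browser-108"),
    ("09:00:40", "198.51.100.4", "/account", "fp-browser-108"),
]


def over_ip_limit(log, limit=5):
    """Classic control: block IPs with more than `limit` requests in the
    window. Returns the offending IPs (none here: the bot never repeats an IP)."""
    counts = Counter(ip for _, ip, _, _ in log)
    return {ip for ip, n in counts.items() if n > limit}


def spread_fingerprints(log, max_ips=3, path=None):
    """Rotation-aware control: a single client fingerprint seen from more
    distinct IPs than one household plausibly uses is a proxy-rotating bot.
    Optionally restrict the check to a sensitive path such as /login.
    Returns {fingerprint: distinct IP count} for each offender."""
    ips = defaultdict(set)
    for _, ip, p, fp in log:
        if path is None or p == path:
            ips[fp].add(ip)
    return {fp: len(s) for fp, s in ips.items() if len(s) > max_ips}


if __name__ == "__main__":
    print("per-IP blocks:", over_ip_limit(LOG))
    print("rotating clients:", spread_fingerprints(LOG, path="/login"))
```

The caveat a practitioner would add: a fingerprint can be randomised too, so in production this signal is one of several (session tokens, request timing, path entropy) rather than a single gate, and a legitimate shared fingerprint (a popular browser build behind a carrier NAT) needs a higher threshold than the toy value used here.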
Expanding attack surfaces, and expansion of IoT.
Forbes anticipates that there will be over 30 billion IoT connections by 2025, roughly four connected devices per person. The growing number of threat vectors, and the spread of the Metaverse, create opportunities for malicious activity, KnowBe4 says in a PR Newswire report.
Ryan Slaney, Threat Researcher at SecurityScorecard, says that he believes that people will demand a better security posture for their IoT devices:
“Connected devices have been historically known for their poor security posture. From vulnerabilities within baby monitors to critical bugs in home security systems, it’s just a matter of time before a malicious actor takes full control of a user’s smart home device. To protect the privacy and security of consumers and their homes, the U.S. government has confirmed plans for a cyber labeling program, set to launch in the spring of 2023. The initiative will help consumers make informed cybersecurity decisions about their IoT devices with easily recognized labels. With new regulations placing increased scrutiny on IoT device manufacturers in 2023, they will be compelled to significantly enhance security across their products.”
Wendy Frank, Deloitte’s US Cyber IoT leader, says that connected device visibility and security will be a major focus for many enterprises:
“IoT-connected devices have been deployed by most organizations over the years, but often without adequate security governance. As the number of IoT-, OT-, ICS- and IIoT-connected devices grows, the attack surface for the networks and ecosystems to which they’re connected grows as well, creating exponentially more security, data, and privacy risks. Leading organizations will focus in the year ahead on connected device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, monitoring connected devices more closely to further secure those endpoints, managing vulnerabilities, and responding to incidents.”
Sascha Merberg, Technical Director DACH at XM Cyber, believes that companies need to be aware of their expanded attack surfaces in the coming year, and how they could be abused by malicious actors:
"Cybersecurity predictions tend to be a bit like stating the obvious. Being on top of what an attacker is or could be doing in an organization's environment was and still is paramount. Despite the plethora of reactive tools that are meant to stop a breach while in progress, organizations will continue to be breached, no matter how good the cyber hygiene, endpoint protection or event analytics. In addition, digital transformation and WFH have not just expanded the attack surface, but created completely new attack surfaces that are difficult, sometimes impossible, to control on the one hand. On the other, they become more and more intertwined with core business processes – like the home computer an employee might use to connect to a company's ERP system.
"The need to understand how an attacker could move through their network is more important than ever for businesses. Instead of adding layers of noise generated by reactive tools and overloading already overloaded teams, organizations have to utilize solutions that help predict future attacks and focus on what is most relevant. Both operationally and strategically."
Amir Tarighat, a personal cyber privacy expert and Co-founder and CEO of Agency, says that some things should be considered when allowing more connected devices into the enterprise, noting first that BYOD (Bring Your Own Device) policies are inevitable:
"Even if you prohibit your employees from using their own devices, some employees will choose to use them anyway. The key advantage of BYOD is ensuring that any devices that could potentially be connected to your company are properly secured."
He continues, noting important factors to consider when implementing a BYOD policy:
"The services your team uses collect a vast amount of employee and even company information. Implementing ongoing dark web monitoring for data breaches affecting your employees is critical to preventing hackers from using exposed data to move into your systems.
"When implementing a BYOD policy, ensure that your internal security team or external vendors are prepared to support an increase in device volume and diversity.
"The number one place where BYOD policies fail is an ineffective onboarding stage. A list of instructions sent to employees may be challenging to follow, but this can be remedied with a live onboarding plan for every device.
"At minimum, your BYOD policy should include: Mobile device management and remote monitoring, endpoint & network security, and personal data breach monitoring."
Experts from Quokka believe that the rise in BYOD implementation will lead to an increase in the number of malicious attacks:
"The rise of BYOD will be accompanied by an increase in malicious attacks that attempt to breach the workspace sandbox. This makes pre-installed apps with privileged access a more desirable target for privilege escalation attacks. Mobile OS developers will continue to make accommodative changes at the operating system level to facilitate the adoption of BYOD but with continued improvements and dedicated efforts by cybercriminals, there is a higher chance of a security gap. The balance of security and usability for BYOD will need to be carefully considered and properly implemented."
Emphasis on security awareness in organizational culture.
KnowBe4 says that companies are recognizing the importance of building a culture of security, rather than just training, and anticipates a continuation of this trend. Developing an awareness of cyberthreats and taking basic safety measures seriously are imperative in 2023, Forbes reports.
Eric Hart, Manager of Subscription Services at LogRhythm, anticipates an expansion in awareness training:
“Coming to the end of a year in which so many organizations fell victim to social engineering attacks, more organizations will look to invest in training their end users to better detect threats. The past year has seen some big names – the likes of Microsoft, Cisco and Uber – suffer breaches by way of multi-factor authentication (MFA) fatigue, phishing and other social engineering tactics.
“With threat groups like Lapsus$ introducing bribery tactics to lure credentials from internal users, many of today’s attacks have evolved beyond the basic phishing techniques that end users are trained to recognize. Organizations will look to reassess their training programs to ensure that users are familiar with the bribery and extortion tactics associated with the latest social engineering schemes. Threat actors are constantly searching for new inroads into networks. Organizations concerned with their security postures will be sure to educate their users on emerging threats.”
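MFA fatigue, which Hart names among the techniques behind this year's breaches, has a recognisable shape in an identity provider's logs: a burst of push challenges to one user in a short window, most denied or timed out, sometimes ending in an approval. The following is an added example written for this page, not code from the article or from LogRhythm. It runs a sliding-window detection over constructed authentication log lines and returns one alert per affected user, rated high when the burst ended in an approval (the attacker got in) and medium when the user held out. The log format, field names, window and threshold are assumptions; a real deployment would read the IdP's own event schema.

```python
"""Added example, not code from the article or from LogRhythm: detection
logic for MFA push fatigue (push bombing) over constructed auth log lines.
The log format, thresholds and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; a real source would be the IdP's authentication log.
SAMPLE_LOG = """\
2022-12-01T09:14:02Z user=alice method=push result=denied src=203.0.113.7
2022-12-01T09:14:40Z user=alice method=push result=denied src=203.0.113.7
2022-12-01T09:15:21Z user=alice method=push result=timeout src=203.0.113.7
2022-12-01T09:16:05Z user=alice method=push result=denied src=203.0.113.7
2022-12-01T09:17:30Z user=alice method=push result=approved src=203.0.113.7
2022-12-01T09:20:00Z user=bob method=push result=approved src=198.51.100.4
2022-12-01T11:02:10Z user=carol method=push result=denied src=192.0.2.9
2022-12-01T11:45:00Z user=carol method=push result=approved src=192.0.2.9
"""

WINDOW = timedelta(minutes=10)
MAX_CHALLENGES = 4  # this many pushes or more inside WINDOW is abnormal


def parse(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=WINDOW, max_challenges=MAX_CHALLENGES):
    """Return {user: alert} for users whose push volume in any sliding window
    reaches max_challenges. Severity is 'high' if the burst ended in an
    approval, 'medium' otherwise; 'high' is sticky once seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            if rec.get("method") == "push":
                events[rec["user"]].append(rec)
    alerts = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window forward
            burst = recs[start:end + 1]
            if len(burst) >= max_challenges:
                results = [r["result"] for r in burst]
                severity = "high" if results[-1] == "approved" else "medium"
                if alerts.get(user, {}).get("severity") != "high":
                    alerts[user] = {"severity": severity,
                                    "pushes": len(burst),
                                    "results": results}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

On the sample data only alice trips the rule: five pushes in under four minutes ending in an approval, so the alert is high and should trigger session revocation and a credential reset rather than just a ticket. Bob's single approval and Carol's two pushes 43 minutes apart stay below the threshold. Number-matching or phishing-resistant factors remove the attack class; this detection is for the interval before they are rolled out.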
Jason Keogh, Field CTO of 1E, says he believes a positive digital employee experience is the future:
“In 2023, organizations will focus on driving a positive digital employee experience (DEX) without compromising security. Not only do draconian security controls lead to bad DEX, but they also cause users to find workarounds, which on balance creates an overall less-secure IT estate. Out of frustration with tough or confusing restrictions, they may, for example, create or store company data on personal devices or in personal cloud storage, or access company apps and data from unprotected personal machines. Better auditing and change control aligned to self-service and real-time capabilities are key to good security with good end-user experience. Looking ahead to 2023, organizations should implement real-time controls and exception handling to improve DEX and security—together.”
Pete Renneker, Deloitte’s US Technical Resilience leader for the Cyber Risk Services Infrastructure practice, says that an integrated view of different scenarios can improve organizational resilience:
“As the digitization of business continues, organizations are becoming more connected within the global marketplace, thus expanding the attack surface and increasing the frequency and impact of disruptions. The multitude of supply chain, geopolitical, environmental and cyberattack events organizations are facing challenges traditional risk programs and draws increased regulatory scrutiny. By leading with an integrated view of scenarios that threaten core business operations, organizations can employ new techniques and technologies which develop situational awareness of emerging threats and improve their ability to respond to disruptions.”
Omer Gafni, VP Surface at Pentera, believes security strategies within organizations will shift focus, from vulnerability management to exploitability:
"Today, many companies' primary security strategy is predicated on vulnerability management. How many vulnerabilities do we have? Where are they? How do we remediate them? Companies assess their overall security posture based on the number of critical vulnerabilities in their environment, but the strategy is flawed. To effectively reduce risk you need to understand not only what vulnerabilities exist, but also which are exploitable and serve the hackers’ end goals.
"With the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies. To achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker’s perspective, and therefore the most exploitable targets. This will enable them to more clearly evaluate their true cyber risk and prioritize remediations to effectively reduce their organizational exposure."
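The shift Gafni describes, from counting vulnerabilities to ranking them by what an attacker can actually do with them, can be made concrete as a scoring rule. The following is an added example written for this page, not code from the article or from Pentera. It takes a constructed set of findings (placeholder identifiers, not real CVEs) and ranks them twice: once by CVSS alone, and once by an exploitability score that treats reachability from the attacker's foothold as a gate and weights by public exploit availability, whether the host sits on a path to a high-value target, and whether exploitation yields credentials or code execution. The weights are illustrative assumptions; the point is that the two orderings disagree.

```python
"""Added example, not code from the article or from Pentera: ranking
findings by exploitability and attack-path relevance instead of by CVSS
alone. Findings, identifiers and weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # placeholder IDs, not real CVEs
    asset: str
    cvss: float
    exploit_public: bool        # working exploit code is public / used in the wild
    reachable: bool             # attacker can reach the service from a foothold
    leads_to_crown_jewel: bool  # host is on an attack path to a high-value target
    creds_or_code_exec: bool    # exploitation yields credentials or code execution


FINDINGS = [  # constructed sample inventory
    Finding("VULN-001", "isolated-lab-db", 9.8, False, False, False, True),
    Finding("VULN-002", "vpn-gateway", 7.5, True, True, True, True),
    Finding("VULN-003", "intranet-wiki", 8.1, True, True, False, False),
    Finding("VULN-004", "hr-fileserver", 6.5, True, True, True, True),
    Finding("VULN-005", "dev-laptop", 9.1, False, True, False, False),
]


def by_cvss(findings):
    """The 'count the criticals' view: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def exploitability_score(f):
    """Gate on what an attacker can use, then weight by what they gain.
    Unreachable findings score 0 regardless of CVSS (illustrative weights)."""
    if not f.reachable:
        return 0.0
    score = f.cvss / 10.0                       # 0..1 technical severity
    score *= 2.0 if f.exploit_public else 0.5   # exploit availability
    if f.leads_to_crown_jewel:
        score *= 2.0                            # serves the attacker's end goal
    if f.creds_or_code_exec:
        score *= 1.5                            # enables the next hop
    return round(score, 3)


def by_exploitability(findings):
    """Attacker's-eye view: (vuln_id, score) pairs, most useful first."""
    ranked = sorted(findings, key=lambda f: (-exploitability_score(f), f.vuln_id))
    return [(f.vuln_id, exploitability_score(f)) for f in ranked]


if __name__ == "__main__":
    print("by CVSS:          ", by_cvss(FINDINGS))
    print("by exploitability:", by_exploitability(FINDINGS))
```

The CVSS 9.8 finding on the isolated lab database tops the first list and drops to the bottom of the second, while the CVSS 6.5 file server bug with a public exploit on a path to HR data climbs to second place. In practice the inputs come from asset inventory, exposure data and a known-exploited source such as CISA's KEV catalogue rather than hand-entered booleans, and the weights should be reviewed against the organisation's own incident history.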
Social engineering, or, say, friend, step right up.
The growing prevalence of social media storefronts and commerce, together with the ease of getting verified on various platforms, will increase the rate of social media scams in the coming year, KnowBe4 says.
David Anteliz, Senior Technical Director at Skybox Security, predicts an increase in spearphishing specifically, with prominence on LinkedIn:
“Spear phishing continues to be a successful form of social engineering plaguing organizations today. Spear phishing is sure to be a prominent attack vector in 2023. We can expect threat actors to place an increased focus on targeting individuals via fake accounts on LinkedIn. LinkedIn is a platform that has traditionally been less frequently associated with malicious behavior and widely trusted by users. Threat actors will seek to take advantage of this sentiment to access critical information.
“Threat actors will disguise themselves as professionals looking to conduct surveys leveraging experts in various fields, giving them the perfect opportunity to obtain sensitive information from individuals and their organizations.”
Josh Yavor, CISO at Tessian, says that social engineering will be the root cause of many cyberattacks:
“In 2022 alone we’ve seen many high-profile companies across multiple industries fall victim to social engineering attacks. Social engineering is the leading cause because it works, is low cost, and when one path forward becomes more difficult - such as corporate email - attackers will shift to other communication methods. In fact, according to recent Tessian data, 56% of employees said they received a text message scam in the past year.
“While it’s a safe bet that 2023 will have plenty of headlines that are the result of social engineering, and that no organization is 100% safe, hope is not lost. We’re seeing attackers change their behaviors when social engineering tactics become more costly and difficult. That means some things are working, but we have so much work left to do. The question that should be top of mind for all CISOs as we head into 2023 is how their teams will approach making social engineering less reliable and more costly for attackers while extending the security umbrella to help cover risks outside of their reach.”
Mark Lee, CEO of Splashtop, predicts that malicious actors will increase the volume and sophistication of phishing scams:
"Unfortunately for most organizations, it’s not just employees and employers who have adapted to the new work-from-home reality. Malicious actors have had nearly three years to study how the changing workforce paradigm has affected corporate security. In that time, we’ve seen attacks targeting network infrastructure fade to the background in favor of social engineering attacks targeting individuals. Research from the World Economic Forum has found that a staggering 95% of cyber crimes are the result of human error. That’s why phishing attacks have gotten far more prevalent and far more sophisticated than ever before – they’re bearing fruit for the bad guys.
"We know that malicious actors are opportunistic. Forward-thinking attackers will use current news events or trends to develop more realistic campaigns with a higher likelihood of success. The shift toward flexible work-from-home policies is a tectonic shift in work experience – and it’s not one that hackers have overlooked. Recent research from Gartner found that, by the end of 2024, the change in work will drive up the total remote worker market to 60% of all employees, up from 52% in 2020.
"With more targets staying home in the coming year, we will see an increase in remote access scams: phishing campaigns that impersonate popular companies like subscription services, then trick people into installing remote access tools that enable attackers to deploy malware. As with all phishing campaigns, companies will need to take proactive steps to mitigate this threat, including regular employee training, encrypting critical data, and ensuring strict compliance to security patches and updates across their extended enterprise."
Critical infrastructure, ICS, and OT security.
KnowBe4 anticipates compromises of critical infrastructure next year, and cites the ongoing Russia/Ukraine war as increasing their likelihood.
Ramsey Hajj, Deloitte’s US and Global Cyber OT Leader, says that OT is seeing evolving threats in manufacturing and elsewhere:
“Cyber attackers are increasingly weaponizing Operational technology (OT) environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult. Organizations can implement cyber threat identification, detection, and prevention controls to address OT security risks by taking steps inclusive of increasing visibility to devices, implementing OT network segmentation, implementing security monitoring tools for the OT environment, correlating security information from OT and IT networks, and establishing security operations centers (SOCs) that address both.”
Coalition cybersecurity engineer Tommy Johnson says that critical infrastructure and nonprofit organizations need to be extra cautious:
“In analyzing the most frequently targeted industries and verticals, we noticed that organizations in critical infrastructure (manufacturing, materials, and energy, for example) experienced the highest volume of cyber claims thus far in 2022. We expect this to continue into 2023, with sophisticated attackers targeting organizations where they can maximize impact, especially regarding the ongoing geopolitical conflict.
“According to our data, nonprofits experienced the second-largest volume of cyber claims in 2022 (thus far). We expect this trend to continue into 2023, especially because November and December are the most prominent months for nonprofits to receive financial donations. Those funds will largely be put into use in January and February, making these organizations even more of a target at the beginning of the year.”
Mathieu Gorge of VigiTrust, believes that critical infrastructure will be a major target for adversaries in 2023:
"We really need to watch out for attacks on major infrastructure. Critical infrastructure protection is going to get a boost in 2023 from a regulatory perspective and assessments being done by governments. There's going to be a lot of work around critical infrastructure protection, because that's really what all of this is about."
Chief Information Security Officer of (ISC)², Jon France, believes that the need to secure OT infrastructure will be underestimated:
"Operational technology is one of the highest-targeted and lowest-prioritized technology areas out there. OT is low-hanging fruit for attacks and is so ingrained in the critical infrastructure systems that are struggling to keep up with the pace of change in cybersecurity. These systems have more tangible, real-world impacts on broader populations than traditional IT systems do, yet often they're built on legacy systems that have long life/replacement cycles and are outdated quickly, and are often dangerous to patch or "unpatchable" in the first place. This is an obvious attack surface for hackers, especially nation-state actors because incidents can have far-reaching, physical effects. The tensions rising in the Russo-Ukrainian war and in China and Taiwan only exacerbate the potential threat against OT systems. Securing these systems doesn't mean forcing "new" technology onto the systems – it's not about zero trust or having more regulations or more patching requirements. It's about increasing visibility into assets, implementing mitigating controls and building resiliency plans so that if the worst comes, downtime and impact can be mitigated. In 2023, we're likely to see the industry continue to misconceive what is needed to secure these systems, and we'll likely see a major attack on critical infrastructure because of it."
Mike Hamilton, Founder & CISO at Critical Insight believes regulations around cybersecurity for critical infrastructure will continue to develop:
"Sector-specific agencies will continue to 'regulate' critical infrastructure cybersecurity controls and the trend to increase regulatory requirements writ large will not abate."
The Securonix Threat Labs team predicts that OT/IoT security will become a greater cross-sector priority:
"While the OT-IT convergence presents an unprecedented potential for significant returns, it also increases the potential for damaging cyberattacks on systems that were previously isolated and harder to reach. Attacks are becoming more common because these systems – often consisting of critical infrastructures – are becoming more interconnected in a larger ecosystem. As cybersecurity continues to embrace a holistic approach, organizations, regardless of industry, will make OT/IoT security a much greater priority to defend against attacks. OT network information, including visibility and monitoring of assets and process control information from sensors and actuators, will deliver greater insights into how attacks are initiated and determine how deeply the infiltrator has penetrated the system.
"Threat actors will continue to take advantage of micro- and macro-level trends to target their victims throughout the next year. New advanced campaigns will be deployed globally through both tried-and-true techniques and new approaches that have yet to be seen. While 2023 will present new challenges, organizations that secure coverage across their extended environments and the cloud will be more prepared."
Ron Fabela, CTO & Co-Founder at SynSaber, predicts that the coming year will be an opportunity for focus on ICS cybersecurity:
“For industrial control systems cyber security, 2023 is a year for focus and opportunity. Never before has there been more regulation, government guidance, funding, and awareness, making this year the time for execution. 2022 was relatively quiet for ICS specific attacks outside of the war in Ukraine, and the predicted cyber war never came to pass. Nonetheless, ransomware attacks against enterprises are on the rise, with ICS environments affected as collateral damage. While ICS specific ransomware is still highly unlikely, disruption of operations due to enterprise ransomware will continue. Thankfully ICS has the "home field advantage" and 2023 will be the year where we all collectively fight for the operator and secure our critical infrastructure.”
Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, predicts that the ICS/OT skills gap will widen due to unprecedented demand:
"Research has shown that the vast majority of electricity, oil and gas, and manufacturing firms have experienced cyber attacks over the past year and a half or so. Research has also shown that the cybersecurity workforce gap is growing due to high demand for skilled professionals. In addition to the intense threats against critical infrastructure systems that have been prevalent for years, as the Biden Administration’s new 100-day sprints across sectors and more regulations are released, more specialized professionals are needed to keep up. Additionally, many organizations currently lack staff with the ability to successfully integrate security practices and rigor across IT and OT departments, which is gaining significance and importance with the rise of Industry 4.0 in 2023."
He further predicts that industry 4.0 will drive the renewed IT/OT convergence conversation:
"Collaboration of IT and OT departments will continue to be the best solution for remediating vulnerabilities, tracking present and future threats, and responding to any incidents efficiently. However, the conversation will continue to be heated and overshadow the benefits of merging the security oversight and accountability of these two historically separated departments. IT-OT convergence is not a new idea. It has been around for decades and the most successful companies have reaped the benefits. The difference now is with the rise of Industry 4.0 and the interconnectedness of systems we’re seeing, collaboration between these two departments is no longer an option but a necessity. I anticipate we’ll see many major companies jumping aboard the converged security ship and observing the benefits from increased efficiencies and visibility to decreased costs and downtime."
He continues, predicting that attacks on ICS/OT will result in human costs:
"We all know that attacks on critical infrastructure have real-world implications. Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyber attacks have firsthand. While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year. Asset visibility continues to be an issue for operators, which means securing, segmenting and hardening defenses becomes a guessing game of what’s important and what’s not. If IT and OT security convergence continues to be stunted and, thus, visibility remains poor, attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs."
Liebig also believes we’ll see a catastrophic attack on the energy grid in 2023:
"The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid in 2023. Energy experts sounded the alarm in June of 2022 that the electric grid in the U.S. wouldn’t be able to withstand the impacts of climate change, and as Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the U.S.’s infrastructure as well. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the U.S. electric power infrastructure for years. The combination of aforementioned factors makes the U.S.’s power grid more vulnerable to cyber attacks than it has been in a long time."
Increased efficacy and threat of deepfakes.
Deepfakes will get better at fooling people and damaging reputations, KnowBe4 says, and because awareness of them is still low, training on the topic remains inadequate.
David Mahdi from Sectigo says that he believes that deepfake phishing will ramp up in 2023:
“Virtually every single business relies upon email, chat, and video conferencing as fundamental modes of communication, especially in the era of hybrid work. Cyber-criminals are aware of companies’ reliance on them and are perpetrating a variety of attacks to profit from them. The idea is simple: get employees to send money or information by impersonating a person in a position of power. These days, employees may consider themselves experts at sniffing out untrustworthy communications so bad actors have added a new component to the scheme which we will see go mainstream in 2023: Artificial intelligence/machine learning (AI/ML) backed techniques, specifically deep fake phishing.
“Deepfake technology allows users to impersonate others with startling accuracy and we are going to see this technology continue to improve and become more mainstream in 2023. Bad actors can easily make autoencoders—a kind of advanced neural network—watch videos, study images, and listen to recordings of individuals to mimic that individual’s physical attributes. Rather than deploy malware, perpetrators will increasingly rely instead on social engineering techniques and impersonation, making them notoriously difficult to prevent.
“Those in the security business should choose biometric authentication methods with care—and with the understanding that, as deepfakes become more sophisticated, those biometric authentication methods may be rendered much less useful. On the other hand, everyday individuals should monitor their accounts regularly, especially for banking, loan, and other financial services. Implementing email certificates is a quick and easy fix to decrease the chances of these attacks, combined with ongoing employee training.”
Tal Dery, co-founder and CTO of Red Access, believes that deepfakes will grow more sophisticated and widespread:
"Deepfake technology has made significant ripples in the cultural consciousness over the past year or two, and deepfakes will continue to blur our perception of reality in 2023, as AI and machine learning tools make them both easier to develop and more difficult to detect. In the coming year, we will likely see deepfakes play a more prominent role in a wider range of attacks, including impersonation in instances of fraud and as a political tool for the spreading of disinformation. Cyberattacks that target identity will become much more powerful as deepfake video impersonations of targets are used to gain trust and access to sensitive accounts. We can also expect to see them used in cases of economic and political sabotage, in which videos depicting prominent business and political figures saying or doing harmful things are disseminated…presumably simply to watch the world burn."
Impact of an economic recession on cybersecurity.
Tony Jarvis of Darktrace says that budget cuts are fueling more creative approaches to cybersecurity for CISOs, Security Brief Australia reports. "Rising cyber insurance premiums are one thing, but as more underwriters introduce exclusions for cyber-attacks attributed to nation-states, organisations will struggle to see the value in such high premiums," he says. "In 2023, CISOs will move beyond just insurance and checkbox compliance to opt for more proactive cyber security measures in order to maximise ROI in the face of budget cuts, shifting investment into tools and capabilities that continuously improve their cyber resilience."
Kevin Kirkwood, Deputy CISO at LogRhythm, says that cyberattacks will be prevalent during difficult financial times:
“When it comes to malicious attackers, organizations need to be acutely aware that we’re not talking about machines or software programs being at the other end of this, we're talking about creative human beings who are motivated and will do whatever it takes to achieve their goal of receiving more money. As organizations balance international turning points with Russia’s war in Ukraine while scaling down operations, threats will inevitably continue to evolve as cybercriminals take this chance to up their attack game during the recession. Therefore, it’s crucial that all organizations are proactive with their security strategies and adopt endpoint technologies and other security solutions that provide preemptive capabilities.”
Rohyt Belani, CEO and Co-Founder at Cofense, says that the cybersecurity industry isn’t recession-proof:
“In 2023, we will see fewer resources and tighter security budgets in corporate settings thanks to economic uncertainty, resulting in subpar security posture across organizations. Because of this, threat actors will capitalize on this asymmetry and evolve faster, creating the perfect storm for an amplified number of breaches across all vectors in 2023, especially using email as an attack vector.”
David Mahdi from Sectigo says that financial instability will prompt the securing of cyber infrastructure:
“The economic downturn will force enterprises to decrease investments in cyber protection and therefore increase their vulnerability to an ever-evolving and dangerous slew of threats.
“As such, it will be critical for public officials to re-assess cybersecurity regulation effectiveness amid conflict and, more importantly, for institutions to fortify their cyber infrastructures.
“To remain secure, leaders should focus on the people and processes within organizations, as swiftly and as promptly as they’d adopt new technology to stay competitive. For the sake of their employees and the customers they serve, close monitoring of digital identities within public and private networks will prevent organization missteps. As the next year has many unknowns, enterprises will ensure procedures and regulations work hand-in-hand for cyber resiliency.”
Drew Perry, VP of Information Security & CISO at Serta Simmons Bedding, says companies will not push for returns to work to conserve funds:
“Driven by continued economic instability, there will be an acceleration of organizations going back to remote work on a larger scale as a way to save money on big, expensive office spaces. As workforces become increasingly distributed, CISOs will once again have to prioritize the support of secure collaboration and communication technologies required by this shift. In 2023, zero-trust networks, data loss prevention, information privacy and cross-border data transfers will all become increasingly critical for a workforce that can work from anywhere.”
Jon France of (ISC)² predicts that the recession will cause companies to spend less on training:
"Despite the idea that cybersecurity may be a recession-proof industry, it's likely that personnel and quality will take a hit during the economic downturn. We're not seeing core budgets for cybersecurity being cut as of now, but the more 'discretionary' areas, such as training budgets, are likely to see scalebacks. This goes for both security awareness training at companies of all sizes and training cybersecurity professionals on how to adequately protect their critical assets. The industry is already facing a skills shortage, and unfortunately, we're likely to see that skills shortage worsen as the recession takes hold in 2023 due to the increased demand for skilled cybersecurity workers."
Rahul Raghavan, Senior Vice President in Kroll’s Cyber Risk practice, believes that the state of the economy right now will lead to a focus on short-term projects and outcomes:
“In the year ahead, economic pressures are likely to tighten spending on strategic cyber initiatives that are not directed by compliance or regulations. Short-term, outcome-driven projects will be the focus, as opposed to long-term transformation initiatives. For DevSecOps, this is likely to mean product security initiatives that are driven by strategic frameworks – such as OWASP SAMM, NIST SSDF and BSIMM – which offer a ‘hop-skip and jump’ approach to secure software development, keeping it cost effective and low-resource intensive.”
John Funge, Managing Director at DataTribe, says that next year will see more selective investment activity:
"Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments. As fewer deals will get done, there will be a “flight to quality” and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.
"In 2023, cyber will be softer but will remain a bright spot for investing. Compared to the nearly 24% YoY decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%. Several CISOs we work with highlight new levels of scrutiny in their budget requests; malicious actors and cyberattacks continue to drive robust growth in cyber markets. Some of the more interesting cyber trends we are following as we head into 2023 include: Web3 security, collective defense and collaboration, risk-based vulnerability management, and secure-by-design software engineering."
Benjamin Fabre, Co-Founder and CEO at DataDome predicts that the economic downturn should not have a negative impact on cybersecurity:
"I don’t see the economy negatively impacting the cybersecurity space in 2023. Why? Because the cost of not investing in cybersecurity is simply too great, even during an economic downturn. Companies have too much to lose – financially, reputationally, competitively – if their or their customers' data is breached. And when you consider the increasingly scrupulous legal and regulatory environment companies now operate in, the risk of not being privacy compliant or secure outweighs the short-term benefits of reducing cybersecurity budgets."
The continued evolution of authentication methods.
Multifactor authentication is not the strong protector it once was, says Darktrace’s Tony Jarvis, Security Brief Australia reports. Jarvis says, "Once considered a silver bullet in the fight against credential stuffing, it hasn't taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023. MFA will remain critical to basic cyber hygiene, but it will cease to be seen as a stand-alone set and forget solution. Questions around accessibility and usability continue to dominate the MFA discussion and will only be amplified by increases in cloud and SaaS along with the dissolution of traditional on-prem networks.”
Romain Basset, Director of Customer Services at Vade, anticipates phishing attacks targeting MFA and legitimate servers:
“We’ll see more phishing campaigns that are able to circumvent MFA by acting as a proxy with the real authentication system, or by tricking users who have MFA fatigue.”
John Pescatore, director of emerging security trends at the SANS Institute, believes MFA bypass attacks will increase significantly:
“We will see a continued movement away from using multiple-use passwords and towards adopting multifactor authentication (MFA), passkeys, FIDO 2 authentication and other additional layers of security. Companies like Apple and Google are also developing their own authentication token systems. This will all lead to a badly needed increase in security but also result in an explosion of attacks that aim to bypass such MFA approaches, including using stalkerware to take advantage of company executives and board of directors’ use of mobile phones to record their keystrokes and interactions.”
Stuart Wells, Jumio’s CTO, says that identity verification will be moved to multimodal biometrics:
“The era of passwordless authentication is well underway as businesses across sectors continue to adopt biometric identity verification. Biometric verification technology has improved significantly in recent years — so much so that it’s been ingrained in many everyday tasks, like unlocking our mobile devices. Even as facial recognition technology reaches upward of 99% accuracy, fraudsters have engineered workarounds through the likes of face morphs, deepfakes, digital image manipulation and the use of synthetic masks.
“These concerns will remain top of mind for enterprises heading into the new year, which paves the way for the rise of multimodal biometric adoption in conjunction with multimodal liveness. Introducing an additional level of biometric verification to the authentication process adds another layer of insulation between enterprises and malicious actors. Supplementing facial recognition with an additional biometric like voice or iris detection provides additional security for businesses seeking to verify their customers, patients, employees and other users. Additionally, adding multi-modal liveness detection further strengthens the protection that the person is real. Techniques such as correlated mouth movement and speech, and detecting blood flow in the face all make the authentication process much harder to spoof.”
Miles Hutchinson from Jumio says that MFA fatigue will force the abandonment of the authentication method:
“Dating back to the mid-1990s with the inception of phishing, hackers have long employed the use of social engineering attacks for credential access and network breaches. Today’s hackers, however, aren’t hunting their next victims in AOL chat rooms — instead, they’re right beneath our fingertips spamming users into approving push notifications and sign-in attempts that grant outsiders inside access.
“The likes of Microsoft, Cisco and Uber, among other large-scale organizations, have all been struck by this multi-factor authentication (MFA) fatigue technique. The widespread success of this tactic, also referred to as prompt bombing, will soon force businesses to leave behind MFA strategies and search for verification alternatives. It’s likely that many organizations will begin to look toward passwordless authentication as the preferred method of authentication — and a sure way to avoid users falling victim to MFA fatigue.”
JD Sherman, CEO of Dashlane, believes that the industry is shifting toward new authentication methods:
"The vast majority of breaches today stem from the same culprit: compromised passwords. In 2023 we’ll see a huge shift to mitigate this phenomenon, as we usher in the next generation of security with unphishable logins called passkeys. These keys cannot be seen or accessed by humans, removing all human-related risks of password usage. We’ve already seen a number of popular websites and big tech companies launching passkey solutions this year, but everyone should be prepared for the upcoming period of transition."
W. Curtis Preston of Druva says that MFA attacks may significantly increase into the coming year:
"The big takeaway from the cyber incidents of 2022 is that MFA, while incredibly important, is not infallible. We will continue to see a dramatic increase in the volume of MFA exhaustion attacks. Bad actors will overwhelm the victim with so many MFA requests that they eventually authorize one of them, and the attacker is in. In 2023, companies must look to make their MFA systems more resilient to these types of attacks."
Torsten Staab, PhD, Principal Engineering Fellow at Raytheon Intelligence & Space, predicts continued implementation of zero trust security solutions across organizations:
"Zero Trust (ZT) Security is a security model, not a product. Adopting Zero Trust Security across an enterprise requires careful planning and the use of complementary, multi-vendor solutions. For many organizations, adopting Zero Trust Security will be a multi-year journey. Establishing a solid ZT strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful Zero Trust Security implementation.
"Moving into 2023, look for additional ZT implementation guidance and recommendations from NIST and the U.S. Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA).
"Furthermore, as we head towards the Quantum Computing Era, adopting a Zero Trust architecture will become more important than ever. Zero Trust principles such as “never trust, always verify” and “assume breach,” coupled with PQC-inspired concepts such as Crypto Agility (i.e. the ability to seamlessly switch between classical and PQC algorithms and quickly replace compromised crypto algorithms if needed) will apply to any organization and be key for providing future-proof, next-generation cyber security."
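Staab's "Crypto Agility" point above is easier to grasp with a concrete design. The following is an added illustration written for this article, not code from Raytheon or any vendor quoted here. It uses classical HMAC constructions from the Python standard library as stand-ins for "classical" and "post-quantum" algorithms (no PQC library is assumed), and the token format, algorithm identifiers and `CryptoPolicy` class are assumptions for the example. The point it demonstrates is structural: every protected object names the algorithm that produced it, the identifier itself is authenticated, and a policy object (not the code) decides which algorithms are current, deprecated (accepted but re-issued) or revoked, so swapping or retiring an algorithm is a configuration change.

```python
"""Crypto-agility sketch: algorithm registry + policy-driven rotation and revocation.

Added example for this article (not vendor code). Token layout, identifiers and
the policy object are assumptions for illustration; the HMAC hashes stand in for
any classical-vs-PQC algorithm pair.
"""
import base64
import hashlib
import hmac
import json

# Registry of algorithm identifiers. Adding a future algorithm (e.g. a PQC
# signature wrapped behind the same interface) is a one-line registry change;
# the token format and verification flow do not change.
ALGORITHMS = {
    "hs256": hashlib.sha256,
    "hs3-256": hashlib.sha3_256,
    "hb2b": hashlib.blake2b,
}


class CryptoPolicy:
    """Which algorithm to sign with, and which old ones are still tolerated."""

    def __init__(self, current, deprecated=(), revoked=()):
        self.current = current
        self.deprecated = set(deprecated)
        self.revoked = set(revoked)

    def rotate(self, new_current):
        # The previous algorithm still verifies, but callers are told to re-issue.
        self.deprecated.add(self.current)
        self.current = new_current

    def revoke(self, alg):
        # A compromised algorithm is rejected outright from this point on.
        self.deprecated.discard(alg)
        self.revoked.add(alg)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, key: bytes, policy: CryptoPolicy) -> str:
    """Produce '<alg>.<payload>.<mac>' using the policy's current algorithm."""
    alg = policy.current
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    # The algorithm identifier is part of the MAC input, so it cannot be swapped
    # by an attacker to point at a weaker or different algorithm.
    mac = hmac.new(key, f"{alg}.{body}".encode(), ALGORITHMS[alg]).digest()
    return f"{alg}.{body}.{_b64(mac)}"


def verify_token(token: str, key: bytes, policy: CryptoPolicy):
    """Return (status, payload); status is 'ok', 'reissue' or 'rejected'."""
    try:
        alg, body, mac_b64 = token.split(".")
    except ValueError:
        return "rejected", None
    # Policy gate first: unknown, revoked, or not-currently-allowed algorithms fail
    # before any cryptographic work is done.
    if alg not in ALGORITHMS or alg in policy.revoked:
        return "rejected", None
    if alg != policy.current and alg not in policy.deprecated:
        return "rejected", None
    expected = hmac.new(key, f"{alg}.{body}".encode(), ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, _unb64(mac_b64)):
        return "rejected", None
    payload = json.loads(_unb64(body))
    return ("ok" if alg == policy.current else "reissue"), payload


def rotation_walkthrough() -> dict:
    """Rotate, then revoke, and report how an old token is treated at each stage."""
    key = b"constructed-demo-key-not-for-production"
    policy = CryptoPolicy(current="hs256")
    old = issue_token({"sub": "alice"}, key, policy)
    results = {"before_rotate": verify_token(old, key, policy)[0]}
    policy.rotate("hs3-256")
    results["after_rotate"] = verify_token(old, key, policy)[0]
    results["fresh_after_rotate"] = verify_token(issue_token({"sub": "alice"}, key, policy), key, policy)[0]
    policy.revoke("hs256")
    results["after_revoke"] = verify_token(old, key, policy)[0]
    return results


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The design choice worth copying is the split between the registry (what the code can do) and the policy (what the deployment allows). Rotation becomes a two-step operation: move the new algorithm to "current" while the old one is "deprecated", re-issue anything that verifies with status `reissue`, then revoke the old algorithm once nothing depends on it.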
Rob Deane, Associate Managing Director in Kroll’s Cyber Risk practice, predicts an increase in implementation of zero trust principles:
“We are likely to see more Zero Trust principles in software development lifecycles in 2023 to protect applications and the underlying code base. For example, this will mean requiring all users to be authenticated, authorized and continuously validated before being granted or maintaining access to an application and its data.”
Oz Alashe, CEO & Founder at CybSafe, expects attacks targeting MFA in 2023:
"In 2023, expect an increase in MFA fatigue/bombing attacks, and similar attempts to compromise MFA, such as the Uber breach. MFA is a classic example of organizations using a security mechanism (MFA) to reduce compromise, but attackers find ways to circumvent it."
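Preston's and Alashe's predictions above both describe the same pattern: a run of push prompts that the user denies or ignores, followed by one that is approved. That pattern is visible in authentication logs, and the following added example (written for this article, not code from any vendor quoted here) shows a detection over constructed sample log lines. The log format, field names, the 10-minute window and the three-push threshold are assumptions; adapt them to your identity provider's event schema.

```python
"""Detect MFA push-fatigue ("prompt bombing") bursts in authentication logs.

Added example for this article, not vendor code. The log format, event names,
window and threshold below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<id> event=<name> src=<ip>".
# alice: five pushes in two minutes, four rejected, then one approved (the pattern).
# bob: a normal single push. carol: two pushes hours apart (benign).
SAMPLE_LOG = """\
2023-01-10T08:00:01Z user=alice event=push_sent src=203.0.113.7
2023-01-10T08:00:09Z user=alice event=push_denied src=203.0.113.7
2023-01-10T08:00:31Z user=alice event=push_sent src=203.0.113.7
2023-01-10T08:00:40Z user=alice event=push_timeout src=203.0.113.7
2023-01-10T08:01:02Z user=alice event=push_sent src=203.0.113.7
2023-01-10T08:01:05Z user=alice event=push_denied src=203.0.113.7
2023-01-10T08:01:30Z user=alice event=push_sent src=203.0.113.7
2023-01-10T08:01:33Z user=alice event=push_denied src=203.0.113.7
2023-01-10T08:02:00Z user=alice event=push_sent src=203.0.113.7
2023-01-10T08:02:15Z user=alice event=push_approved src=203.0.113.7
2023-01-10T08:05:00Z user=bob event=push_sent src=198.51.100.20
2023-01-10T08:05:04Z user=bob event=push_approved src=198.51.100.20
2023-01-10T09:30:00Z user=carol event=push_sent src=198.51.100.21
2023-01-10T09:30:20Z user=carol event=push_timeout src=198.51.100.21
2023-01-10T11:00:00Z user=carol event=push_sent src=198.51.100.21
2023-01-10T11:00:03Z user=carol event=push_approved src=198.51.100.21
"""

WINDOW = timedelta(minutes=10)   # sliding window length (assumed)
PUSH_THRESHOLD = 3               # pushes within the window before alerting (assumed)


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_push_fatigue(events: list, window=WINDOW, threshold=PUSH_THRESHOLD) -> list:
    """One alert per user who received `threshold` or more pushes inside `window`.

    Severity is 'high' when a push was approved after at least two pushes in the
    burst were denied or timed out, i.e. the user appears to have given in.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e for e in evs if e["event"] == "push_sent"]

        # Sliding window over push_sent events to find the start of a burst.
        burst_start, lo = None, 0
        for hi in range(len(sent)):
            while sent[hi]["ts"] - sent[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_start = sent[lo]["ts"]
                break
        if burst_start is None:
            continue

        # Classify what happened to the pushes from the burst onwards.
        rejected, approved_after_rejects = 0, False
        for e in evs:
            if e["ts"] < burst_start:
                continue
            if e["event"] in ("push_denied", "push_timeout"):
                rejected += 1
            elif e["event"] == "push_approved" and rejected >= 2:
                approved_after_rejects = True

        alerts.append({
            "user": user,
            "pushes": sum(1 for e in sent if e["ts"] >= burst_start),
            "rejected": rejected,
            "severity": "high" if approved_after_rejects else "medium",
            "sources": sorted({e["src"] for e in evs if e["ts"] >= burst_start}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A "high" alert is the one to page on: the account should be treated as potentially compromised until the session is reviewed, since the approval came after a run of rejections. The "medium" case (a burst with no approval) still matters because it shows the password is already known to someone; Preston's resilience advice applies there, for example rate-limiting pushes per user and requiring number matching rather than a bare approve button.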
Mark Lee, the CEO of Splashtop, predicts that zero trust principles will go mainstream and become a priority for businesses:
"Cybersecurity has never been easy, but attacks have gotten more sophisticated in recent years. At one time, security was essentially about putting barriers in place that prevented bad actors from accessing your data and systems. Easier said than done, but still a straightforward process. But now we live in a world where network perimeters are a lot less defined than ever before. When is the last time you heard one of your colleagues talk about their attack surface getting smaller? Whether you’re a multi-national enterprise or an SMB, odds are that your attack surface is moving in one direction: toward expansion.
"This is why Zero Trust principles – the idea that no user or application with access to corporate networks or data should be trusted by default - have taken off in the past year or so. Security teams need more control. 2023 will be a year where Zero Trust principles further take root in organizations of all sizes as security and IT teams internalize the principles behind this strategy and create policies and protocols to enforce them."
Tal Dery, co-founder and CTO of Red Access, believes that passwordless solutions will finally gain traction at the enterprise level:
"Though passwordless authentication solutions have been around for a while, they’ve struggled to gain widespread implementation at the enterprise level. This, however, appears to be changing, with companies like Google rolling out passwordless authentication options for Android and Chrome, and other major tech players initiating similar plans. With more phishing attacks taking place in 2022 than ever before, the shift to passwordless solutions will be a major step in the ongoing effort to stem the tide — as passwordless authentication solutions are inherently more phishing resistant than traditional passwords. Which type of passwordless authentication architecture will see the most widespread adoption, we’ll have to wait and see, but possible contenders include: biometrics, authenticator applications, physical security keys, and magic links."
US Federal government push toward cybersecurity.
Aleksandr Yampolskiy, CEO and Founder of SecurityScorecard, believes that there will be an increase in government moves toward security:
“According to Gartner, digital immune systems that deliver resilience and mitigate security and operational risks will be a key strategic technology trend in 2023. We’ve already seen considerable mentions of security by default practices in the past several months within CISA’s Strategic Plan for 2023 - 2025 and the White House’s Guidance on enhancing software supply chain security. In 2023, we’re going to see increased guidance and legislation surrounding secure development practices that include specific metrics and timelines for federal agencies. As technology companies seek government contracts in the coming year, it will be increasingly crucial that they collaborate with the public sector and look at these government regulations as a baseline to build foundationally secure software.”
David Anteliz of Skybox Security, anticipates that the increase in cybersecurity directives from the federal government will increase federal agencies’ likelihood of being targeted, saying:
“The Cybersecurity and Infrastructure Security Agency (CISA) has issued a number of new guidance documents this year. Most recently, Binding Operational Directive 23-01 mandates federal agencies to take necessary steps to improve their asset visibility and vulnerability detection capabilities in the next six months. In 2023, we will see threat actors ramp up their attacks before new cybersecurity controls are implemented ahead of 2023 deadlines. This increase in attacks will likely come in the form of supply chain attacks as malicious actors seek to do their worst before they get caught.”
Veronica Torres, Jumio worldwide privacy and regulatory counsel, says that Congress will have to agree on a national privacy framework in the coming future:
“We’ve seen considerable momentum surrounding data privacy in the U.S. over the past few years, as consumers and watchdogs continue flagging concerns over the innumerable amount of data technology companies are collecting and storing about them. While state-level regulations have been a great starting point in protecting consumers, they have also brought a number of challenges, such as compliance issues for businesses operating in different states.
“It’s only a matter of time before the U.S. comes to an agreement on a federal bill that creates a national standard for how consumers’ data should be handled and safeguarded. The American Data Privacy and Protection Act has already been making its way through Congress, and it’s highly likely we’ll see some version of this bill passing in 2023. Once a federal framework is established, tech companies will be required to implement additional measures that prioritize the privacy of their users.”
Josh Lospinoso, CEO of Shift5, believes that Hunt Forward will be the new norm for US cyber operations next year:
“Ukrainian defenders beat all odds in preventing cyberattacks from Russia this year, and one of the key reasons for this success is Cyber Command’s Hunt Forward operation in Ukraine. Hunt Forward shored up Ukraine’s defenses and highlighted the power of international collaboration in the face of cyber threats. While Cyber Command is sometimes met with skepticism and distrust upon arrival at foreign government offices, the operation in Ukraine is proof that Hunt Forward works, and it will become the norm for US operations in 2023.”
Matt Warner, CTO and Co-Founder of Blumira, believes that the DOJ will crack down on ransomware payments:
“Ransomware and ransomware as a service will forever be a threat to small businesses and enterprises alike. Data has value, and cybercriminals know they can exploit this for monetary gain. As the threat landscape continues to evolve, in 2023, the Department of Justice (DOJ) and other federal agencies will become more serious about halting ransomware payouts, and start cracking down on businesses that pay ransomware demands. In the coming years, we’ll see broader solutions and stricter protocols to prevent organizations from paying known criminals. Additionally, with the upheaval in the crypto market, access to bitcoins and related cryptocurrencies may become increasingly difficult as regulations are created.”
Balaji Ganesan, CEO and Co-founder of Privacera, believes that new federal regulations may be put in place to protect consumer data:
"Consumers are becoming more aware of how organizations are collecting, storing, and using their data which is creating an urgency for Congress to write and pass federal regulations surrounding data security and privacy. Currently, regulations are enforced at the state level, in places like California, Colorado, and Utah. But the U.S. market needs a uniform federal mandate, similar to the EU’s General Data Protection Regulation (GDPR), which we might see come to life with the newly elected Congress.
"Moving toward a federal privacy law has bi-partisan support. Earlier this year, we saw the American Data Privacy and Protection Act (ADPPA), which would be a common standard for how to handle data, passed out of the House Energy and Commerce Committee. Fresh off the midterm elections we are expecting these conversations to continue among legislators and businesses alike.
"As we wait for legislation, we can expect to see more “Big Fish” companies receive hefty fines for security incidents that resulted in breached information. Regulators will look to make an example of those who have been compromised with fines and other significant consequences, so it’s more important than ever companies are proactive about their security approach."
Haimavathi Marlier of the Morrison Foerster Privacy + Data Security team predicts the SEC's implementation of cybersecurity rules for public companies and investment advisors:
"In 2023, the SEC likely will issue final cybersecurity rules for public companies and for registered investment advisers and other registrants, respectively. I expect that these final rules will impose heightened disclosure and internal controls obligations on issuers and registrants. I also expect that the SEC’s cybersecurity-related enforcement to continue, especially in cases where the agency perceives there to be a failure to escalate cybersecurity incidents that results in delayed investor disclosures and prolonged exposure of customer data."
Kristen Mathews of the Morrison Foerster Privacy + Data Security team, says that privacy policies will need to be strong in the coming year, due to an upcoming California regulation:
"The California Privacy Rights Act (CPRA) will be enforced starting July 1, 2023, and it will, for the first time, apply to employees in addition to other consumers. This means that employers need to present robust privacy policies to their California employees and give them numerous rights, some of which will be challenging to honor in the context of employer-employee relationships, such as the right to have their personal information deleted or corrected by the employer, the right to receive a copy of their personal information that is held by their employer, and the right to opt out of their employer using their personal information for certain purposes. These rights apply to current employees and independent contractors and also job candidates and former employees. We predict that these rights will be exercised in the context of legal disputes, making responding more high stakes."
Vincent Schroder from Morrison Foerster, says that compliance will be at the forefront of regulatory scrutiny in the coming year:
"Nearly three years following the effective date of the California Consumer Privacy Act (CCPA), increasing enforcement activity by the California Attorney General suggests that businesses should expect even more vigorous regulatory scrutiny next year. In the first half of 2023, audits by the Attorney General and the new California Privacy Protection Agency will likely continue to revolve around compliance with the CCPA’s extensive disclosure requirements and opt-out rights regarding the selling of personal information. Following the enforcement date of the California Privacy Rights Act on July 1, 2023, the focus might particularly expand to the processing of sensitive personal information."
Tina Reynolds and Markus Speidel of Morrison Foerster discuss the coming software attestation requirements for the US government:
"Companies whose software products are sold to the U.S. government will need to begin providing attestations concerning the vendor’s software supply chain security in 2023. Federal agencies will be required to collect attestation letters from suppliers of “critical software” by mid-year, and from all suppliers by the end of the year. Affected vendors must attest to compliance with the relevant NIST guidance and may also need to supply a complete Software Bill of Materials, depending on software criticality or agency need. Additional agency guidance is expected in early 2023."
Supply chain attacks and SBOMs.
Software supply chain attacks have solidified the need for organizational use of a Software Bill of Materials (SBOM), DigiCert reports. Wide adoption is predicted in the coming year, following a 2021 US executive order requiring software sellers to provide federal agencies with an SBOM.
Kevin Kirkwood from LogRhythm, believes that supply chain attacks are still a major threat to users of open-source software:
“Organizations should be on high alert for supply chain attacks if they use open-source software. In recent years, hackers have become more strategic when it comes to exploiting open-source software and code. 2023 will be no different. Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.
“Most folks think of ‘supply chain attacks’ as an attack on the physical pipeline that will keep folks from being able to produce physical products. Software supply chain attacks are similar in nature to the physical world. Developers use libraries, executable code and code snippets to complete their software products. If those elements are compromised and malicious code is inserted into those elements, the end product that the developer has produced becomes a vehicle for threat actors to compromise the product and potentially gain entry to the system that houses the software.
“In 2023, we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that utilizes third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins. Without a robust scanning program and a ‘curated zone’ for source code and plugins, companies will continue to be at risk.”
Michael Posey, Pre-Sales Engineer at Vade, anticipates an increase in supply chain and hijacking techniques all around in the coming year:
“As users become more proficient at spotting and reporting common phishing scams from well-known brands, we will see hackers adjust their strategy, including impersonating suppliers or customers. I expect more supply-chain attacks and hijacking.”
Sharon Chand, Deloitte US’ Cyber Risk Secure Supply Chain leader, believes that complex supply chain security risks will continue to emerge:
“Today’s hyperconnected global economy has driven organizations to heavily depend on their supply chains—from the components within their physical and digital products to the services they require to run their day-to-day operations. This critical interdependence makes supply chain security and risk transformation an imperative for today’s globally connected businesses. Organizations now require a holistic approach, which includes shifting away from point-in-time third-party assessments toward real-time monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. For instance, this includes implementing leading practice techniques around ingesting Software Bill of Materials (SBOMs) and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies. Organizations are also focusing on deploying and operating identity and access management (IAM) and Zero Trust capabilities that better enforce authorized third-party access to systems and data and reduce the consequences of a compromised third-party. The threats introduced into the supply chain continue to evolve in complexity, scale, and frequency, so organizations need to continue the momentum with innovating and maturing their supply chain security and risk transformation capabilities.”
Rob Brown, Co-Founder and Vice President of Business Development at RKVST, believes in scaling SBOMs:
“Organizations often use manually intensive, outdated processes to assess risk and share information across their software supply chains. But the general trend toward digitalization and the need to scale software bill-of-material processes will accelerate the move away from these legacy approaches and toward more scalable, efficient and automated SBOM and other processes.”
Laurence Pitt of Searchlight Security believes that the coming year will see better protection for the supply chain:
"Organizations have invested time, resources and money into ensuring that their cyber defence strategy is resilient – but what about third parties? These companies often have access to restricted access information or critical systems such as HVAC and ICS monitors. They can be the weak link, and supply-chain attacks are growing year-on-year.
"Individual chain links are not necessarily weak, but joining together can expose issues that give access to attackers wanting to insert droppers, seek out weak spots in the network and possibly even launch nation-state-level Advanced Persistent Threats (APT). With entire service stacks now living online, inside third-party ecosystems, the challenge to keep ahead of supply chain risk is increasing. There is no silver bullet to resolve this, and we’re going to see growth in new technology investments to help them stay as far ahead of threats as possible.
"The adoption of zero-trust technologies will increase. User awareness and training are vital for alerting and prevention. The SOC team has to be better armed with tools that allow them to discover conversations across all levels of the internet and understand when a threatened attack could threaten a part of their supply chain. Many industries now rely on a just-in-time methodology to create and deliver their services; it only takes one link to crack, and just-in-time can turn into not-on-time and a big financial hit.”
Jenny Buckley, SVP at ISN, believes that system intrusion attacks from supply chains may increase, and prioritizes TPRM solutions for vendors:
“2022 showed us that 62% of system intrusion incidents stem from an organization’s supply chain. The rise of phishing resistant authentication technologies in 2023 should lead to a higher percentage of system intrusions due to threat vectors like malware. Since external supplier reliance is increasing, they may see heightened cybersecurity due diligence placed on vendor assessments before and after procurement.
“The most critical component of managing cybersecurity supply chain risk is standardizing a third-party risk management program across all supply chain participants. Suppliers should be categorized according to criticality then required to submit evidence to relevant supply chain stakeholders that proves their cybersecurity posture on a tiered, risk-level basis. Even as cyberattacks evolve, the communication channels established in this program will facilitate a two-way conversation between parties that will allow all stakeholders to keep their sensitive data secure.”
Experts at Quokka predict that mobile devices will be a larger target for supply-chain attacks in 2023:
"Supply-chain attacks have proven to be a potent attack vector in the past and next year they will continue to proliferate. Mobile devices will be a greater target due to our smartphones being an extension of our personal and working lives, and these devices are no exception to supply-chain attacks as these attacks will cast a wide net over a captive user base. We will see an increase in cybercriminals using selective targeting by employing scrutinizing criteria in an attempt to limit the probability of detection. We will also see the presence of insecure debugging and engineering apps finding their way into Android vendor builds."
Eric Byres, P.Eng, ISA Fellow; Founder and Chief Technical Officer at aDolus Technology Inc., predicts increased supply-chain attacks, and notes that organizations need to take SBOMs into account as part of their cybersecurity solution, not the solution in its entirety:
"Software supply chain attacks will continue to increase exponentially in 2023 - the ROI on these attacks is just too sweet for professional adversaries to resist. Take the attack on SolarWinds (the poster child for attacker ROI). It yielded over 18,000 top-shelf victims, including all five branches of the US military and most Fortune 500 companies. Moreover, many other intrusions have followed — according to Sonatype and others, supply chain attacks grew by 742% over the last three years.
"Defenders will continue to scramble in response to these attacks and the legislation and regulatory initiatives they provoke. The regulatory push will continue to focus on software companies providing Software Bills of Materials (SBOMs). However, government agencies and enterprise users will quickly discover that SBOMs are just tools — not a complete solution. Expect a more ravenous C-level appetite for proper supply chain visibility via dashboards that provide the necessary breadth and depth to identify and reduce risk from the third-party and open-source software hidden inside today’s software packages and platforms."
Tom Pace, CEO of NetRise, predicts continued adoption of SBOMs into the coming year:
"SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use. This is due to vulnerabilities and issues such as log4j, text4shell and the most recent openssl vulnerability. All of these vulnerabilities were not world enders, but even so, the need to be able to rapidly understand the provenance of software components is becoming increasingly critical. Without this visibility, the window for attackers to exploit these vulnerabilities is much too big and puts cyber defenders at a significant disadvantage. Additionally, the federal government has already laid out its requirements for SBOM based on the OMB memorandum that came out in September. This is going to cause a cascading effect in the private sector since obviously the federal government does not manufacture all its own software and firmware, in fact very little is manufactured in house."
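Byres's point that an SBOM is only a tool, and Pace's that its value lies in quickly answering "are we shipping the affected component?", can be shown in a few lines. The following is an added example, not code from either company or from this article: it walks a constructed CycloneDX 1.4 JSON SBOM (including a nested assembly, where transitive dependencies usually hide) and matches each component's package URL against a small advisory table. The SBOM and the table are both constructed for illustration; the affected ranges follow the published advisories for Log4Shell, Text4Shell and the OpenSSL 3.0.x bug the quote refers to, but a real pipeline would pull them from OSV or NVD rather than hard-code them.

```python
import json
from typing import Iterator

# Constructed CycloneDX 1.4 JSON SBOM used as sample input; it is not a real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-text",
         "version": "1.10.0", "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
        # A nested assembly: the transitive dependency an SBOM exists to expose.
        {"type": "application", "name": "vendor-agent", "version": "4.2.0",
         "components": [
             {"type": "library", "name": "openssl", "version": "3.0.5",
              "purl": "pkg:generic/openssl@3.0.5"},
         ]},
    ],
})

# Constructed advisory table: version-less purl -> [(advisory, first affected, first fixed)].
# The ranges follow the published advisories, but a real pipeline pulls them from OSV/NVD
# instead of hard-coding them here.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "2.0", "2.15.0")],
    "pkg:maven/org.apache.commons/commons-text": [("CVE-2022-42889", "1.5", "1.10.0")],
    "pkg:generic/openssl": [("CVE-2022-3602", "3.0.0", "3.0.7")],
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple (pre-release tag dropped, padded to 3)."""
    nums = v.split("-", 1)[0].split(".")
    parts = [int(p) if p.isdigit() else 0 for p in nums]
    return tuple((parts + [0, 0, 0])[:3])


def iter_components(node: dict) -> Iterator[dict]:
    """Depth-first walk over 'components', including assemblies nested inside a component."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_affected(sbom_json: str) -> list:
    """Return [(purl, advisory id)] for every component whose version falls in an affected range."""
    hits = []
    for comp in iter_components(json.loads(sbom_json)):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means no reliable match; a real pipeline queues these for review
        if "@" in purl:
            base, ver = purl.rsplit("@", 1)
        else:
            base, ver = purl, comp.get("version", "0")
        version = parse_version(ver)
        for advisory, lo, hi in ADVISORIES.get(base, []):
            if parse_version(lo) <= version < parse_version(hi):
                hits.append((purl, advisory))
    return hits


if __name__ == "__main__":
    for purl, advisory in find_affected(SAMPLE_SBOM):
        print(f"{advisory}: {purl}")
```

Two things the run makes concrete: the vulnerable OpenSSL build is only visible because the walk descends into the vendor-agent assembly, and commons-text 1.10.0 is correctly left alone because the range check is on the fixed version, not the package name. Neither the SBOM nor the matcher tells you whether the vulnerable code path is reachable; that is the gap between "tool" and "solution" that Byres describes.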
Cloud native application security company Oxeye predicts that software supply chain security will finally have a clear definition:
"But it’s not a simple one. Ask 10 different people what software supply chain security is and you’re likely to get 10 different answers, with some of them being lengthy and confusing. As software supply chain security continues to receive more scrutiny, a more precise and consistent definition will emerge. It will not likely be a simple, one-sentence definition, but clearly defined categories where each have their own definitions and requirements."
Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, predicts that supply chain security will dodge budget cuts in manufacturing and energy:
"As the manufacturing sector continued to battle unpredictable supply chain disruptions this year, the industry made dramatic strides in managing third-party cyber risk. In fact, 64% of manufacturers say they had supply chain cyber risk on their radar this year and nearly half (44%) have established an integrated enterprise risk management program, the highest of any industry surveyed in 2022. That said, because of the reliance on thousands of vendors, the urgency and severity of supply chain-related cyber breaches in manufacturing will make it the most likely sector to receive budget increases for external resources in 2023.
"For the utilities and energy sector, 99% of energy companies say they have been negatively impacted by at least one supply chain breach in the past year, representing the highest rate of overall impact of any industry. Because it remains one of the most frequently attacked verticals, it is especially crucial that it rises to the challenge of supply chain defense in 2023. The good news is the sector maintains the highest rate of any vertical to increase its yearly budget for supply chain cyber risk, and 60% of energy companies are increasing their budget for supply chain cyber risk by an average of 60% over 12 months."
The importance of threat intelligence.
Geektime reports that threat intelligence is a key part of blocking cyber threats: it gives defenders an early look at emerging risks and adds context to threat-related intel.
Tonia Dudley, Vice President and CISO at Cofense, believes that crowdsourced threat intelligence will be increasingly relied upon in the coming year:
“As threat actors continue to share what works on their side in terms of attack vectors and tactics, security leaders and cybersecurity organizations will increase their communication with each other in 2023 on what is working best to defend against threat actors. This crowd-sourced threat intelligence will allow organizations to learn how to better defend themselves.”
Tech devices, better for both good and evil.
Michael Innes, President at VisionTek, discusses upcoming shifts in tech devices, hardware, and demand:
“With the influx of new tech devices in recent years, universal compatibility and maximum efficiency will be king in winning over consumers. We know USB-C and Thunderbolt connections are gaining popularity - especially given recent legislation. Successful companies will be those who focus on the ability to connect to as many devices as possible while also charging with the highest efficiency allowed.
“Crypto mining fueled tremendous GPU and PC hardware growth over the last 3 years and created massive shortages in the industry, however this will begin to wane in 2023. This decline in scope will reduce manufacturing demand, open more production capacity, and normalize inventory levels. Prices will drop and other applications in the PC space will fill the void, like VR.”
Experts at Quokka predict improvements in wearables and 5G-enabled devices:
"In 2023, the trend toward digital transformation will continue to accelerate with new and innovative technologies. This will include improvements in wearables and 5G technology, which will enable more devices to run Android and iOS. Unfortunately, this will also increase the number of complex cyber threats and malicious actors focusing on wearable technology, mobile devices and applications."
The changing cyber labor market.
Seagate predicts that in the next year, automation will expand and open doors for those with specialized skills to bridge the cybersecurity skills gap, saying:
"To address the security talent shortage, organizations have adopted automated security tools, which offer cost efficiencies. But managing these tools requires specialized skills. While automation may solve the current security skills gap, it may create another one—by requiring a level of specialization that many security workers don’t currently have. Organizations that strategically adopt new technology and invest in upskilling IT staff will be better prepared against security threats, while deepening loyalty from their employee base."
John Pescatore of the SANS Institute believes that companies need to go on the offensive to attract cyber talent:
“Cyber professionals need to close the skills gap to understand what attackers are exploiting and why. Next year, we will see more offensive training and increased focus on threat hunting to improve hunt-to-detection time and examining endpoints and network traffic for anomalies to detect attacks and prevent them from causing damage. This will be especially important with an expanded attack surface from a continued hybrid workforce. At the same time, organizations won’t be able to hire during the recession and will need to upskill and make their staff better trained to defend against attacks. As such, we will also see a rise in purple teaming so that security professionals can practice with each other on penetration testing, uncovering, and defending against the newest cyberattacks.”
Sachin Bansal, Chief Business Officer of SecurityScorecard, believes that hiring and retention of cyber talent will be a challenge for the public sector:
“The cybersecurity skills gap that has plagued the security community for the last several years won’t be closing any time soon. Research reveals that 80% of organizations suffered from at least one data breach in the past 12 months due to a lack of cybersecurity talent or awareness. The public sector is especially at risk, with more than 700,000 unfilled cybersecurity positions as of July 2022. In 2023, the inability to hire and retain appropriate talent to defend against a high volume of attacks will leave the public sector highly vulnerable. To fill the widening cyber skills gap, the public sector must improve compensation packages to prevent losing talent to well-paid roles within the private sector, as well as expand diversity within their workforce.”
Deborah Golden, Deloitte’s US Cyber & Strategic Risk leader, says that the talent search and outsourcing will evolve due to a talent shortage and growing labor costs:
“With the breadth, complexity and frequency of cyber security risks exponentially increasing by the day and the increased pressure from stakeholders (regulators, boards and employees) to manage cyber security risks – organizations have a huge demand for skilled and experienced cyber talent. This need, compounded by cyber talent market shortages, particularly of highly trained specialized skill sets, makes attracting and retaining niche, hard-to-find talent extremely difficult. Organizations are scrambling to fill required positions, impacting their ability to manage cyber risks. As this talent shortage continues to grow, more organizations will consider alternatives such as outsourcing and management of core cybersecurity functions. To remain agile and optimize operational processes, organizations will need to focus on hiring and retention of niche cyber talent along with outsourcing strategies.”
Almog Apirion, CEO and Co-Founder of Cyolo, anticipates the recruitment of service industry workers for cybersecurity positions:
“More companies, in addition to larger enterprises like Amazon, will look to fill the empty positions within their own organizations by ramping up specific training to transform service industry workers into security professionals.
“Service industry workers have the basic skill sets, and with additional on-the-job training, companies may shift their focus and employ these individuals. The caveat for 2023 is how organizations moving to this new model will be able to train and reskill employees to meet the security skills criteria needed.”
Steve Winterfeld, Advisory CISO at Akamai, says that retention needs to be a focus:
“Staffing pains within the security department of financial institutions will stabilize as the great reshuffling fades out. It is critical for organizations to stabilize their staff after a period of high turnover. As the economy slows, people will be less likely to change jobs, but the best ones will still be at risk of being lured away as cyber skills are still in high demand. The banking and financial industry is very complex and thus requires a more comprehensive period of onboarding and training. If organizations don’t invest in this area, they will likely incur higher costs while battling staff retention issues.”
Matt Warner of Blumira, says that low-noise cybersecurity solutions can help close the skills gap:
“The cyber skills gap is an issue for businesses of all sizes, but the impact on small and medium-sized businesses is unparalleled and unique. SMBs are prime targets for attacks but often lack the resources to pay competitive salaries in a market where experienced candidates are in high demand. Ten years ago, SMBs weren't regarded as attractive targets for breaches or ransomware attacks, but now they're seen as low-hanging fruit – making the risk even more significant. The talent shortage looming over the cybersecurity industry has left positions critical to the security of SMBs vacant and, therefore, businesses even more vulnerable.
“With this, SMB IT leaders must prioritize partnering with security companies to reduce their attack surface and increase visibility across their environments. With such high demand for security professionals to detect and respond to threats, it can be easy to overwork the individuals that businesses do have. That's where threat detection and response solutions that create minimal work for admins – not products that generate endless noisy alerts – become critical.”
Leonid Belkind of Torq says that he believes that security automation will help close the cybersecurity skills gap:
"Security automation will enable more “non-security” professionals to enter cybersecurity. In addition, no-code security automation, with its prebuilt workflows and templates, will democratize cybersecurity as a profession, meaning it will eliminate technical barriers, and coding/development knowledge requirements, while enabling staff to deliver the most precise, reliable, and resilient cybersecurity posture possible."
Mathieu Gorge of VigiTrust believes that the cybersecurity ramifications of COVID will continue to be seen:
"I also believe that we're going to continue seeing the ramifications of that void that we had during COVID – everyone working from home, the Great Resignation and silent firing. This will definitely have an impact on cybersecurity and data protection because hybrid working is not going to go away. It's very hard to get people to go back to the office. Therefore, we need to put the right process in place to make sure that if people do work from home, even if it's like three days a week instead of five, that we plug all the holes that were created during COVID. The instinct during COVID was to survive. It wasn't to do it in a confined and secure way."
Olivier Gaudin, CEO and Co-founder of SonarSource, says that he believes that companies will focus on improving the developer experience, which can improve retention:
"Developer burnout is a major problem that causes enterprises to lose many talented programmers. As we head into 2023, companies are addressing this challenge by improving the developer experience. This includes a variety of different tools and initiatives. Overall, enterprises are increasingly leveraging technology and methods to improve coding efficiency, eliminating cumbersome rework and many mind-numbing manual programming tasks. This liberates developers so they can focus on continuing their professional growth and doing what they love the most - delivering innovative software through well-written, clean code. Organizations will benefit from reduced employee turnover, and will also see business gains with devs free to focus on higher value projects."
John DeSimone, President of Cybersecurity, Intelligence and Services at Raytheon Intelligence & Space, says that there should be a push toward the hiring of non-traditional cybersecurity candidates:
"As cybersecurity threats intensify, there remains a struggle to develop talent to meet and keep pace with the expanding cyber landscape. We as an industry should broaden our perspective on hiring to recruit and develop non-traditional talent heading into the new year. Ultimately, the cybersecurity industry needs creative problem solvers from various backgrounds and disciplines - not limited to experiences only in cyber. Creativity is a skill that can’t necessarily be taught, but we can teach these candidates how to use technology they don't already know. Each candidate’s unique skill set will help advance these technologies and effectively prepare the industry for the latest cyber threat."
Melissa Rhodes, Executive Director of Human Resources at Raytheon Intelligence & Space, believes that commitment to diversity in the cyber industry is imperative in the coming year:
"In the new year, we’ll begin to see a higher demand for the security industry to expand in more ways than one. Specifically, it will call for deliberate leaders who have the self-awareness to question hiring choices. Giving one job candidate an edge over the others because of “cultural fit” or “gut feel” can all be signs of unconscious bias creeping into those decisions. If the cyber industry doesn’t recognize this, it will limit the creativity that goes into brainstorming, problem solving, and new ideas that are essential for fighting cybercrime. In fact, the business case for diversity is well-documented - a study conducted by the Boston Consulting Group indicates that diversity increases innovation, expanding ideas and ultimately impacting a company’s bottom line. In response, the security industry as a whole must be committed to giving opportunities to grow and learn to all those who have unique backgrounds that could also lend themselves to a successful cyber career. Because cyber attacks don’t discriminate, it will require diverse thinking to counter them and protect our way of life."
Mark Lee, CEO of Splashtop, believes that the struggling cyber labor market, specifically organizational IT teams, will see an increase in co-managed IT:
"The skills gap in the tech industry continues to plague organizations: particularly SMBs, who must compete with large enterprises for top talent. Recent research from Spiceworks found that three in five companies (59%) believe it’s difficult to hire skilled IT workers, and as a result, businesses are increasingly turning to managed services to fill the gap. As a result, services spending will account for 18% of IT budgets in 2023, up from 15% in 2020.
"In 2023, we will see a significant uptick in co-managed IT, where in-house IT teams partner with managed service providers and managed security service providers with specialized expertise, to fill these gaps and manage employee devices and IT needs around the clock. In turn, MSPs/MSSPs will increasingly turn to secure remote desktop access and support technologies to ensure efficiency, business continuity and high performance across their platforms."
He also believes that hybrid work will continue to be a norm in 2023:
"The hybrid work train has left the station, and it’s not coming back. Initially fueled by external forces beyond the control of employers and employees, the shift to work-from-home for knowledge workers during the pandemic has shown no signs of slowing down. If you’re wondering how deeply rooted those habits have become, there’s plenty of evidence to back it up. A recent “Everywhere Workplace Report” found that employees would rather have the option of working from home than receive a promotion. Additional research has shown that half of employees who have transitioned to working from home would resign if they were told they must report back to the office full time.
"Employees aren’t the only ones with a stake in the new paradigm. Recent research from The Future Forum found that workers with full flexibility are 29% more productive than their full-time office-bound counterparts. It’s a productivity boon that employers can get behind.
"We all know that workplace flexibility is no passing fad. In 2023, employers will take the necessary steps to further entrench remote work as part of standard operating procedure. That means adopting policies, procedures and protocols that extend enterprise security across networks that are expanding into living rooms, bedrooms and home offices across the world. It is no longer acceptable for security and IT teams to turn a blind eye toward unsafe remote access habits. 2023 will be the year that policy catches up to real-life practice: we will see companies prioritize, update and enforce remote access policies that allow employees to access everything they need to do their jobs seamlessly without introducing unnecessary risk."
Matthew Fulmer, Manager of Cyber Intelligence Engineering at Deep Instinct, says to blame it on the skills gap:
"Although the industry acknowledges that the cybersecurity skills gap continues to be a major challenge, it’s not something that the community has made meaningful strides in solving and its persistence is something that’ll continue to be a plague moving forward. Earlier this year our annual Voice of the SecOps report found that 45% of cybersecurity professionals admitted to considering quitting the industry on at least one or two occasions. In response, companies are using the skills gap as an excuse to justify why they can’t retain their top talent. Instead, we need to start enhancing how we train and educate employees. That way the industry won’t fall into a vicious cycle of: highly talented individuals leaving companies that exploit them, then, in turn, these exploiters eventually want the talented individual back because they can’t backfill their old position with other candidates who aren’t as qualified and can’t live up to expectations.
"Also, it doesn’t help that the speed at which our industry changes can be very intimidating and is another barrier to entry. In turn, many job requirements are out of touch with reality and have unrealistic expectations that eliminate qualified candidates. For example, asking for 10 years of experience for a topic that’s not even 10 years old. There’s even a Mt. Kilimanjaro learning curve to transition from Information Technology (IT) to the cyber team, let alone starting from scratch. Therefore, we need to focus more on constant learning and development rather than relying on one or two rock stars that can do everything. By conducting ongoing training, it’ll also help companies mitigate risk when their top talent is inevitably poached. Ultimately, companies need to make a shift to form a team who can collectively do it all, which will benefit all parties in the long run."
DJ Oreb, President, Managed Services at DMI, predicts that as recession concerns abound, workforces will need to be consolidated and optimized, leading to more reliance on managed services and outsourcing, rather than developing teams in-house:
"Moving into 2023, I think a big trend will be for businesses to figure out how they can consolidate and optimize their workforce while still providing a present end user experience with the ability to scale. I think the drive for managed services will become more prevalent, not only in the commercial sector, where it has been customary for years, but in 2023 we’ll see this drive coming for the state, local and federal sectors as well. Managed services may be the way of the future for them to control costs as well as grow and continuously innovate.
"A big portion of this stems from the Great Resignation. As talent left jobs where they no longer felt valued, the way employees are hired, recruited, and maintained changed completely. As such, a lot of companies may realize that, while they want to invest in their employees, in culture, and in growing teams, outsourcing to larger companies that have the economy to scale might be a more viable solution. Managed services companies can hire those same employees, manage those same components and service those employees, giving them the same experience they would get with a company, but just from a different perspective.
"This presents a big opportunity for managed services companies. They will be able to grow and absorb some of the workforce that has been laid off, and mold them into supporting managed services capabilities. This will build strong teams that are scalable but more optimized. Workers will have the ability to support multiple companies versus one and will maintain their job rather than being replaced by a managed services provider."
The ever-changing cloud.
Mario Espinoza of Illumio says that he expects cloud infrastructure to be a major target of attacks in 2023:
"With economic uncertainty looming, companies are looking to the cloud as an efficient way to tighten costs. However, as cloud adoption continues to accelerate, we’ll see more organizations leverage a lift-and-shift approach – moving an application and its associated data to a cloud platform without redesigning the app – tremendously increasing the attack surface in the cloud. Because of this, in 2023, we could witness an uptick in attacks targeting cloud infrastructure."
Orca Security predicts an increase in brute force cloud attacks, API threats, misconfigured and shadow data stores, supply chain attacks, and critical vulnerabilities, as well as increased targeting of CI/CD environments.
Balaji Ganesan of Privacera predicts that multi-cloud adoption will increase in 2023:
"In terms of adopting a multi-cloud environment, most enterprise-level organizations are in the ambitious early stages of migration and still have a lot of data that needs to be moved. There are some “born in the cloud” enterprises that are fully integrated and working well, but over the next year, we expect the adoption of multi-cloud services to continue to rise as a majority of business leaders look to modernize their data architecture.
"Since more organizations have shifted away from a single cloud solution when it comes to implementing their data strategies, we’ll see many business leaders faced with the challenge of deciding which service providers they actually want to mix and match. To help make those important decisions, we expect business leaders to take a “best of breed” strategic approach that looks at individual organizational use cases. Choosing different cloud partners and services to handle different business needs has become a reality today. It does require a comprehensive data security governance approach to address the increasing challenges of a multi-cloud data strategy.
"We also expect to see a shift in the share of voice from public cloud vendors to focus more on data governance, secure and trusted data management strategies. There’s a sharpened focus from enterprise leaders seeking cloud partners that can offer more than data storage. They are looking for even more scalable ways of building data-centric applications including self-service analytics and modern data collaboration to get even more mileage - and ultimately value - out of that data. And a critical prerequisite to achieving this modern data collaboration is to integrate with a scalable data security platform."
Zur Ulianitzky, VP of Research at XM Cyber, believes that the cloud will be a major target of malicious actors:
"As organizations continue to adopt cloud services, the connectivity to the cloud is getting bigger. That means that multi-connected systems, such as Kubernetes and the cloud, and on-prem and the cloud, will be major vectors that will be exploited by hackers."
Rob Deane, Associate Managing Director in Kroll’s Cyber Risk practice, predicts a continued increase in cloud adoption:
“We saw a continued acceleration of cloud adoption in enterprises this year as many tried to gain from its flexibility, agility and scalability. This paves the way for growth in the DevSecOps practices, as cybersecurity needs to be integrated at every phase of the software development lifecycle.”
DJ Oreb, President, Managed Services at DMI, predicts continued cloud migration, but with caution:
"More companies are really focused on migrating to the cloud for increased access and reliability, but there's still fear, with a possible recession on the horizon, because cloud can be expensive. Businesses are realizing that if their migration is not managed properly, they could spend more money. The continuous migration to the cloud will be something that will be relevant at least over the next few years.
"Businesses who are considering this in 2023 will see more value when partnering with a third-party organization that can come in and assess the overall project: how much cost optimization or savings will this result in? What are your performance requirements? Sometimes, there is a push to migrate because business leaders mandate it, rather than focusing on what is best for the company at a current point in time. Is your current infrastructure still reliable? Maybe you have two or three more years in it. Maybe the strategy should be to migrate 50% now and save the other 50% for one or two years down the line. A trusted partner can help a business work through these scenarios to find a solution that optimizes cost and performance without introducing expensive overhauls at every turn."
The evolution of, and threats to, business communications.
Steven Spadaccini, VP of Threat Intelligence at SafeGuard Cyber, believes that there are changes and threats coming to business communications:
"If an employee feels like their security and compliance solution is curtailing their freedom to communicate effectively and efficiently, chances are they’ll find another way to circumvent the process and monitoring tools. According to a 2022 Business Communication Report, 45 percent of business communication happens in digital channels outside of email. This is a trend that will escalate in 2023.
"Digital natives in particular are still not open to completely following cybersecurity protocol for various reasons, and frequently communicate via channels outside of email. Those reasons include:
- "The security protocol slows tasks and operation progress with long, tedious authentication processes.
- "It hinders productivity by restricting access to documents and data that a teams/individuals might need to complete a task.
- "Constant monitoring induces anxiety and raises stress levels because of the feeling of 'being watched.'
- "Privacy seems moot when your security solution flags every message on your platform and sends them to IT security personnel for evaluation.
"Increased layoffs across the globe will lead to job seekers utilizing messaging channels to communicate with potential employers, specifically LinkedIn messenger. Departing employees are far more likely to share critical information and data about their former employer in these communications. In many cases, job seekers will be looking for similar positions and will believe that sharing specific data from their former company will give them a leg up in landing their next gig.
"Phishing attacks are becoming more collaborative and span multi-channel communications. An attacker will need to impersonate several communication platforms in order to gain trust from the target. Attackers are looking for any way into an organization and are becoming better at language-based attacks that travel across communication channels, making it easy to deliver ransomware in unmonitored collaboration applications.
"Once an attacker obtains credentials, they will then log into a corporate channel that is not monitored and will be able to operate within it for hours unnoticed. This gives them ample time to observe and/or exfiltrate sensitive data. A similar real world example occurred in September when an attacker compromised an Uber employee's credentials and then revealed themselves in the corporate Slack channel. There will be a direct correlation in 2023 of compromised accounts, either stolen or sold, that will be used to attack an organization in minimally observed communication channels.
"Social engineering attacks originating in employee owned communication channels are highlighted in the news on a weekly basis. Cyber criminals are targeting high value employees on LinkedIn, Telegram and WhatsApp to infiltrate enterprises. Employers are struggling to enforce mandates and policies but will have to weigh the risk vs. rewards. Contention between personal privacy and corporate visibility to protect organizations - will see its first class-action suit - testing the boundaries of employee mandates and corporate control in legal settings."
Devin Redmond, CEO and co-founder of Theta Lake, believes that more sectors will see repercussions for unmonitored communications, and believes that the return to the office may increase the use of mobile applications:
"The over $2 billion in fines imposed on U.S. banks for failing to capture chat communications are the thin end of the wedge for regulatory focus. Firms from all sectors and all geographies should be prepared for regulatory scrutiny of their ability to capture, monitor, retain and retrieve all relevant communications. From the UK Information Commissioner's call for a review into the UK Government’s use of private messaging apps to the reported U.S. federal agency scrutiny of private equity and asset management firms, there’s no slowing down of investigations into record-keeping failures.
"In a post pandemic world, a return to the office means a return to travel, being on the go and being in touch anywhere/anytime. As a result, chat and video support on mobile devices across UC platforms will be increasingly critical as organizations seek to support employee functionality regardless of geography. UC and compliance teams will need to implement a robust joint strategy to enable mobile apps as users will demand full feature support (such as meeting chat and file sharing). As a matter of course the oversight of all aspects of mobile app usage should be included in monitoring plans."
Shifts in creation, proliferation, and handling of data.
George Waller, Co-founder and EVP of Zerify, believes that the volume of data will explode in the coming year:
“The most valuable commodity today is data,” said Waller. “With data, you have identities, corporate information and proprietary healthcare details, and 2023 will only lead to an explosion of more data as more companies rely on video conferencing. Healthcare is the number one type of data hackers set their sights on, and healthcare identity fraud is prevalent.”
Ameesh Divatia, Co-founder and CEO of Baffle, predicts that enterprises will accelerate the transition from traditional data stores to data pipelines:
"Companies are generating, ingesting and consuming massive streams of data. This data is critical for business success, as evidenced by the increasing investments in data processing infrastructure and data engineering personnel in corporations. We will see an accelerated reliance on data pipelines, allowing multiple sources to feed a data warehouse using streaming mechanisms. This method will begin to replace traditional ETL approaches. Innovative approaches that would enable sensitive data to be de-identified in these streams will gain more prominence, and privacy-enhanced computation techniques that allow data processing without exposing it to infrastructure administrators will become standardized."
Balaji Ganesan of Privacera predicts the implementation of a frictionless data security governance (DSG) environment:
"Implementation of a data security governance environment that meets the enterprise where their data lives is essential in today’s business landscape. Doing so will ensure organizations are working towards meeting every changing and complex compliance requirement while simultaneously protecting and regulating discovery and access of sensitive company and customer information. Frictionless also translates into an all-encompassing DSG environment that is universal by applying security and governance controls to the entire data estate within smaller and larger organizations. This approach leaves nothing to chance and allows for a DSG framework where policies and declarative rules are not just expressed by code, but can automatically be instantiated based on intent. With such a scalable DSG environment, this lends itself to an intelligent system that allows it to take immediate actions to minimize risk for data-driven organizations, while maintaining an ambient presence in the day-to-day experience with data collaboration and monetization. A solution such as this is also context-aware and immersive. For example, think of how a GPS readjusts when you turn the wrong way; a frictionless data security governance environment will course-correct and act in the same manner seamlessly."
Carl D'Halluin, CTO at Datadobi, believes that unstructured data growth will force new management approaches:
“Organizations will be forced to look for new approaches to manage unstructured data growth in 2023. Many have already noticed that the pace of unstructured data growth is snowballing exponentially faster than it has in the past. This leads to increased costs, as companies have to buy more storage, and the introduction of risk, as the organization has less knowledge about the data as it ages in its network. Organizations need new solutions to minimize the financial impact and risk their business faces.
"Furthermore, much of this unstructured data is stored in network-attached storage (NAS). This is because many applications haven’t yet been redeveloped to leverage object storage. So, much of an organization's unstructured data will continue to be stored on-premises in 2023. Because of this, public cloud providers will form more relationships with traditional on-premises NAS vendors. They will offer branded, cloud-based, managed file services. These services will benefit customers because they have a simple “on-ramp,” they preserve pre-existing documentation and processes, and they take care of the underlying hardware and operating environment for the customer.”
Steve Leeper, Vice President of Product Marketing at Datadobi, believes that businesses will have to prioritize environmental, social, and governance (ESG) policies, and that doing so will bring unstructured data management into the conversation:
“In 2023, businesses are going to have to prioritize environmental, social, and governance (ESG) policies to gain a competitive advantage. A recent PwC report found that over 80% of individuals are more likely to buy or work for an organization that stands for ESG best practices. And as of this year, only a little more than half of companies have an ESG plan in place or are actively planning for one.
"Unstructured data plays a pivotal role in the success of an organization’s ESG policies. A holistic approach to reducing carbon footprint should bring unstructured data management into the conversation. When done with the right solutions, unstructured data management can enable organizations to move away from legacy models where data is stored in a digital ‘landfill.’ In these environments, data takes up money, space, and precious resources but gives very little in return. Organizations should be able to monitor their key ESG indicators and take actions on unstructured data to achieve their targets by moving data to the cloud or less polluting storage, deleting redundant, obsolete, or trivial (ROT) or orphaned data, enabling consolidation, reuse, and earlier shutdown of hardware. By doing so, IT leaders get a win-win of an effective approach to unstructured data management that also delivers on ESG objectives.”
Steve Santamaria, CEO of Folio Photonics, predicts changes to the data storage industry:
“Data Storage will take on global warming. As the world continues to strive toward Net Zero, additional industries will come under the microscope. One industry heavily influenced by this will be the data storage industry. By 2025, data centers will consume >3% of the world's electricity and storage can make up anywhere from 10-30% of a data center's overall energy consumption. When there is a specific industry accounting for >1% of global electricity consumption, people start to take notice and ask what can be done to lessen the power burden. This will create an industry-wide push toward sustainable storage technologies that are more energy-efficient than legacy hardware.
"This sustainability push comes at an intriguing time in the industry as well. We have recently seen newer SSDs actually use more energy than HDDs, which has not been the case until now. HDDs will continue to push toward consuming less energy, but their technology will continue to struggle in terms of power consumption per TB relative to others. For meaningful sustainability advancements to be made with HDD technology, the idle energy consumption will need to be lowered significantly. Tape will continue to show that it is the most energy-efficient product on the market, but the tight window on operating and storage conditions will be a looming cloud on their sustainability narrative. For meaningful sustainability advancements to be made with tape technology, their operating conditions will need to be made significantly wider.
"Next, cold storage will steal the spotlight. There has always been considerable interest in hot storage, but the drive to $0/TB has started increasing momentum toward the cold storage segment. As new applications that generate and analyze massive amounts of data are developed, there will be an overwhelming interest in developing new cold storage strategies to keep data lakes cost-efficient, energy-efficient, and secure for long periods of time. We have already seen an increase in extremely high-capacity HDD, optical, and tape technologies being researched in many labs across the globe. It will be a growing challenge to keep cold storage accessible while keeping it cost-efficient. This will create an influx of investment in current technologies paired with additional investment in new technologies that have the potential to disrupt this emerging industry. We have seen this trend start to begin in 2022 as there were high-capacity HDDs released, new tape libraries announced, and rising interest in new types of optical storage media and DNA storage.
"And in 2023, immutable storage will become increasingly commonplace. It is no secret that data has become a strategic asset. It is directly or indirectly tied to profitability for nearly every organization in the world today. Unfortunately, this means it’s becoming a high-value target for cybercriminals. The ever-growing threat of malicious actors will drive up demand for immutable storage. Not only will immutable snapshots be in high demand, but immutable media will find itself being implemented in storage architectures across every industry.
"Last but not least, while I believe these trends to be those with the most momentum in the upcoming year, I do not believe they are the only ones we will see. New, emerging business models such as Hardware-as-a-service will grow in popularity and storage-as-a-service providers should see an uptick in market share as well. Lastly, the fragile dynamics of the industry will come under fire even more so in the upcoming year as the threat of a vertical market failure continues to rise. All of these trends, amongst others, will create an interesting upcoming year for the storage industry.”
Security in DevOps.
Olivier Gaudin of SonarSource believes that enterprises will come to see most code security lapses as code quality problems rather than the result of explicitly malicious activity:
"When it comes to code security, most developers think of traditional threats like malware, phishing and SQL injection. Enterprises have rightly invested significant money and resources in combating those threats. However, organizations are starting to realize that the majority of code security breaches are not caused by explicitly malicious behavior (i.e., backdoor attempts), they’re caused by coding mistakes that result in vulnerabilities. In 2023, developers will change how they approach security, realizing that it’s mainly an issue of code quality - and if that’s addressed, there will be fewer security issues. To avoid vulnerabilities and potentially catastrophic breaches, devs will adopt new methods that make it easier to write clean code."
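The kind of coding mistake Gaudin describes, shown as an added example that is not part of the article or of SonarSource's tooling: a user lookup written by splicing input into the SQL string, beside the same lookup written as a parameterised query. The users table, the sample rows and the injection payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# A classic injection payload: it closes the string literal the query
# opened and appends an always-true condition.
INJECTION_PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The coding mistake: user input is spliced into the SQL text.

    Nothing here is malicious; it is simply a lookup written without
    regard for the boundary between code (SQL) and data (the username).
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    """The clean version: a parameterised query.

    The driver passes the SQL and the value separately, so the value can
    never change the structure of the statement.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups against a fresh database and return the rows each
    one produces, sorted so the result is stable."""
    conn = build_db()
    try:
        return {
            "vulnerable": sorted(find_user_vulnerable(conn, username)),
            "fixed": sorted(find_user_fixed(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", INJECTION_PAYLOAD):
        result = compare(name)
        print(
            f"lookup {name!r}: vulnerable -> {result['vulnerable']}, "
            f"fixed -> {result['fixed']}"
        )
```

For a legitimate username both functions return the same single row; for the payload the spliced query returns every user while the parameterised one returns nothing. The fix is not a security-specific control bolted on afterwards, just the idiomatic way of calling the database API, which is the code quality point the quote makes.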
Dynatrace founder and CTO Bernd Greifeneder believes there will be a move from DevSecOps to SecDevBizOps:
"Cyber risk will become front-of-mind for everyone involved in innovation, as growing maturity in the insurance industry makes it imperative to treat security as a shared responsibility. Organizations taking out cyber-insurance policies will be required to demonstrate that every innovator in the business can conduct due diligence and manage the risk associated with their actions. There will therefore be a growing focus on solutions that enable teams to mature their DevOps and BizDevOps-centric strategies into a more holistic SecDevBizOps approach. This will lead to increased investment in observability platforms that support cross-departmental processes and ensure everyone has the answers they need to be accountable for delivering secure innovation."
Shifts in adversarial cyber infrastructure and targets.
Gareth Owenson, CTO and co-founder at Searchlight Security, believes cybercriminals will diversify their dark web infrastructure in the coming year:
"We expect to see more diversification in the dark web infrastructure that cybercriminals use next year. To date, Tor has been by far the most popular because it is the easiest to use. However, like many dark web networks, it's plagued by low latency and we’ve recently observed some movement over to the Invisible Internet Project (I2P), an alternative dark web network to Tor. In particular, users of the popular dark web forum Dread have been migrating to its I2P mirror because its dark web site has been taken offline by a denial-of-service (DoS) attack.
“Tor is well funded and the highest profile dark web network, so it isn’t likely to be usurped in a year. However, its high profile makes it a target, and we could well see cybercriminals simultaneously use multiple dark web networks like I2P to maintain their operations, as the administrators of Dread have done.”
Lisa Plaggemier, Executive Director at the National Cybersecurity Alliance (NCA), believes that more industries will be targets of threat actors:
"The frequency of cyberattacks across myriad industries has continued to increase, with no sign of slowing. Organizations operating in financial services, healthcare, energy, government, and critical infrastructure have long been perceived as abundant hunting grounds for hackers to disrupt and steal from. It’s reasonable to assume, however, that these industries are slowly adapting better incident response protocols, investing in security services and technologies, and increasing cybersecurity training measures. Though attacks on the aforementioned industries will continue, bad actors will also always seek out less prepared targets where low tech, high impact attacks (e.g., phishing, ransomware, social engineering) will net big rewards. In the coming year, education, aviation, auto and gaming will be greater targets in cyber criminals’ crosshairs. And incident frequency is already ramping up in the wake of recent ransomware and DDoS attacks against airlines and auto parts manufacturers. Recent data indicates a 167% spike in attacks on gaming companies and a 44% increase in education sector attacks this year alone. Expect these numbers to continue at pace or increase in 2023. The silver lining, however, is that new targets will slowly adapt and learn the value of deterrence measures like those before them."
Plaggemier also argues that the stakes are higher for older demographics, even if they are not victimized more often than younger ones:
"As emerging software, tools and technologies continue to be used and relied upon by younger generations, older demographics will understandably struggle to keep up. However, this does not necessarily mean that the group will be exploited at a greater number or percentage by cyber criminals. In fact, according to NCA’s Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022, over a third of Gen Z respondents lost data or money due to phishing which was nearly 3 times higher than the older generation. However, even if there is a misconceived perception that the elderly population is more likely to fall victim to common cybercrimes, the stakes for this group are significantly higher.
"For example, older demographics now rely heavily on technology that monitors their wellbeing such as wearable devices that detect vital signs and other health indicators. While this technology has no doubt improved the lives of the elderly population, it has also made them extremely dependent on it, and thus, vulnerable to cyber criminals who would exploit these assets. As we approach 2023, the incorporation and reliance on emerging technologies to help with everyday life, especially in the healthcare sector, will need to have cybersecurity-related safeguards in place to help protect their users from bad actors."
Anthony Knutson, Senior Vice President in Kroll’s Cyber Risk practice, predicts advancements in adversarial tactics and speed:
“In 2023, threat actors are likely to hone their tactics and move quicker. This means less dwell time between infection and exfiltration of data, new forms of compromise around the supply chain and industrial control systems (ICS) or operational technology (OT) environment, as well as more sophisticated techniques to circumvent cyber defense tools. This makes detecting suspicious activity quickly even more critical for organizations. While solutions to achieve this are becoming more commonplace, and they undoubtedly help from a logging perspective in incident response investigations, the actual monitoring of these systems is an area that is due to ramp up in 2023 as pressures on internal capacity lessen.”
Third-party risk management may see big advancements.
Alastair Parr, Prevalent's SVP of Global Products & Delivery, and Brad Hibbert, Prevalent's COO and CSO, predict a move away from the "annual and manual" approach to third-party risk management, and toward proactive, continuous methods:
“Given the continual onslaught of third-party vendor and supplier-originated security incidents (for example, the ransomware attack at Kojima Industries that stopped production at Toyota), organizations are trying to better predict disruptions and mitigate them when they do happen. As if this wasn’t challenging enough, increasing regulatory pressures in the areas of data protection and supplier due diligence are requiring these same organizations to more regularly assess the business resilience of their vendors and suppliers.
"What does this mean? Organizations have to be more proactive, continuous, and agile in assessing their third-party vendor and supplier resilience, ditching manual methods once and for all. Threats, regulatory requirements and legislation won’t allow the bare minimum third-party vendor and supplier due diligence reviews anymore.
"Simply put, TPRM can’t be an annual, manual check-the-box exercise.
"To accommodate this shift, expect TPRM offerings to deliver better machine learning (ML)-based automations and analytics and stronger correlation against prior assessment findings. This evolution will help organizations more easily spot and respond to incidents and more efficiently gauge vendor and supplier resilience on an ongoing basis.”
They also predict a shift toward management across the lifecycle of a vendor relationship, rather than one specific point:
“It’s all about supplier resilience now, and that means looking at risks from the beginning to the end of the vendor relationship.
"Looking at risks at a single point in the supplier relationship, for example only at the time of onboarding, is the wrong approach. Risks continually present themselves throughout a supplier relationship long after the contract is signed. Yet, according to a recent TPRM trends report, fewer than half of companies are tracking third-party risks as the relationship progresses through maturity.
"In 2023, organizations will begin to look at third-party risks as a lifecycle with uniquely-tracked and managed risks during sourcing and selection, onboarding and contracting, ongoing management, and offboarding. This evolution will be driven by the need for better program oversight as professionals seek to capture information from colleagues adjacent to them in areas such as procurement, legal, compliance, audit, and risk. To facilitate this, data must become more accessible across teams and processes consolidated around a consistent set of workflows.”
Parr and Hibbert believe there may be increasing accessibility to geographic and political insights in third-party risk management solutions, as well:
“If there was anything that the Russian invasion of Ukraine taught us, it’s the need to consider geo-political concerns in making supplier decisions. This is inherently a non-IT risk.
"It is notoriously difficult to identify the regional sites of a third-party supplier that may be impacted by a geographic event such as adverse weather or geo-political issues. While the head office is commonly identified during the contracting phase, the regional sites such as manufacturing plants are often not readily available.
"Considering the ramifications of the Russian invasion of Ukraine, in 2023 organizations will seek to capture more geographic information so they can report immediately to executives once a major event hits the media, identify potential challenges in the supply chain quickly and efficiently, and adjust accordingly. Supplier risk management solutions will help facilitate the collection and analysis of this information through passive scanning and the creation of a comprehensive supplier profile.”
Changes to education in the cybersecurity sector.
Wesley Alvarez, Director of Academics at EC-Council, believes a shift to a more hands-on approach to cybersecurity education has begun, and will continue into the next year:
"Programs with standard educational simulations simply will not cut it, and students need live-range experiences and scenarios they can discuss in the classroom, with their peers, and with potential employers as proof of their knowledge. We are starting to see an overwhelming number of institutions facilitate competitions, range challenges, and hands-on components in the classroom that are aligned to workforce skills and specific job roles to help students narrow their skillset and focus, while proving they can be adaptive, a trait also highly regarded by employers with the ever-changing cyber threat landscape.
"These programs are confidently producing work-ready graduates, and we see these programs really shine. This will be the new standard in successful Cybersecurity education programs that focus on career-based outcomes, and we expect to see more cyber competitions and challenges implemented to showcase student talent to potential employers in 2023."
Cyber insurance sees changes in perception and viability.
Chris Denbigh-White, Cybersecurity Strategist at Next DLP, believes the future of cyber insurance is uncertain:
"2023 will begin with some definite questions from CISOs and insurance companies alike around the viability and usefulness of cyber insurance as a concept. 2022 saw some drastic geopolitical developments which have led to some significant changes within the cyber insurance market which will have definite repercussions in 2023. Insurance premiums, prerequisites and policy exclusions will no doubt continue to increase in 2023 which will have the effect of narrowing the actual scope of what is really covered as well as increasing the overall cost. Add to this the many geopolitical uncertainties as we go into 2023 and cyber insurance becomes not only difficult for organizations to gain real reassurance from but also equally difficult for insurance companies to effectively underwrite. Whilst carrying cyber insurance is rapidly becoming a 'security prerequisite' for many organizations, its benefit in relation to cost and cover remain uncertain as we move into 2023."
Aidan Kehoe, SVP at Barracuda, believes that cyber insurance will become more expensive despite covering less:
"Going into 2023, the capacity of cyber insurance will continue shrinking as a result of increased demand and expected losses. This will cause premiums to skyrocket and unfortunately, many organizations will not be able to afford the exact policies they held last year. Additionally, the gray areas created by the anonymity of cyber attacks and the recent cyber insurance mandates excluding war and non-war, state-backed cyber-attacks will drive litigation and investigations around coverage next year. To compensate for gaps in coverage and liability, organizations will be forced to purchase additional cybersecurity solutions."