Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
What the Cybersecurity Industry Can Expect in 2023
By Nathan Hunstad, Code42, Deputy CISO
If there has ever been a quiet year for the
cybersecurity industry, 2022 certainly was not it. As a whole, cybercrimes rose more than 600% over the last year, with
data breaches costing companies more money than ever before. (The Appian and Pegasystems trade secret theft case
clocked in with an epic $2 billion award.) Unfortunately, thanks to a
significant talent drought plaguing the industry, many companies didn't have
the resources and skills needed to protect themselves. This issue is only
expected to get worse, with recent data
indicating that we need 3.4 million more cybersecurity workers worldwide to secure
assets effectively. I believe that supply chain attacks, the distributed
workforce, and a dearth of cybersecurity professionals are all important areas
security teams and business leaders need to proactively address as we enter
2023.
Prediction 1: Attackers will target internal employees to implement larger attacks
It used to be that if you wanted to gain
access to an organization's infrastructure, you'd utilize spam emails or
ransomware. However, as cybersecurity tools became more attuned to blocking
these more obvious attempts, nefarious actors had to create more sophisticated
methods to break through. Security teams need to bear in mind that these newer
approaches won't necessarily be caught in a spam filter or firewall - because
they're coming from within the
organization.
This latest tactic involves working with an
insider to gain access to critical pieces of data and information. Sometimes
attackers will be upfront with insiders, convincing them that personal gain is
worth partaking in nefarious illegal activities. Other times, the insiders
themselves will be duped into unknowingly handing over data to outside sources.
Either way, security teams need to be flexible in changing their defensive
mechanisms as attackers shift and become more sophisticated. In light of this,
organizations are also likely to prioritize better training exercises and
guidance so employees can better respond and understand how to spot these kinds
of threats to avoid falling victim.
Prediction 2: A continued rise in cloud collaboration tech usage will cause more company data exposures
It's clear that remote work is here to stay,
and companies will only continue to increase the number and type of cloud
applications they use to move and store data. We're also seeing that today's
job market is continually expanding, leading to a future scenario where the
pool of eligible candidates includes the entire world, regardless of location.
This reliance on cloud collaboration tools opens the door for data exposures if
employees aren't utilizing these solutions properly.
Our current workforce is also much more
transient than in years past; employees are not retiring with the company they
started with and are moving around much more frequently. This tendency to job
hop leads to more data exfiltration, as people leave and take data with them -
whether with malicious intentions or not. In fact, research shows there's a one-in-three (37%) chance your company loses
IP when an employee quits, and 71% of organizations are unaware of how much
sensitive data their departing employees typically take with them.
My colleagues at Code42 are keeping an eye on
a few other trends as well:
Jadee Hanson, CIO and CISO:
Prediction 3: Companies will prioritize cybersecurity retention to help reduce turnover
As we enter 2023, there are millions of
unfilled cybersecurity jobs, giving job seekers a major advantage if they're
looking to gain different employment and negotiating power. However, for
employers, the cost of replacing security talent is incredibly high. For a
cybersecurity practitioner to do an effective job, they need to understand the
full technology landscape of an organization, which takes a great deal of time.
In the year ahead, companies will look inward
to ensure they're doing what they can in order to retain their existing
cybersecurity talent. While money is usually some part of maintaining employee
happiness, cybersecurity professionals are generally not entirely motivated by
salary. Instead, most want to make sure they're doing work that is
intellectually stimulating: they want new projects to work on, different spaces
to dig into, and interesting assignments that allow them to flex their creative
problem-solving muscles.
Employers will also have to look more broadly
for talent and consider more "unconventional" candidates. Most job postings
start with an emphasis on skill mastery, requiring years of experience in
cybersecurity for a hiring manager to even look at a person's resume. Instead,
a candidate's soft skills - someone who is curious and wants to learn - will be
of greater importance.
Prediction 4: Budget cuts will leave companies vulnerable to cyberattacks
Economic uncertainty often causes budget
concerns for CFOs trying to keep their company above the potential fray. What's
more, cybersecurity spend is sometimes seen as an added company expense rather
than an essential function, perhaps in part due to a difficulty in quantifying
success metrics and ROI.
Companies that don't readily see the value in
their existing programs may try to reduce expenses by cutting investments in
cybersecurity tools or talent. However, these cuts could reduce an
organization's ability to properly detect or prevent data breaches, leaving
them vulnerable to potentially devastating impacts. Leaders should especially
be concerned given the consistent rise in ransomware attacks in the last few
years; these are not expected to slow down anytime soon. We can expect to see
companies that choose to maintain efficient cybersecurity resources, even in
the face of economic uncertainty, fare much better than those who slash and
burn.
Matt Jackson, Senior Director, Security Operations:
Prediction 5: Supply chain attacks will become more sophisticated and harder to prevent
Supply chain attacks occur when hackers
infiltrate a company's infrastructure through a third-party partner, many of
whom now have more access to sensitive data than ever before. Cybercriminals
have increasingly turned their focus to this method of access because it
enables them to gain an exponentially greater amount of information from a
single breach. We already saw software supply chain attacks rise by more than 300% in 2021 compared to
2020; the impact of some incidents, like the SolarWinds hack, is still unfolding.
This means that, unfortunately, companies
cannot rely only on their own cybersecurity power to keep sensitive information
safe. Since supply chain attacks often target smaller organizations to get to
the bigger fish, companies now need to be increasingly aware of the
cybersecurity practices of all partners and vendors they work with.
In the year ahead, companies will ramp their
cybersecurity diligence up to an "11" because attackers never get worse - they
only get better and sneakier. We will likely see companies buckle down on their
efforts to mitigate these supply chain risks. One of those ways is utilizing
compliance verifications to vet the security tools and systems used by
third-party partners and making sure their teams are updating their processes
as new types of attacks and vulnerabilities emerge.
There's no sure-fire way to make certain your
company is entirely immune to every type of cyber attack, but there certainly
are ways to ensure you're putting your best foot forward. By proactively
building responses and processes to address these major issues, security
leaders can set their teams up for the best possible success moving forward.
##
ABOUT THE AUTHOR
Nathan Hunstad, Code42, Deputy CISO
Nathan is the Deputy CISO at Code42, the Insider Risk Management leader. He
leads the Identity and Access Management (IAM) and Platform/Application
Security teams. In past roles as a senior leader on the Code42 security team,
he led or held roles in security operations, threat and vulnerability
management, security engineering, red team, cyber intel, risk assessment, and
security consulting. Nathan joined Code42 in 2016, bringing experience from
both the private and public sector, and is a graduate of the Master of Science
in Security Technologies (MSST) program at the University of Minnesota.