Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
More spending won't solve cloud security problems, better foundations will be needed
By Paul Baird, Qualys
According to IDC forecasts, the total value of IT security
spending in Europe will reach $50 billion by 2025. This is positive for the
longer term, as it shows how seriously business leaders take this area compared
to the past. However, even though companies are committing more budget towards
security than they ever have before, we are still seeing more successful attacks.
What will this mean in 2023? There are two
major areas where companies will need to focus - the impact of hybrid working,
and the increase of attacks on operational technology assets.
Prediction #1 - Hybrid working will force more emphasis on the basics
The problem is that many organizations are
still focused on implementing more shiny new toys, rather than building better
processes that support their staff. All these products and technologies can add
significant value for security teams that are feeling stretched and need help
from automation, but this can overlook some of the security fundamentals that
still need to be solved.
Given all the focus on what is new, it is easy
to assume that every company has the essentials of security in place and working
effectively. Sadly, that is not the case - many companies still don't have
effective asset management programs in place. Like someone who has splurged on
a new hobby, it is all too easy to have all the gear and no idea. This is
something that is difficult to realize before an attack succeeds.
In 2023, companies will finally throw out the
idea that we will ever go back to 'normal' after the pandemic, and instead,
they will commit to supporting long term flexible and remote working. This will
mean that the trusty asset inventory will have to adapt to tracking devices
that never show up on the company network. This change in mindset will actually
suit security teams as they will have to adapt their processes around asset
tracking and lifecycles, which will then improve overall security posture. For
those that look at their processes, they can improve their security and make
better use of those new tools. For those that don't, their organizations will
fall at the first hurdle of basic security hygiene next year.
Prediction #2 - Operational Technology attacks will take place more frequently unless IT security gets involved
This year, Gartner predicted that we'll see
cyberattackers weaponising operational technology (OT) environments to
successfully harm humans by 2025. I fear that this will happen much sooner, if
it has not taken place already. This year saw reports that a newborn baby died
as the result of a ransomware attack locking up IT systems in a US hospital, as
this included the OT assets that monitor fetal heart rates during delivery.
Bad actors have already seen that healthcare organizations
are more likely to pay ransomware demands. So why will they stop? The answer is
that they won't, so the number of attempted attacks will continue to go up in
this area. At the same time, there are more issues getting found in OT systems,
and the increase in money around ransomware will see threat actors able to
bring in skills to target those systems.
Alongside healthcare, oil and gas networks
will also be under more scrutiny. The cost of fuel has gone up thanks to the
war in Ukraine, which shows no signs of abating. The demand for gas and
electricity continues to rise, and the assets that produce that fuel and power
are at risk. For example, according to the US Government Accountability
Office, more than 1,600 oil rigs are at significant risk of a cyberattack
because they rely on remote management to control assets. If the remote
management systems can be attacked, or the on-rig assets compromised, this
would affect a substantial percentage of US fuel and power generation capacity.
In turn, this would affect global energy markets that are already under
pressure.
In response, 2023 will see IT security teams
take more responsibility for these OT networks. For years, OT has been kept
entirely separate from the IT function, so many IT teams have never had to
understand what was in use and what threats may arise as a result. OT security
is at least ten years behind IT security in terms of monitoring, visibility,
processes and the advancement of the technology itself. These assets are
typically very expensive capital investments that are expected to run for
decades.
Today, companies want to take advantage of the
data that their OT systems create in real time. This requires them to be
connected, and therefore vulnerable. IT security teams can educate the business
on the risks here, but they won't be able to stop this from taking place.
Instead, they will have to take responsibility for security overall. This will
include developing new processes to manage risk overall across OT environments,
deploying best practices where possible and mitigating potential problems where
direct fixes are not possible. Alongside this, IT security and the CISO will
have to educate the rest of the business on how to manage risk over time.
We've got a long way to go to improve security
of our OT environments, but the first step has
to be adding OT to the remit of the IT and security teams. Without this, I
predict that we'll see a disastrous level of cyberattacks via OT assets in
2022.
ABOUT THE AUTHOR
Paul Baird, Chief Technical Security
Officer UK, Qualys
Paul Baird is a 20+ year IT veteran who
migrated to cybersecurity six years ago. Baird previously built a security
programme from scratch at a FTSE 250 company, and later accepted the challenge
of building an entirely new SOC function for luxury automotive manufacturer
Jaguar Land Rover. Now at Qualys as their Chief Technical Security Officer for
the UK, he helps to drive the Qualys vision with customers and partners at
C-level.