Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
The Boiling Point is Here; Will the Frog Escape the Pot?
By Tom Sego, Co-founder and CEO of BlastWave
As the fable goes, a frog will stay in a pot of water as it's brought to a boil. Despite obvious warning signs, it's too late by the time the boiling point is reached. In the same vein, will companies heed 2022's warnings and evolve from detect and patch models to a preventative security approach that stops attacks before they happen? 2023's cybersecurity trends boil down to three questions. What is the threshold that companies will hit before they pivot to Zero-Trust Network Access (ZTNA), phishing-resistant multi-factor authentication (MFA) and software-defined perimeter (SDP) approaches to Zero Trust Architecture (ZTA)? What growth will we see? What will go up in smoke?
Manufacturing ransoms will hit $3 million
In 2022, the average ransom payment was $920,000, growing by 71 percent in the first few months. Manufacturing was even worse, as ransomware payments averaged $2 million. In 2023, the average ransom payment will break $1 million, and the average manufacturing ransom will break $3 million. Manufacturing ransoms are higher because OT security is decades behind, with studies showing that 87 percent of OT security professionals lack visibility into their OT network activities across devices, users and applications. Meanwhile, 78 percent experienced over three cyber breaches in 2022.
Many companies that depend on critical OT infrastructure still use COBOL, including 43 percent of banks. As a result, cybercriminals are now searching job postings to target companies that require COBOL skills.
The most common OT attack vectors are vulnerabilities, often leading to ransom demands, while the most common IT attack vector is phishing. OT assets and workstations are low-hanging fruit for hackers because they're often unpatchable, with ICS vulnerabilities rising 50 percent in the past year compared to a 0.4 percent rise in the number of vulnerabilities overall (IBM X-Force Threat Intelligence Index 2022). Manufacturing's resistance to evolving from futile detect and patch models caused it to be the most targeted industry in 2023, taking the mantle from financial services. There is quite a bit of spending on cybersecurity on the IT side, with reports projecting that 11 percent of managed IT services budgets will be spent on security applications over the next year. Unfortunately, many of these security applications cannot secure OT workstations and assets, which are twice as likely to be hacked.
These challenges are further compounded because IT and OT security concerns are different. OT security administrators don't just have to worry about compromised credentials and data. The real catastrophe in an OT security breach results from operational downtime. OT vulnerability has grave consequences for companies in manufacturing, water, healthcare and other sectors, as Gartner predicts that cybercriminals will soon weaponize OT systems to cause bodily harm. Due to the inefficacy of detect and patch security models, OT ransoms will increase even though OT security spending is projected to rise at a CAGR of 15.8 percent to $32.4 billion by 2027.
70 percent of companies will implement ZTNA
ZTA adoption can address these issues, and ZTNA that authenticates before allowing a connection will accelerate compliance with ZTA requirements as defined by the United States government. Amid the branding hype, companies must remember that zero trust is not a product - it's a framework. Many products that claim zero trust do not meet the five pillars of the Zero Trust Maturity Model defined by the Cybersecurity and Infrastructure Security Agency (CISA). ZTNA that takes an SDP deployment model approach to ZTA can help companies meet these federal requirements and stop attacks before they happen. Gartner recently stated, "ZTNA is the fastest growing segment in network security." The report estimates that "70 percent of new remote access deployments will rely on ZTNA by 2025." That's conservative amid increases in ransomware payments. ZTNA implementations will hit 70 percent by 2024.
SDP approaches will double in manufacturing
With hybrid work, cloud computing and billions of connected IoT devices, the enterprise security perimeter is disappearing, and business environments are more complex (and vulnerable) than ever before. In manufacturing, these issues are heightened as OT security administrators connect their formerly air-gapped and often unpatchable OT systems to the cloud, with recent reports showing 49 percent are using the cloud to support OT systems. In response, manufacturers will implement SDP approaches that can support full-mesh, peer-to-peer, high-performance connectivity. High-performance security is important, with recent studies showing that 79 percent of employees sacrifice security for speed. We talk about security by design, but this is vulnerability by design - when someone needs something urgently and they work around access controls.
An SDP deployment model allows companies to transcend network location and underlying configuration to implement Zero Trust Architecture. When the network is your biggest liability, why would you want a network-centric security approach that exposes IP addresses to the public Internet? With network-centric models, access is defined by network location. With SDP, access is defined by lightweight policy enforcement point (PEP) software on end-user devices, mirroring how hybrid work has evolved. Fortunately, the SDP market is expanding, projected to reach $23.1 billion by 2026. SDP is easier to implement in OT systems than VPNs because it removes the need for digital certificate management, network subnetting and more. SDP can even be implemented as an overlay on the existing network or SCADA system. This approach can also protect legacy OT systems through the use of gateways, even if those systems cannot host a PEP.
Less than half will implement phishing-resistant MFA
2023 will be the twilight year of traditional MFA if the US government reaches its lofty goals. 2022 saw the widespread exploitation of traditional MFA that relies on session-based tokens, one-time passwords, SMS and push notifications, including attacks on Uber, Microsoft and Twilio. Memorandum M-22-09, issued by the Office of Management and Budget (OMB) in January 2022, sets January 2023 as the date by which federal agencies must offer a phishing-resistant alternative, and states that traditional MFA must be eliminated by 2024. CISA recently urged organizations to implement phishing-resistant MFA as well, dubbing it the "gold standard." Seeing as the FBI itself was recently hacked, this timeline seems unrealistic, whether we're talking about government agencies or enterprises.
Unfortunately, experts estimate that up to 90-95 percent of current MFA implementations are not phishing-resistant. Meanwhile, the gulf in adoption of security controls in IT vs OT is substantial. Unlike in IT networks, the use of third-party contractors in OT systems increases the risk of exploitation, further highlighting the need for phishing-resistant MFA in OT security. Unfortunately, surveys show that only 18 percent of companies with OT systems enforced even traditional MFA or basic remote access restrictions this past year.
Phishing-resistant MFA ensures secure remote access through passwordless MFA methods, including biometrics coupled with a built-in authenticator and FIDO2 security keys. These methods remove human decisions from the authentication process and reduce human error. The good news? Companies are increasingly implementing phishing-resistant MFA, with GitLab boosting their adoption to 93 percent. Still, I predict that less than half of companies will align with federal goals by 2024.
Too many cooks in the kitchen
Amid 2022's statistics, I have empathy for CISOs that manage complex configurations and policies across multiple cybersecurity products. They're facing hurricane headwinds, and a sea change is necessary. In 2023, companies will implement ZTNA solutions that create a software-defined perimeter including multiple access controls. This will help companies evolve past network-centric, detect and patch security models to achieve a preventative zero trust security approach that stops attacks before they happen. Zero trust is a framework that assumes there is no network perimeter and that there's a malicious actor in your network right now. Today, that isn't an assumption; it's reality.
ABOUT THE AUTHOR
Tom Sego is Co-founder and CEO of BlastWave, a leading provider of zero trust networking solutions that help companies stop attacks before they happen. Tom oversees operations for BlastWave's Zero-Trust Network Access solution, BlastShield™, and focuses on cross-functional team leadership. Previously, Tom served as Senior Director of WW Sales Support at Apple.