It’s another new year and hence another occasion to predict how the cybersecurity landscape will evolve in 2023. Once again, it will be challenging, as most every year is, and could wind up being an unusually difficult 12 months because of multiple headwinds.
One is that it has become clear that a huge increase in remote working is here to stay, if only because so many companies have adopted a durable hybrid policy – one that blends remote work with work in the office some weekdays. This is good for workers, who prefer to commute to work less, but not for corporate cybersecurity because remote workers aren’t protected as well against cyberattacks. Another threat is the spread of the poorly protected Internet of Things (IoT) into every area of business and society, creating more opportunity for malicious actors to penetrate lax security.
And, many corporate chiefs and economists believe that the economy is shaky and may well fall into a recession. If this turns out to be the case, it may encourage more technically sophisticated folks with monetary woes to join the ranks of an already sizable pool of cybercriminals.
Amid this backdrop, here are some cyber developments that will likely come to fruition in 2023.
An increase in nation-state attacks
The biggest reason would be that more than 70 countries are scheduled to hold national governmental elections, more than usual. Such events are frequently a target for attack by hostile foreign interests, as was the case in the precursor to the Presidential election in the U.S. in 2016, which was hit hard by cyber infiltration by Russia.
Compounding this threat, the three countries responsible for much of state-sponsored activity – Russia, China, and Iran – are all embroiled in conflict, creating potential for heightened attacks. There is Russia’s invasion of Ukraine, China has repeatedly pronounced that it intends to take control of Taiwan, and there is increased dissident activity in Iran, which the government blames on hostile outside countries, including the U.S.
The increasing growth of zero-trust strategy
This concept of "never trust, always verify" will come at the expense, in particular, of Virtual Private Networks (VPN), which establish an encrypted and protected network connection using public networks. This is because remote working trends are likely to continue, undermining the ability of VPNs to meet scalability demands. In addition, VPNs are prone to vulnerabilities, and hence, cyberattacks. The Biden administration, meanwhile, has already mandated federal agencies to adopt a zero-trust architecture by September 2024, and Gartner has said it will grow more than 30 percent this year and entirely replace VPNs by 2025.
The likelihood of heightened demand for better third-party risk management
Software supply chain attacks grew more than 600 percent in 2022 – on top of more than 400 percent in 2021 – because it is typically easier for attackers to target a vendor as a conduit into a big corporation. Gartner predicts that 45 percent of organizations will experience attacks on their software supply chain by 2025. Boards and CEOs have begun demanding better security. Look for heightened demand for services, tools, and vendor questionnaires that can monitor and mitigate third party cyber risks.
Cyber insurance companies will increasingly require companies to provide detailed risk assessments before underwriting them, notwithstanding rising cyber insurance premiums
Companies will be required to present evidence spanning multiple security arenas to prove they’re in compliance with leading cybersecurity standards and best practices. The assessments will be used to determine decisions about insurance limits, coverage, and coverage gaps. Companies lacking basic cyber hygiene controls, such as regular employee training, and multi-factor authentication, will be declined by insurers more and more.
Companies adopting new generation 5G networks will be under heightened pressure to spend big to find loopholes to curb security vulnerabilities
The number of intelligent devices connected to 5G networks is expected to increase dramatically. Gartner predicts that the number of IoT devices will increase to 5.8 billion in 2023, up 21 percent from 2022. This makes 5G networks an increasingly target-rich environment for cybercriminals.
Prepare for a rise of automotive hacking
Today’s new vehicles are rife with automated software that provides easy Bluetooth and Wi-Fi connectivity for drivers in everything from engine timing, airbags, door locks, and cruise control, to advanced systems for driver assistance. As this trend continues to increase in 2023, prepare to see attackers work to increasingly gain control of the vehicle, or use microphones for eavesdropping.
Look for the widening onset of Ransomware-as-a-Service (RaaS) to continue increasing in 2023
RaaS gives more attackers the ability to easily execute ransomware attacks. Developing this malware requires technical savvy and skill, which RaaS has. It’s usually found on the dark web, and the prices aren’t prohibitively high. RaaS software is also helping to increase the number of new ransomware variants, boosting the chances of a successful attack.
It’s obvious that a number of the aforementioned points denote a grim outlook for the new year, but a couple of positive trends also exist.
One is that the federal government is in the process of creating a national cybersecurity blueprint that is embracing a major role for regulation for the first time. Just one, as an example, would require pipeline operators to develop detailed plans for responding to cybersecurity incidents. Such steps go well beyond prior strategies that mostly focused on information sharing and public-private partnerships. A notable exception last year was a new law requiring critical infrastructure owners and operators to disclose a major cyberattack to the federal government within 72 hours.
Another encouraging development is that two more states – Utah and Connecticut – have adopted new comprehensive consumer privacy laws, effective at different times this year, joining similar steps previously taken by California, Virginia, and Colorado.
Privacy and data security laws have existed for a long time, but until recently they were limited to certain industries or data types. These five state laws reflect a growing movement to protect individuals’ far more expansive right to privacy. These states, expected to be joined by others in 2023, have several provisions in common, such as such as the right to access and delete personal information.
The case can be made that these are extremely positive steps in the cybersecurity world because there are far more individuals subject to cyberattacks in the U.S. than there are organizations. Moreover, individuals are less able than organizations to financially weather an attack. This is the kind of development that truly makes a big difference.
About the Author:
Robert Ackerman Jr. is the founder and managing director of AllegisCyber Capital, an early-stage cybersecurity venture capital firm based in Silicon Valley. He is also co-founder and a board director of DataTribe, a seed and early-stage foundry, based in Fulton, Md., that invests in young cybersecurity and data science companies.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.