We normally lay out five top predictions for the year. But with cybersecurity being such a vibrant — and sometimes frightening — field, we couldn’t keep it to five.
Hence, we have 10 this year:
Top Cybersecurity Predictions
- 1. Internet Of Things Under Attack
- 2. Security Cultures Emerge
- 3. Zero Trust Comes Of Age
- 4. Autonomous Endpoints
- 5. Chrome Attacks
- 6. VPNs Lose Share
- 7. Log4j Will Drive Innovation
- 8. Chaos Engineering Will Improve Security
- 9. BEC Drives MFA
- 10. Prioritization Of Risk Management
- Mitigating Risk
Haris Pylarinos, former ethical hacker turned CEO of Hack The Box, said that he had to think like a cybercriminal to identify the biggest threats for next year.
He predicts that 2023 will see an invasion of Internet of Things (IoT) devices and sensors.
“The industry is underestimating how dangerous IoT attacks could be,” Pylarinos said.
“Hardware skills will be critical to prevent disastrous attacks that could perhaps take down entire societies.”
The answer to cybersecurity attacks and new virus strains and emerging threat vectors has generally been the development of a new set of tools.
But there are now so many tools in cybersecurity that it is becoming unwieldy. Companies deploy all the latest systems only to be told that now they also need ransomware protection or secure access service edge (SASE) or zero trust network access (ZTNA) and so on. It seems like it never ends.
Joanna Huisman, SVP of strategic insights and research at KnowBe4, thinks 2023 will bring a shift in focus to creating a security culture within organizations across the globe.
“The need for security awareness training is now clear to most organizations, and they are starting to evolve from just training to additional emphasis on behavior and culture,” Huisman said.
“There has been a positive momentum toward building a strong security culture globally that involves support from executives and the employee base as a whole.”
Zero trust has been a huge buzzword in 2022.
But up until now, it has been more talk than reality.
“The actual application of zero-trust technology within corporate infrastructure has been limited,” said Ashley Leonard, CEO, Syxsense.
“My prediction for 2023 is that we will finally see zero trust concepts implemented widely within the corporate IT environment.”
Leonard with Syxsense also put the spotlight on the changing role of the endpoint in IT, in compute power and in cybersecurity.
Endpoint security has been growing in prominence in recent years and this will continue. It makes sense to emphasize the security of the smartphone, PC, server, tablet, and laptop as the front line in the prevention of incursions to stop attacks in their tracks. But beyond cybersecurity, more tasks will be farmed out to endpoints.
“In recent years, there has been a lot of focus on the cloud, which centralizes computer power but leaves the incredibly powerful processors and the endpoints underutilized in many cases,” Leonard said.
“Many tasks managed today by the cloud could be better performed at the endpoint and that will begin to change in 2023. As part of this, orchestration and automation technologies will be key to allowing IT to maintain security and service.”
Data removal company Incogni analyzed the risk profiles of 1,237 Chrome extensions available on the Chrome Web Store with a minimum of 1,000 downloads.
The study reveals that one in two Chrome extensions (48.66%) had a high to very high-risk impact, such as asking for permissions that could potentially expose personally identifiable information (PII), distribute adware and malware, or log everything users do, including the passwords and financial information they enter online.
Expect plenty of attacks on Chrome and browser extensions in general in 2023.
“Users should be cautious with browser extensions that require the following permissions: read and change all your data on all websites you visit; audio capture; browsing data; clipboard read; desktop capture; file system; geo-location; storage; and video capture,” said Aleksandras Valentij, information security officer, Surfshark.
“Use common sense when granting permissions to browser extensions, such as why would an ad blocker need audio capture access or access to your file system.”
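The permission review described above can be automated against an extension's manifest.json. The following is an added example, not code from Incogni, Surfshark or the original article; the mapping from the quoted plain-language permissions to manifest strings, the function names and the sample manifest are assumptions of this example.

```javascript
// Manifest strings for the capabilities named in the quote above.
// The plain-language-to-string mapping is this example's assumption.
const SENSITIVE_API = new Set([
  "audioCapture", "videoCapture", "desktopCapture", "browsingData",
  "clipboardRead", "fileSystem", "geolocation", "storage",
]);

// "Read and change all your data on all websites" comes from broad match patterns.
const isAllSites = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

// Returns one finding per risky grant; `expected` is what the reviewer
// considers justified for the extension's stated purpose.
function auditManifest(manifest, expected = []) {
  const allowed = new Set(expected);
  const sources = {
    permissions: manifest.permissions || [],            // MV2 also lists hosts here
    optional_permissions: manifest.optional_permissions || [],
    host_permissions: manifest.host_permissions || [],  // MV3
    optional_host_permissions: manifest.optional_host_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap((c) => c.matches || []),
  };
  const findings = [];
  for (const [source, values] of Object.entries(sources)) {
    for (const value of values) {
      const kind = isAllSites(value) ? "all-sites"
        : SENSITIVE_API.has(value) ? "sensitive-api" : null;
      if (kind) findings.push({ source, value, kind, unexpected: !allowed.has(value) });
    }
  }
  return findings;
}

const unexpectedGrants = (manifest, expected) =>
  auditManifest(manifest, expected).filter((f) => f.unexpected).map((f) => f.value).sort();

// Constructed sample: a hypothetical ad blocker's manifest.json (not a real extension).
const SAMPLE_AD_BLOCKER = {
  manifest_version: 3,
  name: "Example Ad Blocker",
  permissions: ["declarativeNetRequest", "storage", "audioCapture", "fileSystem"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
// An ad blocker plausibly needs storage and all-site access, nothing else from the list.
const AD_BLOCKER_EXPECTED = ["storage", "<all_urls>", "*://*/*"];

console.log(unexpectedGrants(SAMPLE_AD_BLOCKER, AD_BLOCKER_EXPECTED));
```

Grants flagged as unexpected are the ones to question before installing or allow-listing an extension; the expected list is a judgment call made per extension category.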
Like many technologies that preceded them, virtual private networks (VPNs) were once a cutting-edge technology.
Over time, the world’s IT and business climate has progressed, while VPNs have remained mostly unchanged. Consequently, VPNs now may not be able to keep hackers at bay, and they may sometimes make hackers’ jobs easier. Businesses are likely to move on from them in 2023.
“What is virtually impossible to accomplish with VPNs can now be achieved with a modern software-defined perimeter (SDP),” said Don Boxley, co-founder and CEO, DH2i.
Boxley said an SDP enables organizations to use zero trust network access tunnels to connect applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT, without having to reconfigure networks or set up complicated and problematic VPNs.
The Log4j vulnerability was a wake-up call, impacting one in 10 companies.
Joey Stanford, VP of privacy and security at Platform.sh, believes Log4j will lead to more secure open-source innovation in 2023 by encouraging businesses to give monetary support to open source by hiring experienced developers to perform vulnerability checks and to improve software integration.
Stanford said there will also be actions on a federal level, such as the requirement to establish software bills of materials (SBOMs) to ensure more secure software projects going forward. That will benefit companies that use and are committed to open source, and it confirms open source’s rightful place in the future of web development.
Over the next year, businesses will refine their testing process for data security, increasingly deploying chaos engineering to shore up enterprise resilience, according to Adrian Moir, technology strategist and principal engineer, Quest.
Originally built for developer testing, chaos engineering can help IT teams test recovery operations as well as the applications and pipelines data moves through. By testing each part of the company’s data protection apparatus regularly, teams will be able to confirm that recovery techniques, from immutable data stores to replicability, work effectively.
“Expect businesses to make this part of their regular data protection operations as the C-suite makes resilience and risk reduction a higher priority in light of ransomware, natural disasters, and other business disruptors,” Moir said.
Business email compromise (BEC) will continue to be a top attack method for cyberattackers and the easiest way into an organization.
With the increase in zero-day attacks, people are going to be looking at reducing their externally available footprint. Thus, BEC will drive adoption of multi-factor authentication (MFA).
“MFA will be ubiquitous and nothing should be externally available without it,” said Chip Gibbons, CISO at Thrive, a provider of next-gen managed services.
When it comes to the governance and oversight of cyber risk, Karen Worstell, senior cybersecurity strategist at VMware, thinks the system is broken, due to the higher stakes inherent in cyber risk as well as generally fragile corporate reputations.
“As a result, companies will double down on cyber risk management,” Worstell said.
“Boards will need to have a much clearer role and responsibility when it comes to the process of ensuring adequate controls and reporting cyberattacks. Cyber risk governance is not just the domain of the CISO. It is now clearly a director- and officer-level concern. When it comes to cyber, plausible deniability is dead.”
The predictions above don’t make for light reading. They are not for the faint of heart.
Heed, therefore, some sensible advice from Satish Shetty, CEO of Codeproof. It will mitigate risk and help keep you out of the headlines:
- Train employees not to click on phishing links or download attachments from external emails
- Use applications such as Slack and Microsoft Teams for internal communications
- Use email primarily for external communications
- Migrate to cloud-based email services, such as Microsoft 365 or Google Workspace, rather than using on-premise email servers
- Deploy mobile device management (MDM) and mobile threat defense (MTD) software to protect mobile and portable devices, taking advantage of their ability to enforce security configurations
- Use strong passwords and two-factor authentication for online accounts