Is your Organisation Ready?
As we welcome the year of 2023, cybersecurity is still topping the list of CIO concerns. This comes as no surprise. In the first half of 2022, there were 2.8 billion worldwide malware attacks and 236.1 millionransomware attacks. By the end of 2022, six billions phishing attacks has been launched.
In a new survey from IEEE polling 350 chief technology officers, chief information officers and IT directors, 51% of respondents mentioned cloud vulnerability as a top concern (up from 35% in 2022) and 43% mentioned data center vulnerability as a top concern (up from 27% in 2022).
Other areas of concern for cybersecurity professionals include:
- Ransomware attacks (30%)
- Coordinated attacks on an organization’s network (30%)
- Lack of investment in security solutions (26%)
Here are 10 top security threats that IT is likely to see in 2023.
Top 10 security threats in 2023
Malware is malicious software, including viruses and worms, injected into networks and systems with the intention of causing disruption. Malware can extract confidential information, deny service and gain access to systems.
IT departments use antivirus software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but bad actors continue to evolve their malware to elude these defenses. That makes maintaining current updates to security software and firewalls essential. There are also hardware solutions for thwarting malware, such as Gryphon’s Guardian mesh router, which handles a variety of threats.
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victims’ companies pay them cash ransoms to unlock systems or return information.
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back only to be hit again by the same ransomware perpetrators.
Rob Floretta, cybersecurity manager for a large utility provider, warned that bad actors, whether they are deploying malware, spyware, exfiltrating valuable data or deploying other varieties of attack, can hide within a company’s network. Reducing their dwell time “inside” corporate systems is key.
“Dwell time is how long someone lives off your land before you detect them,” he said. “That has dropped significantly in recent years but there is still work to be done.”
Mandiant reported that global median dwell time for intrusions identified by external third parties and disclosed to the victims dropped to 28 days from 73 days in 2020. Meanwhile, in 2021, 55% of investigations had dwell times of 30 days or fewer, with 67% of these (37% of total intrusions) being discovered in one week or less. However, the report also showed that supply chain compromise accounted for 17% of intrusions in 2021 compared to less than 1% in 2020.
3. Supply chain vulnerabilities
Supply chain hacks, which include the infamous SolarWinds attack that found its way to several government agencies and perhaps lesser known exploits involving JS.node vulnerabilities, are especially pernicious because the size of the threat surface is basically wherever tainted software goes.
In the case of SolarWinds’ Orion update, that surface included hundreds of consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
Justin Cappos, a professor of computer science at NYU who created the open-source security protocol called in-toto, explained that people typically rely SBOM (software bill of materials) to “know” what’s in their software supply chain.
“These are a little like nutrition labels on food,” he explained. “If you can’t attest to the accuracy of these labels, you have a problem. That’s where things like in-toto come in: You create essentially signed statements, or attestations, that certain people, and only those people, took legitimate actions like checking code or doing things with dependencies.”
Software can do only so much to defend against social engineering. Almost everyone has received a suspicious email — or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.
Phishing is a major threat to companies because it’s easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help. IT should team with HR to ensure that sound email habits are taught.
There are many vendors who offer training and packaged solutions for companies looking for something approaching a turnkey solution. There are also tech solutions.
Cappos said password managers are a critical first line of defense.
“There’s never any reason why you should ever share a verification code with anyone,” he said. “You should use authenticator apps, and not ones that send you a text message.”
He also noted that Android and iPhone have improved protective measures, such as lockdown mode on iPhone and features in the open-source GrapheneOS for Pixel.
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow, particularly with the advent of 5G telecommunications, the de facto communications network for connected devices.
IoT vendors are notorious for implementing little to no security on their devices, a threat that can be ameliorated through stronger vetting of IoT vendors upfront in the RFP process for security and by resetting IoT security defaults on devices so they conform to corporate standards.
SEE: A brief history of industrial IoT (TechRepublic)
“IoT devices generally contain simple-to-guess credentials, or their default passwords are readily available on the internet,” Floretta said. “Following simple cybersecurity best practices, such as changing passwords after installation, will make it much more difficult for compromise by bad actors.”
If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.
6. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected. This is why there has been an uptick in the number of companies that use social engineering audits to check how well employee security policies and procedures are working.
In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.
7. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this too.
One need look no further than the Log4J Log4Shell bug for proof that data poisoning in AI systems is ascendant. In a data poisoning, a malicious actor finds a way to inject corrupted data into an AI system that will skew the results of an AI inquiry, potentially returning an AI result to company decision makers that is false.
Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of the data.
8. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.
“Biometrics encompasses a range of technologies: It could be voice, retinal scanning and even behavior,” said Floretta.
A major benefit is that some biometrics are immutable, unlike passwords.
Contextual authentication (or adaptive authentication) is a behavior-based authentication, the essence of which is: “I’m pretty sure I know who you are based on your behavior, but if I’m seeing something not normal for you, I need to act.”
9. Multi-layer security
How much security is enough? If you’ve firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor identification sign-ons to employees and implemented data encryption, but you forgot to lock physical facilities containing servers or to install the latest security updates on smartphones, are you covered?
There are many layers of security that IT must batten down and monitor. IT can tighten up security by creating a checklist for every security breach point in a workflow.
SEE: Two-factor authentication evaluation guide (TechRepublic Academy)
“Multiple levels of defense are critical,” said Ed Amoroso, CEO of TAGCyber and former CISO of AT&T. “Passwords are one critical layer, but data encryption at both ends is the next, and so forth. The bottom line: Just because you got in doesn’t mean I trust you. The only barrier to multiple layers of security, frankly, is just cost.”
10. Cloud security
Yes, the 2019 data breach by a Seattle hacker resulted in the theft of some 100 million credit applications, but the exfiltration of a misconfigured AWS storage bucket in the cloud led to something else — regulatory headaches for the company.
Potential fines from the regulatory oversight of containers is, paradoxically, one of the major cyber challenges experts are pointing to for 2023. When it comes to corporate reputation and pocketbook, the blowback could be as bad as the break-in.
In the above case, a federal court found Capital One negligent for failing to secure financial data. That came with an $80 million fine, plus customer lawsuits for $190 million.
“There is risk for companies if they are not doing their configuration management and tracking their regulatory compliance they are required to follow,” said Kayne McGladrey, field CISO for Hyperproof and a senior member of the IEEE.
He explained that modern cybersecurity and associated regulatory frameworks require data encryption at rest and in transit.
“If companies are encrypting, it’s an easy day, and there’s no problem,” he said. “The real risk I’m starting to see in such vendor negotiations as B-to-B purchasing agreements is that companies want an attestation that the [vendor] is monitoring encryption of all their cloud storage. Companies are asking one another: Can you verify, and do you regularly check that your cloud storage is encrypted?”
From a technology perspective, that’s fairly easy to do, but as Mcgladrey noted, anybody in an organization who has permissions on cloud computing platforms like AWS, Microsoft Azure or Google Cloud can stand up a storage bucket. They can create a storage location in the cloud, but they don’t necessarily have to encrypt them.
“Out of all the CISO’s and security leaders I’ve spoken with over the last three months, the main theme of 2023 is going to be ‘the year of risk,’ and a lot of that risk we’re talking about at this level is regulatory,” said Mcgladrey.