By Stephanie Benoit Kurtz, Lead Cybersecurity Faculty, College of Business and Information Technology at University of Phoenix
As we near the end of 2022, IT professionals look back at one of the worst years on record for incidents. Cyber attacks and breaches continue to rise with no end in sight. Organizations continue to invest in technology at a record pace; however still continue to be at risk. During 2022 over 65% of organizations expected security budgets to expand. Gartner estimates that $172 billion will be spent this year, up from $155 billion in 2021. With this increased spending the attacks continue at an exponential rate. According to Check PointĀ by mid-year cyber attacks have risen 42% globally. From supply chain breaches to ransomware organizations continue to struggle with how to avoid becoming an eventual statistic of being attacked.
As we look forward to 2023 a number of emerging trends are top security areas that executives should focus.
User Awareness
User awareness is still the number one area where organizations must continue to invest. The theft of credentials to leverage access continues to be the number one threat to organizations. According to the Ponemon Institute, over 54% of security incidents result from credential theft. This report states that 59% of organizations fail to maintain strict user account lifecycle management, leaving credentials that are no longer needed in the environment that can be compromised. It is this type of failure in credential management that bad actors leverage to gain access to accounts, and data. Lifecycle management of identities must improve to avoid these types of breaches. This area will continue to be an ongoing challenge for organizations in 2023.
Ransomware
Ransomware, as projected would continue to be a leading way for bad actors to leverage control and data to monetize hacking organizations. According to the SonicWall Cyber Threat Report, the global volume of ransomware is increasing by 98%. Although this number is down from 105% increase in 2021 the frequency and dollars spent continue to grow. Globally, healthcare, financial services, manufacturing and state and local governments continue to see a rise in the frequency of attacks. What is interesting about these attacks is that according to Veeam in the 2022 Ransomware Trends Report documents that 76% of those that participated in the research had experienced an attack. Of those only 69% that paid the ransom were able to obtain their data. A growing trend in this game of cat and mouse is that you may pay the ransom and still not be set free from the hackers control.
Third-Party/Supply Chain Risk
From internet providers to manufacturers, this continues to be an issue. In 2022 we witnessed several third-party supply chain breaches. Forbes earlier this year outlined how this topic has hit prime time in the board room and it continues to plague organizations. Accenture also highlighted this area for concern and illustrated the disruption of the supply chain as also part of the risk. That is not only vulnerabilities due to third parties but the actual disruption of supplies as it relates to technology disruptions. This challenge will continue in 2023 and we expect that the growth in this area will be in the double digits.
IoT and DoS
IoT/OT and DoS attack vectors were key areas in 2022 for an attack. Organizations are still trying to get their arms around exactly what is on the network and how vulnerable the devices are. Meanwhile, bad actors are finding ways to exploit devices connected to the internet at a record pace. As organizations accelerate adoption, security is woefully an afterthought. Bad actors will continue to take advantage of weak security postures in this area to exploit security holes to break into secured networks.
Mobile Device Attack Vector
Issues in this area have just exploded in 2022. These issues range from everything from application security to privacy of personal data. Organizations that write apps have to secure code, keys, and personal data. Few are taking the necessary precautions to validate that all of these areas are covered at a comprehensive level. The other challenge is that applications intentionally share personal data about the users. From locator services information to text messages, users fail to understand exactly what data is being collected from mobile devices and then shared or sold on the open market. This area is going to just explode in 2023, with users now starting to become more aware of these risks.
Phishing Targeted Attacks
This vector is still the number one way that bad actors get into networks. Phishing, Smishing, and Social Engineering are still extremely popular and the bad actors are getting more sophisticated on the methods, approaches and techniques used to gain information and credentials to gain access to systems and data. F5 posted last year that there was a 45% increase in phishing emails from 2020-2021. Expect that the number has again increased when this report is published for 2022. Bad actors are now using automated tools to carry out these attacks; with these tools they can send millions of phishing messages with a single click. The trend for 2023 is that smishing and mobile device attacks are growing as users ditch standard email and move to text and SMS messaging.
Other Trends for 2023Ā Ā
Based on what is occurring in the market and the economy here are a few other items to consider as you look at trends in 2023. Resources are going to continue to be very difficult to retain, attract and find. With the changes that COVID-19 introduced into the workforce with remote work and just a large demand for few resources, it has been difficult this year to retain and attract talent. Workers are looking for big pay and larger flexibility in work locations and schedules. Organizations attempting to return to the office are finding that some of their best resources are not on board for that move. The resource constraints are going to continue in 2023, with security and cloud leading the way in highly sought-after talent.
Data security is going to be a big bet in 2023. Organizations have started figuring out that they have data everywhere and a lack of security controls to secure, encrypt and manage the data. This challenge and the compounding of third-party access and risk leave the board of directors and CIOs up at night. 2023 will be the year as some organizations start to admit their weaknesses internally and begin the process if identifying where data lives, how it is secured, who has access and complete lifecycle management.
The next area for 2023 trends is application security. In general, CI/CD pipeline and security around application development is a big area for concern. This in combination with Dev/Sec/Ops have operated in the WE DEVELOPERS WILL TAKE CARE OF SECURITY for years. This is the pandora’s box of items within an organization. Often, consistent controls are found, and a lack of auditing and identity lifecycle management is almost non-existent. Contractors, for example, who worked on last years development project, still have administrative rights to code and systems.
The last crystal ball item for next year is the rise in FINOPS. This is the awareness that security, development, and cloud all cost money and how FINOPS is the next big bet to analyze spend, trends, baselines and look for cost optimization, reductions, waste and abuse. From overspending in the cloud to shelfware, organizations have been on a spending spree and with the tightening of the economy and budgets, CIOs are going to be looking for every dime that can be saved or shaved off the budget.
2022 is not over, but there are ways to start looking forward to your 2023 strategy and how your organization and improve security without breaking the bank. How your organization prepares for some of these trends could be the difference between a better-layered defense strategy or the next headline in the local paper about a breach of your network.
About the Author:
Stephanie Benoit Kurtz is Lead Cybersecurity Faculty, College of Business and Information Technology at University of Phoenix and has taught IT-related courses over the past 20 years.Ā She is also Principal Security Consultant at Trace3. Stephanie has over 25 years of industry experience in Information Technology and Security Solutions and Consulting.