Businesses can no longer take an ostrich approach to cybersecurity.
If business leaders expect post-pandemic operations to be back to normal by 2023, they will be disappointed. The new normal will be continued disruption, resource shortages and growing cybercrime. Consequently, security managers will find themselves in the spotlight, and risk will be the watchword for 2023. We see businesses at risk from exposed data and external threats every day. Many have no idea their organisation is a target. Yet they could reduce risk or eliminate it with one change to their security posture. By looking externally for data leaks and threats, your business could reduce the threat posed by these trends. Here are five key trends that underscore the need for Digital Risk Protection over the next twelve months.
1. Remote working simply isn’t going away
Businesses have tried a variety of tactics to encourage staff back into the office without success. Staff are resistant to giving up the flexibility and financial advantages of home working. IT and security leaders must develop security strategies that assume remote working is here for the long haul. In particular, security teams should keep tight control over BYOD and company device usage policies. We have seen a trend in the exposure of credentials harvested by malware on individual devices. This type of data is much less likely to be compiled into reported breaches. So, specialist monitoring is required to detect them.
2. Business leaders continue to prioritise digital transformation and the cloud
Digital transformation strategies are now relied on to solve multiple problems. From competition, productivity, supply chain disruption, carbon footprint reduction, using new channels to reach customers and plugging hiring shortfalls. Security leaders must support businesses to expand transformation plans by enabling them to manage risk effectively. Failure to do this will result in the continued use of shadow IT. But an open approach to digital transformation is the key to unlocking increased security budget and resources. Organisations should also be aware of threats associated with transformation initiatives rushed through during the pandemic. This legacy risk could surface in cyber-attacks that use historic data leaks or misconfigured equipment from hurried deployments.
3. The supply chain will be your weakest link in 2023
With continued transformation and supply chain disruption – organisations that can manage security assessments and ongoing monitoring for 3rd party providers efficiently are more likely to avoid incidents next year. The most successful cyberattacks of 2022 included examples of 3rd party and even 4th party incidents. A phishing campaign targeted at users of Okta resulted in data breaches at Twilio and Mailchimp that led to further attacks on their service users. Security leaders should add supplier monitoring to their intelligence requirements for next year. Indeed, recent updates to the ISO27001 information security management standards require organisations to have a threat intelligence capability. Businesses are more likely to require IS27001 accreditation of their suppliers with this added condition.
4. The hunt continues to bridge the talent gap
According to the fifth annual (ISC)² Cybersecurity Workforce Study, the unmet need for cybersecurity professionals grew by 25% in 2022, with an estimated shortage of 3.43 million staff globally. IT and security leaders will continue to solve talent issues in creative ways. One option is to offer a better work-life balance to help recruit and retain security staff. IT and security teams can improve their posture and make the most of existing resources by using security solutions that do not require extensive experience or skills. Increasing automation is another strategy. Organisations new to cybersecurity should consider using a managed service as MSSPs expand their offerings with affordable digital risk protection and threat intelligence solutions.
5. Hackers and cybercriminals will continue to outsmart businesses with their automation initiatives
Cybercrime is big business. Gangs have found that monetising cyber-attacks can be less risky and just as lucrative as mounting them – with Ransomware-as-a-Service just one example. Automation means attacks can be mounted at scale, putting more businesses in the crosshairs. One trend is for hackers to use artificial intelligence to simulate their malware performance against defences that also use AI. The key takeaway from this trend is to recognise that all businesses with a digital footprint have a digital risk exposure. Smaller organisations are at risk of automated (spray and pray) attacks, often based on historically breached credentials. Businesses with sophisticated defences cannot afford to be complacent. They could find the cybercriminals targeting them have comparable, if not better, technology on their side.
Additional resources:
https://technative.io/cyber-security-needs-makeover-skills-demand/
https://www.tripwire.com/state-of-security/brace-yourself-iso27001-changes-are-coming
