Ransomware – a highly scalable attack where criminals lock up crucial files and demand payment to release them – has been cited as the number one threat to businesses for years. The resulting impact can be financially destructive.
Aaron Rosenmund, Director of Security Research and Curriculum at Pluralsight, sees this trend continuing into 2023. “Ransomware “as a service” organisations are commodifying the software and malware required for successfully executing attacks, and as a result the technical bar of entry for criminal groups lowers. This means we will see an increasing number of smaller criminal groups targeting the industries’ critical infrastructure.”
For Lavi Lazarovitz, Head of Security Research at CyberArk Labs, threat actors revisit familiar tricks, such as phishing, credential theft and social engineering. “The next “big thing” isn’t likely to be a massive zero day — especially as prices for these coveted vulnerabilities reach upwards of $10 million on darknets and other underground marketplaces, and well-resourced groups and nation-states compete fiercely. Most threat actors will use alternative ways to infiltrate organisations and move laterally toward their targets.”
Another rising route of attack is that on national infrastructure, including supply chains. Dr Sebastian Schmerl, Director of Security Services EMEA at Arctic Wolf, notes, “As we enter a new cold war, we can expect to see increased offensive and defensive cyber capabilities from governments around the globe. This will result in more threats to national infrastructure, and an expanded definition of what is included in this group.”
The metaverse ushers in a new era of cyber threats, unleashing opportunities for new types of cybercrime. For Derek Manky, Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs, the threat to personal information in Web3 is clear: “An individual’s avatar is essentially a gateway to their personally identifiable information, making them prime targets for attackers. Individuals can purchase goods and services in virtual cities, meaning digital wallets, crypto exchanges, NFTs and any currencies used to transact all present new attack surfaces to threat actors.”
As more businesses begin to interact in Web3 environments, Daniel McLoughlin, Field CTO at OneSpan, expects the threat of deepfake scams to become a mainstream security issue for enterprises in 2023. “Organisations need to take a step back and develop a strategy that prioritises secure interactions between people and customers. At a minimum, businesses should be verifying the identity of online meeting participants by scanning official ID documents, before allowing them to join online interactions.”
Priorities in 2023
Businesses are increasingly moving operations to the cloud in a bid to increase efficiency and reduce costs. According to Gartner, the global spend on public cloud will reach $600 billion next year. However, for successful migration, Jeff Bennison, Director of Security Consulting, Professional Services EMEA at Rackspace Technology, believes cloud security will need to be top of the agenda. “While cloud security was once considered a dedicated cyber discipline, it is now completely synonymous with basic cybersecurity – and organisations are leveraging the intersectionality of cloud-based architectures to ensure greater confidence.”
The proliferation of highly sophisticated and intricately rehearsed ransomware attacks highlights the need for businesses to be one step ahead. Indeed, Paulo Henriques, Head of Cyber Security Operations at Exponential-e expects to see “concerted efforts to break down the billion-dollar ransomware business model in the year ahead”. Taking a proactive security approach means consistently monitoring for emerging threats to pre-empt security weaknesses and implementing controls before they occur. Henriques adds: “Defence strategies are likely to be more geared towards proactively removing vulnerabilities, anticipating cyber attacks, cutting off successful ones at the source.”
Some, such as Karen Worstell, Senior Cybersecurity Strategist at VMWare, argue that cyber risk governance will be a top priority for business leaders “dealing with higher stakes and fragile corporate reputations”. Worstell believes that cyber risk governance is now a Director and Officer level concern, instead of purely in the hands of the CISO: “Boards will need to have a much clearer role and responsibility when it comes to the process of ensuring adequate controls and reporting cyber attacks. When it comes to cyber, plausible deniability is dead.”
Nick Wood, Executive Chairman at Com Laude, says businesses will be prioritising how they can hold their data as securely as possible. “Web domains are one of an organisation’s most valuable assets – often holding the keys to the entire company’s data and information… Portfolios must be audited to identify risk, and any domain name that carries business infrastructure, such as client data, must have the appropriate security measures in place to protect assets from a data breach or attack.”
Defences
Malicious activity is often hidden within encrypted traffic on networks, making it more challenging for teams to identify and respond to cyber-crime at speed. However, Simon Mullis, CTO at Venari Security, sees opportunity for a more nuanced defence: “As these attacks continue to rise, and encryption becomes fundamentally integrated into complex organisational networks, enterprises will be compelled to change their approach from decryption towards behavioural analysis for detection.”
One easy way to boost cyber defences is to ensure cybersecurity professionals are equipped with up-to-date skills. Tom Clowes, Head of Technology at Grayce, says businesses need to empower employees and close gaps in security systems in 2023 through “continuous learning opportunities to keep their IT teams up to date with the latest cyber threats. A robust training programme needs to teach the fundamentals of endpoint security, data security, network security, identity management and application security.”
The year 2023 will be challenging for many businesses – economic pressures and the rising level of criminals looking to prey on the vulnerable heighten the need for strong cyber security defences. Cyber responsibility spans the whole organisation, from board level to the employees on the ground. Those companies that prioritise education, constant re-evaluation of defences and new attack vectors will be ready to intercept attacks, protect their corporate reputation and mitigate costly financial penalties.
