Chris’s Thoughts on 2023 Cyber Security Predictions
As this year comes to a close, many people in the cyber security industry have been sharing their opinions on what is going to happen in the coming year. Here we break down the top ten most popular predictions we have found and share some of Chris’s takes on each one.
1. Zero Trust Adoption
Overview: Many security tools and experts are moving to adopt Zero Trust integration, and it would appear this could become the new norm in the year ahead. Zero Trust is not necessarily the "silver bullet" of cybersecurity, but it is key in the evolution of the industry as it strives to authenticate users everywhere possible in a modern cloud infrastructure.
Chris’s Thoughts: Something to watch out for here are vendor-based solutions that promise an “out of the box” or “turn-key” solution for zero trust. If you don’t have a policy to govern the implementation, the vendor’s solution will be useless.
2. Data privacy laws will get stricter
Overview: Many new data privacy laws are set to go into effect across several different states in the coming year, so many organizations will need to begin assessing their current procedures and systems to ensure they will comply. It is likely more states will follow suit when it comes to updating their own security laws, so we recommend everyone, regardless of location, stay up to date with their compliance.
Chris’s Thoughts: The key here is to create a single security program with policies, procedures, etc. that will help you comply with all applicable laws without chasing each one individually. Should you need any help in doing this, look no further than CGSC and be sure to reach out to us with any questions you may have.
3. Need for Cyber Insurance will Increase but Also Become Harder to Get
Overview: As the rise in cyber-attacks continued throughout 2022, we saw many cyber insurance companies take major cost hits. As a result, we will see premiums for the coming year start to skyrocket. We will also see these companies requiring organizations seeking their services to meet certain compliance requirements before being able to obtain a policy at all.
Chris’s Thoughts: One thing that we’ve seen in Incident Response engagements is that the insurance company will recommend a law firm to help. Don't fall for this trap! If the attorney is in cahoots with the insurance company, they won’t be acting in your best interest. However, we at CGSC can help ensure you are all up to speed before you aim to get your insurance policy, and can continue to keep you and your organization within compliance standards.
4. Recession will Affect the Industry
Overview: This recession has certainly hit us all, whether it be at our organizations or in the grocery store, and the cyber security industry is far from immune to its influence. As security budgets tighten in 2023, we will see a decline in overall security posture. That means cutting corners when it comes to training, overloading small teams with work, and overall neglect when it comes to security, which will ultimately leave organizations more vulnerable to attacks that could hurt their companies far worse than the fluctuating economy.
Chris’s Thoughts: Honestly, I disagree with this prediction. In my experience, the security industry has been almost immune to the ups and downs of the economy. I think this is because most rational people understand that during bad economic times, the threat of cybercrime will increase, and thus the need for security spending increases, too. If you are, however, worried about the cost of cybersecurity, reach out to CGSC to discuss our services so we can find the perfect plan of action for you.
5. Organizations will Begin to Double Down on Cloud Security
Overview: As cloud-based activities continue to rise, companies will need to prioritize cloud security. Cyber criminals are always adapting to the latest security practices, and it is imperative to keep at least two steps ahead.
Chris’s Thoughts: This is another prediction that I disagree with. While there are many free and cheap resources available to secure cloud environments, I still see most clients assuming that cloud security “is someone else’s problem.” I do hope to be proven wrong, however, and we would be more than happy to give some consultation for anyone looking to find a reliable cloud security program.
6. Insider Risk will Increase as Threat Actors Target Trusted Employees
Overview: As attackers seemingly love to use employees to gain inside access, we will likely be seeing a continued rise in insider risk. Whether the attack method is coercion or advanced phishing schemes, the number one way to minimize insider risk is through security education.
Chris’s Thoughts: I see this as a growing risk at an increasing rate because more and more companies are finally implementing effective technology to thwart most “technology-only” threats. With more advanced endpoint security, next-gen firewalls, etc., attackers are crafting their attacks to ONLY require human error and not rely on technology-based vulnerabilities, which is why regular security training is so important.
7. Password Alternatives will Gain Popularity but Not Become the New Norm Yet
Overview: Passwords are so last year, and many security experts are excited to see the rise in their alternatives in the coming year even if they won’t entirely replace the password. Biometrics will certainly see a rise, and we know for a fact Apple and Google are making the move to passkeys/FIDO.
Chris’s Thoughts: This progress is so overdue! I can remember wanting to eliminate passwords within the first couple of years as a security practitioner and really hope that this prediction is true. One of the issues I see with biometrics is the inability to “reset” your credential. After all, most people only have one face, 2 eyes, 10 fingers, etc. Hopefully, as the push for password alternatives continues, the alternative options will become more user-friendly to avoid issues like this.
8. AI Will be used to Enhance Cyber Security
Overview: AI is already being used as a means to detect and respond to cyber threats. It is very likely that 2023 will see AI take an even larger role in the fight against cybercrime. Attacks can be detected and responded to in record time with extreme accuracy, which will surely contribute to the rise of AI’s popularity in the future.
Chris’s Thoughts: While I agree that AI can be useful in detection and response, it can also be useful in attacking companies. The question with AI is just like any other technological innovation: “Who will use it most effectively and the soonest?” Until the “good guys” can collaborate as well as the bad guys, we will always be behind the curve when it comes to adopting new technologies for our purposes.
9. Attack Paths will Broaden as the Popularity of Email Alternative Communication Channels Grows
Overview: Social media marketing is the future of the entirety of the marketing industry, whether it's TikTok, LinkedIn, Signal, Discord, or any of the other platforms rapidly gaining popularity. This also means that attack paths for cyber criminals are multiplying. An attacker only needs to gain access to one account to then move laterally across a company, and since email security has grown so much in recent years, other platforms will be where attackers look for easy pickings.
Chris’s Thoughts: One activity we include in our external network penetration tests is an analysis of data breach results to see if any of our clients’ employees have their work email accounts included, especially if the data that was breached included passwords. This activity illustrates the real-world feasibility of this type of risk specific to our clients. Whether you use CGSC for this service or not, I highly recommend you have it completed, at least annually, as the world of breaches changes often.
10. The Year of Crypto
Overview: Cryptocurrency has been gaining popularity for years now, but it has just recently become a part of common speech for most people. 2023 will see the continued rise in its popularity, which also means crypto theft will continue to rise. Just this year Binance lost $100 million in a cyberattack on cryptocurrency, which raises the question of whether this will ever become a viable alternative for currency.
Chris’s Thoughts: While I haven’t invested in cryptocurrency, I've always been curious about the societal effect of its existence. The hacker in me loves the idea of a more “democratic” currency for use in trading items of value. The business side of me sees great risk in purchasing something that has no intrinsic value (yes, I know, money has no intrinsic value. I guess I'm just too much of a ‘merican to slam our dollar). As volatile as the dollar is, cryptocurrency bears much more risk. I'm really on the fence with this prediction, but I am interested to see how it develops in the coming year.