There are a few certainties in cybersecurity: ransomware will cause headaches for companies; third parties will spark cyber incidents; and every December, cybersecurity analysts will put together lists of their predictions and trends they believe will have an impact in the coming year.
Most of the predictions are designed to help organizations build out their security programs, but every so often a trend will build slowly over time until its impact is clear.
Sometimes these trends will reach far beyond an individual company and impact society at large.
Here are some of the biggest trends Cybersecurity Dive is watching this year.
The global impact of state-sponsored activities
State-sponsored threats trend every year, but as we begin 2023, those threats have a different, more menacing, feel to them. The countries responsible for much of the state-sponsored activity — Russia, China and Iran — are embroiled in conflict.
“In the past year, we’ve seen [Russia's] invasion of Ukraine; a worsening of the relationship between China and the West combined with tightening control by Xi Jinping and further pressure on Taiwan; and a growing concern in Iran about dissident activity and pressures on the regime both internally and abroad,” said Mike McLellan, director of intelligence for the Secureworks Counter Threat Unit.
All those factors affect state-sponsored threat group tasking and activities and will be reflected in what they do in the coming year.
“While cybercriminal threats such as ransomware are an ‘equal opportunity’ risk for organizations lacking robust cybersecurity defenses in all sectors, state-sponsored threats can be more targeted,” said McLellan.
As political tensions rise in these countries, it is expected that nation-state actors will use that to their advantage to broaden their attacks.
China, for example, is often interested in obtaining intellectual property from high-tech targets, and there is concern that other Russian groups will carry out large-scale covert foreign intelligence gathering activities, spurred by concerns about Russia’s general standing in the world.
Certain sectors or countries have always been at greater risk of state-sponsored attacks, but 2023 may be the year that risk against critical infrastructure sectors, government, and high-tech companies escalates — especially if a nation-state sees outside interference.
Consumers will drive security and privacy measures
Consumers have made the digital transformation, with nearly three-quarters of their interactions with a company happening digitally. They are also becoming more concerned with how a company treats their personal data.
That’s why Criss Bradbury, Deloitte’s US Data and Privacy leader for cyber and strategic risk, believes that in 2023, data-centric security and privacy will be the foundation for how businesses build their brand.
“Digitization of business means that organizations are increasingly having more direct relationships with consumers — and as a result, are collecting more data across various channels,” said Bradbury.
With new and upcoming laws and regulations, increasing scrutiny by authorities, and alarming headlines over recent years, consumers are becoming more aware of what organizations do with their data and how they respect consumers’ privacy and choices.
Consumers will begin to demand transparency surrounding their data security and privacy programs, eventually making their choices based on which company is doing the most to protect their personal information.
“We see trusted data use as being one of the primary ways that organizations can either build or lose consumer trust,” said Bradbury.
If organizations don’t have a strong grasp of how consumers’ data is processed, they will struggle to protect or enhance consumer trust and they will eventually risk harming their corporate brand.
“Organizations should define what trust means to them, develop key metrics to track customer sentiment related to trust, and measure how their actions and initiatives impact that sentiment over time,” said Bradbury.
Final notes on the board
These are trends with very human costs, whether it be potential cyberattacks from state-sponsored threat actors who want to take down critical infrastructure or consumers who fear becoming the victim of identity theft due to a company taking shortcuts with their security.
Michael Mumcuoglu, CEO and co-founder at CardinalOps, thinks 2023 is likely to be the year executives, boards, and auditors demand better cyber reporting around business risk.
“These critical stakeholders will increasingly be asking CISOs to report on their defensive posture with respect to attacks that can have a material impact on the organization,” said Mumcuoglu.