As we near the end of 2022, IT professionals are looking back at one of the worst years on record for incidents. Cyberattacks and breaches are rising with no end in sight. Organizations continue to invest in technology at a record pace; however, they still continue to be at risk.
During 2022, over 65% of organizations expected cybersecurity budgets to expand. Gartner estimated that $172 billion will be spent this year, up from $155 billion in 2021. Even with this increased spending, the cyberattacks continue at an exponential rate. According to Check Point, by mid-year cyberattacks had risen 42% globally.
From supply chain breaches to ransomware, organizations continue to struggle with how to avoid becoming the next attack statistic.
As we look forward to 2023, several emerging trends are top security areas that executives should focus on.
User awareness is still the No. 1 area where organizations must continue to invest. The theft of credentials to leverage access remains the largest threat to organizations. According to the Ponemon Institute, over 54% of security incidents result from credential theft. This report states that 59% of organizations fail to maintain strict user account lifecycle management, leaving credentials that are no longer needed in the environment, where they can be compromised. It is this type of failure in credential management that bad actors leverage to gain access to accounts and data. Lifecycle management of identities must improve to avoid these types of breaches. This area will continue to be an ongoing challenge for organizations in 2023.
Ransomware will continue to be a leading way for bad actors to monetize attacks on organizations by taking control of systems and data. According to the SonicWall Cyber Threat Report, the global volume of ransomware is increasing by 98%. Although this number is down from a 105% increase in 2021, the frequency and dollars spent continue to grow. Globally, healthcare, financial services, manufacturing, and state and local governments continue to see a rise in the frequency of attacks. Interestingly, a growing trend in this game of cat and mouse is that you may pay the ransom and still not be set free from the hacker’s control. According to Veeam’s 2022 Ransomware Trends Report, 76% of surveyed organizations had experienced a ransomware attack. Of those, only 69% that paid the ransom were able to obtain their data.
Third-Party/Supply Chain Risk
From internet providers to manufacturers, this continues to be an issue. In 2022, we witnessed several third-party supply chain breaches. Forbes earlier this year outlined how this topic has hit prime time in the board room and continues to plague organizations. Accenture also highlighted this area for concern and illustrated the disruption of the supply chain as part of the risk—that is, not only vulnerabilities due to third parties, but the actual disruption of supplies as it relates to technology disruptions. This challenge will continue in 2023, with growth in this area expected to be in the double digits.
IoT and DoS
IoT/OT and DoS were key attack vectors in 2022. Organizations are still trying to get their arms around exactly what is on the network and how vulnerable the devices are. Meanwhile, bad actors are finding ways to exploit devices connected to the internet at a record pace. As organizations accelerate adoption, security remains, woefully, an afterthought. Bad actors will continue to take advantage of weak security postures in this area, exploiting security holes to break into networks.
Mobile Device Attack Vector
Issues in this area exploded in 2022. They range from application security to the privacy of personal data. Organizations that write apps must secure code, keys, and personal data. Few are taking the necessary precautions to validate that all these areas are covered at a comprehensive level. The other challenge is that applications intentionally share personal data about the users. From locator services information to text messages, users fail to understand exactly what data is being collected from mobile devices and then shared or sold on the open market. This area is going to explode in 2023, with users now starting to become more aware of these risks.
Phishing Targeted Attacks
This vector is still the No. 1 way that bad actors get into networks. Phishing, smishing, and social engineering are still extremely popular, and the bad actors are getting more sophisticated in the methods, approaches, and techniques they use to obtain information and credentials and gain access to systems and data. F5 posted last year that there was a 45% increase in phishing emails from 2020 to 2021. That number will undoubtedly increase again when the new figures are released for the 2021-2022 period. Bad actors are now using automated tools to carry out these attacks; with these tools, they can send millions of phishing messages with a single click. The trend for 2023 is that smishing and mobile device attacks are growing as users ditch standard email and move to text and SMS messaging.
Other Trends for 2023
Based on what is occurring in the market and the economy, here are a few other items to consider as you look at trends in 2023.
Resources are going to continue to be very difficult to find, attract, and retain. With the changes that COVID-19 introduced into the workforce, including remote work, and a large demand for few resources, it has been difficult this year to retain and attract talent. Workers are looking for big pay and greater flexibility in work locations and schedules. Organizations attempting to return to the office are finding that some of their best talent is not on board with that move. The resource constraints are going to continue in 2023, with security and cloud leading the way in highly sought-after talent.
Data security is going to be a big bet in 2023. Organizations have started figuring out that they have data everywhere and lack the security controls to secure, encrypt, and manage it. This challenge, compounded by third-party access and risk, keeps boards of directors and CIOs up at night. 2023 will be the year that more organizations start to admit their weaknesses internally and begin the process of identifying where data lives, how it is secured, and who has access, and of putting complete lifecycle management in place.
The next area for 2023 trends is application security. In general, CI/CD pipelines and security around application development are a big area of concern. Development teams in a number of organizations have operated independently from cybersecurity. DevSecOps has been held at arm’s length with the statement that developers own security in the development environment. Without specific oversight and auditing, development teams often leave access and environments insufficiently managed and protected. This is the Pandora’s box within an organization. Often, inconsistent controls are found, there is a lack of auditing, and identity lifecycle management is almost non-existent. For example, contractors who worked on last year’s development project still have administrative rights to code and systems. Libraries and other resources are stored in places like unsecured box accounts. These types of habits require organizations to look closer at development organizations’ security practices, standards, auditing, and procedures.
The last crystal-ball item for next year is the rise of FinOps. This reflects the awareness that security, development, and cloud all cost money, and FinOps is the next big bet for analyzing spend, trends, and baselines and for finding cost optimization, reductions, waste, and abuse. From overspending in the cloud to shelfware, organizations have been on a spending spree, and with the tightening of the economy and budgets, CIOs are going to be looking for every dime that can be saved or shaved off the budget.
Although 2022 is not completely over yet, it’s imperative to start looking forward to your 2023 strategy and how your organization can improve security without breaking the bank. How your organization prepares for some of these trends could be the difference between a better-layered defense strategy and the next headline in the local paper about a breach of your network.
Stephanie Benoit Kurtz is Lead Faculty for the College of Information Systems and Technology at University of Phoenix and has taught IT-related courses over the past 20 years. She is also Principal Security Consultant at Trace3. Stephanie has over 25 years of industry experience in Information Technology and Security Solutions and Consulting.