Why will it be so important for businesses to understand these trends heading into the new year?
Strategic planning and resourcing take time to turn into operational excellence. The process of establishing a baseline capability and understanding current vs. future state requirements is complex. The journey may not be an easy one. To be successful, business buy-in is needed from the C-suite down.
This is often most effectively carried out in conjunction with an expert third party who can offer support and advice in the most appropriate form. This can be provided in simple terms around thought leadership, or as paid engagements.
What processes should be implemented in 2023 to ensure businesses are not prone to these cyber threats?
A clear plan relating to Governance, Risk and Compliance must be developed, reviewed, and evolved. This must include people and resource planning as well as strategic service providers, as these are themselves clear risks. Tracking milestones on the journey ensures progress can be reported back to the business sponsors.
My top tip is to ensure that the senior leadership team is bought into the need for effective cyber security.
Insurance for cyber security to address the costs of a breach or compromise is getting increasingly difficult to acquire and maintain. Most insurers will now insist on a minimum standard of cyber security, which must be demonstrated.
Top six cyber security trends for 2023 according to SCC Cyber
1. People – Recruiting and retaining quality staff for an increasing number of cyber roles.
People are the greatest asset in any organisation. This is especially important within cyber security.
Cyber threats are evolving and becoming more difficult to spot. This applies to professionals and end users. As such, organisations need skilled and motivated staff who, importantly, are listened to and engaged with, to counter threats.
In any skills shortage, salaries go up as demand increases. If an organisation does not embrace the need for effective governance and practical application of cyber security, then staff become demotivated and have no problems finding a new job where they are valued.
Cyber Security is a team sport!
Much is made of Machine Learning (ML) and Artificial Intelligence (AI). However, it’s worth remembering that both capabilities are also used by attackers. So, it’s not all good.
The fundamental creation of effective cyber security defences is based on people, process, and then technology. Vendors will wish to say it’s all about technology, but that would be too easy.
In my experience, getting the people and process right is harder and more important. Working with a managed service provider allows for the augmentation of people and processes to achieve maturity much more quickly.
This need for skilled staff will impact all sectors, especially those who have difficulty justifying higher salaries for their cyber security staff.
Building a strategic plan that specifically addresses cyber security resource requirements over a two-year period will prove an important tool; this should be reviewed and updated quarterly.
This plan will enable you to assess areas for internal growth and development, and the need for external recruitment to augment the skills and experiences you have or are building. This longer-term view is needed to ensure resilience in your teams, and responsiveness to evolving business risks.
Cyber professionals are increasingly seen as highly valuable, and as such want to feel valued. So, training and development plans help to reinforce that perception of value.
It’s also worth considering business continuity or succession planning for roles with skills that are particularly hard to find. Building strategic relationships with a service provider who can take on responsibility for specific tasks or services is a good way to mitigate risk.
2. Ransomware / Extortion
While ransomware is still at the top of the trends, or risks, within 2022, attackers are increasingly resorting to more extortion-based attacks and missing out data encryption, as this saves time, reduces complexity, and speeds up getting paid.
Extortion is a Ransomware attack – without the encryption element. The data is exfiltrated and the owner threatened with exposure unless they pay a fee. Extortion is becoming more common as it’s easier to carry out and requires the attacker to spend less time dwelling inside the victim’s network.
Attackers also work in teams, with many experts in initial access passing off their success to those who want to buy an open door into a business’s data repository. Extortion is just the same approach as Ransomware, but without the data encryption. The feedback I’ve had from Incident Response teams is that in this way it’s easier for the attacker. They have proof they have a copy of your data they can release. By not encrypting you, it’s easier to pay them quickly.
Risk of ransomware and extortion can be reduced with a structured and consistent approach to cyber security. This must be part of a maturity plan, with a method of tracking progress against defined objectives.
Staff training is at the centre of any plan, as should be appropriate internal processes aimed at mitigating the risks of an attack.
Lastly, technology: look at email security, internal governance and backup to ensure the confidentiality, integrity, and availability of data.
3. Artificial Intelligence and Machine Learning
Skilled staff are in short supply and are expensive to recruit and retain. There is a huge pressure to defend better and be more dynamic and agile in our methods of cyber security. Using ML and AI (if you have the appropriate specialist skills and data to create the data models) can be a game changer.
The downside is you need people with the skills and defined governance (People & Process). This direction of travel is for organisations with mature policies and governance, not those chasing a quick win. The whole engagement must be about reducing business risk, with clear outcomes. Otherwise, you will end up with expensive technology to implement and maintain, and no credible benefits.
So, my first recommendation is to ensure you have a firm foundation of cyber security governance and capability. (Do the simpler things well).
By using a framework such as NIST, it’s possible to understand internal maturity and capability, onto which more advanced capabilities can be applied.
4. Can Intelligence and Automation reduce the pressure on people?
Working smarter with machine learning (ML) and artificial intelligence (AI) can address the challenges of staff recruitment and burnout due to a high workload.
ML and AI enable huge volumes of data to be analysed on a continual basis, looking for anomalous activity. Data models are created that enable accurate searching of potentially huge data lakes to present results: things that might be out of the ordinary and might be indicative of a threat.
Decisions will be made based on thousands of elements, with risk scoring presented back to the analyst. This analytical process can be built into products or carried out as aggregated actions across multiple products.
With the addition of automation, it’s possible to condense the amount of work analysts must carry out to get the information and context they need. The results have the potential to be highly effective.
5. The expansion of IoT
An internet of things (IoT) device is an object that contains software, sensors, and a connection to a network or the internet. As you can imagine, this encompasses a huge array of technology at home and in the workplace.
Almost everything you can buy in the consumer world has internet connectivity now. The connected world is upon us. Security by design for many is severely lacking. Manufacturers are looking to mass produce at the lowest possible cost of sale. As such, common hardware and software are likely to be widespread. This is likely to mean that a single vulnerability can impact a wide range of products, including those that are totally unexpected.
This has been highlighted in a range of published vulnerabilities and will continue to be an ongoing challenge in the commercial and public sectors, where it’s possible to introduce organisational risk very easily.
Given that wide array of capability and the speed of development, IoT security standards and governance need to catch up with the reality from vendors. Governance will be addressed in forthcoming legislation.
Common risks and vulnerabilities can be outlined as:
- Ineffective software development practice and version control. Poor design standards and quality can mean it’s easier for an attacker to compromise the device.
- Lack of physical hardening.
- Insecure storage and transmission of data.
- Due to the relatively low cost of many IoT devices, they are often unmanaged, untracked, and isolated.
- With the potential volume of mass-produced and insecure IoT devices, malware can compromise huge volumes of devices to create botnets of infected assets.
Specific IoT security tooling is available to first understand what devices exist within an organisational setting, and then consider what risk those assets pose. Building on this and integrating the capability into a wider monitoring solution allows for an ongoing view of threats.
6. Legislation – both in the UK & EU
Due to the identification of IoT concerns, national and regional governments are working together to drive accountability for OT/IoT technology, hence new legislation in both the UK and EU that is coming soon.
Both of these pieces of legislation are designed to codify the roles and responsibilities that technology manufacturers will have in the future. Those responsibilities will legally extend to the ongoing support of devices with regard to their operational security. Functions such as device patching are explicitly called out.
The aim of the legislation is to drive maturity and increased consumer confidence. By holding manufacturers and vendors to account, standards can be enforced.
In the event of a problem or threat being discovered, the law will also require companies to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours.