After another (nearly) action-packed 12 months it’s time to take stock. There have been breaches galore, new cybersecurity mandates and regulations, fascinating data points and the emergence of some industry trends which will shape the future of IT. Here’s our pick of the top five things we learned from 2023.
- Generative AI will turn up the heat on security teams
Generative AI (GenAI) had its breakout year in 2023, thanks to the extraordinary impact of ChatGPT. It has the potential to transform industries as diverse as customer service and software development. But from a cybersecurity perspective, there’s also a certain amount of understandable concern. That’s because the technology also has the potential to supercharge phishing campaigns, both in scale and sophistication, and potentially help threat actors write malware to evade defenses more easily. The appearance of WormGPT and FraudGPT reinforced these fears.
The AI models themselves and the companies that run them also emerged as potential targets for threat actors – potentially those who want to mine or corrupt training data. A quickly patched vulnerability at ChatGPT developer OpenAI highlighted the potential for unauthorized access. It all adds up to yet another compelling argument for data-centric security.
- Enterprise data is under attack from all angles
As if we needed any more convincing of the potential imbalance between threat actors and network defenders, Verizon’s annual Data Breach Investigations Report (DBIR) was on hand to remind us. This year’s edition, distilled from 16,312 incidents and 5,199 data breaches, offered up yet another fascinating snapshot of the global threat landscape.
We learned that most breaches over the past 12 months were external (83%) and stemmed from financial motives (95%), and were carried out by organized criminals. Threat actors gained access to networks primarily via stolen credentials (45%), phishing (12%) and vulnerability exploitation (5%). And the “human element” was responsible for a massive 74% of breaches – evidenced by social engineering, misconfiguration and other errors. Malicious insiders are also a growing threat – especially in the public sector where they were responsible for 30% of breaches, up from 22% the year before. Ransomware remains a potent threat for organizations of all shapes and sizes, responsible for a quarter (24%) of breaches.
- Bring-your-own-encryption goes mainstream as multi-cloud woes mount
First came the rush to migrate to the cloud. Now comes the reckoning. It’s claimed that 87% of organizations have now invested in public cloud infrastructure from multiple providers. But over the past year, organizations have become increasingly concerned about the implications for the security and compliance of data stored in these environments. That’s because, while the cloud service provider (CSP) offers some protections, securing the data itself is the job of the customer. And with GDPR and California’s CCPA setting the template for similar legislation across the US, the stakes are higher than they’ve ever been. Security is now the number two cloud challenge for global organizations after spend management, cited by 79%.
This has made bring-your-own-encryption (BYOE) increasingly popular over the past 12 months. The idea is for cloud customers to use their preferred encryption solution, instead of, or in addition to, the one offered by the CSP. It means that the generation of encryption keys and tokenization secrets is 100% in the customer’s control, so only protected data is ever allowed into the public cloud. It also helps deliver consistency across multiple clouds, and more flexibility to migrate data across these environments. Industry partnerships like comforte’s tie-up with Google and BigQuery show the direction of travel for 2024.
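To make the BYOE model concrete, here is an added example (not comforte’s code, nor any CSP’s API) that sketches the division of responsibility: a customer-side tokenizer that owns the secret and the token vault, and a simulated cloud store that only ever receives tokens. The HMAC-based vault tokenizer, the `CustomerTokenizer` and `CloudStore` classes and the sample records are all constructed for illustration; a production tokenization service would add format preservation, key rotation and HSM-backed key storage.

```python
"""Added example: bring-your-own-encryption style tokenization.

The customer keeps the tokenization secret and the token vault on-premises;
the simulated cloud store only ever receives tokens, so a breach of the
cloud side alone exposes nothing usable.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: the kind of cardholder data a customer would
# never want to land in a public cloud in the clear (test PANs, not real ones).
SAMPLE_RECORDS = [
    {"customer_id": "c-1001", "pan": "4111111111111111", "email": "alice@example.com"},
    {"customer_id": "c-1002", "pan": "5500000000000004", "email": "bob@example.com"},
    {"customer_id": "c-1003", "pan": "4111111111111111", "email": "carol@example.com"},
]


class CustomerTokenizer:
    """On-premises component (hypothetical). Holds the secret and the vault."""

    def __init__(self, secret: bytes):
        self._secret = secret              # never leaves the customer's environment
        self._vault: dict[str, str] = {}   # token -> original value, kept on-prem

    def tokenize(self, value: str) -> str:
        # Deterministic HMAC-based token: the same value always maps to the same
        # token, so the cloud side can still group and count by token.
        digest = hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Reverse lookup is only possible where the vault lives: on-prem.
        return self._vault[token]


class CloudStore:
    """Simulated CSP-side store (hypothetical): it can index and query rows,
    but it holds no secret and no vault."""

    def __init__(self):
        self.rows: list[dict] = []

    def upload(self, row: dict) -> None:
        self.rows.append(dict(row))

    def count_by(self, field: str) -> dict[str, int]:
        counts: dict[str, int] = {}
        for row in self.rows:
            counts[row[field]] = counts.get(row[field], 0) + 1
        return counts


def protect_and_upload(records, tokenizer, store):
    """Protect sensitive fields before anything is sent to the cloud."""
    for rec in records:
        store.upload({
            "customer_id": rec["customer_id"],          # non-sensitive, sent as-is
            "pan": tokenizer.tokenize(rec["pan"]),
            "email": tokenizer.tokenize(rec["email"]),
        })


def cloud_holds_no_plaintext(store, records) -> bool:
    """Check: none of the original sensitive values appear anywhere cloud-side."""
    raw = {r["pan"] for r in records} | {r["email"] for r in records}
    return all(v not in raw for row in store.rows for v in row.values())


def demo():
    tokenizer = CustomerTokenizer(secrets.token_bytes(32))   # customer-generated secret
    store = CloudStore()
    protect_and_upload(SAMPLE_RECORDS, tokenizer, store)
    pan_counts = store.count_by("pan")
    # The cloud can tell that two customers share a card without ever seeing it;
    # only the customer-side vault can turn the token back into the PAN.
    most_common_token = max(pan_counts, key=pan_counts.get)
    return {
        "no_plaintext_in_cloud": cloud_holds_no_plaintext(store, SAMPLE_RECORDS),
        "distinct_pans_cloud_side": len(pan_counts),
        "recovered_pan": tokenizer.detokenize(most_common_token),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that every secret-bearing object (the HMAC key, the vault) is instantiated on the customer side and the `CloudStore` never receives a reference to either; analytics that only need equality (grouping, counting, joins) still work on the tokens, which is why deterministic tokenization is used here.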
- Security will be key to compliance efforts in 2024
The past year has also seen organizations get serious about some big compliance mandates coming down the road in 2024. They include PCI DSS 4.0, which will partially go into effect in March 2024 and has a string of new requirements for organizations that handle cardholder data. It will make continuous data discovery, classification and protection an essential capability.
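The “continuous data discovery and classification” that PCI DSS 4.0 calls for starts with being able to find cardholder data wherever it has leaked into logs, tickets and exports. The following added example (not from the post, and not a comforte product feature) is a minimal discovery pass: it pulls candidate card numbers out of free text, validates them with the Luhn check so that arbitrary 16-digit identifiers are not misclassified, and masks the confirmed hits. The sample text, the `PCI:PAN` label and the masking format are constructed for illustration.

```python
"""Added example: a minimal cardholder-data discovery and classification pass.

Scans text for candidate PANs, confirms them with the Luhn check, and
reports or redacts the hits with a PCI classification label.
"""
import re

# Constructed sample data: a support ticket export containing a spaced test
# PAN, a random 16-digit order reference (not a card) and a second test PAN.
SAMPLE_TEXT = """\
ticket=8812 customer wrote: my card 4111 1111 1111 1111 was declined
order_ref=1234567890123456 shipped to depot 7
refund issued to 5500000000000004 on 2023-11-02
phone 01234567890 is fine to store
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the PCI-permitted display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(candidate: str):
    """Return the bare digits if the candidate is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def discover_pans(text: str) -> list:
    """Report each confirmed PAN with its line number and a masked form."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = _as_pan(m.group(0))
            if digits is not None:
                findings.append({
                    "line": line_no,
                    "masked": mask_pan(digits),
                    "classification": "PCI:PAN",   # constructed label
                })
    return findings


def redact(text: str) -> str:
    """Replace confirmed PANs in place; leave non-card digit runs untouched."""
    def _sub(m):
        digits = _as_pan(m.group(0))
        return mask_pan(digits) if digits is not None else m.group(0)
    return CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for f in discover_pans(SAMPLE_TEXT):
        print(f)
    print(redact(SAMPLE_TEXT))
```

Run over the sample, the scanner flags lines 1 and 3 and leaves the order reference alone, which is the difference between a discovery tool that can run continuously and one that drowns the team in false positives; in practice the same pass would be scheduled against object stores, database dumps and log pipelines rather than a string.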
Also landing in 2024, for operators of “essential services” in the EU, is NIS 2. That will make strong encryption a baseline requirement for all. And in the US there is President Biden’s National Cybersecurity Strategy, which will seek to promote the defense of critical infrastructure and the “privacy and the security of personal data” — by holding data stewards accountable and driving through legislation for a national data security standard. Watch this space.
- Security is about growth as much as risk mitigation
Finally, a more subtle lesson learned from 2023. Yes, we witnessed another cascade of damaging data breach stories — from Tesla and Discord.io to the Police Service of Northern Ireland. And yes, we read how breach costs have now reached an all-time high of $4.45m on average globally, rising to $10.9m in healthcare and $9.5m in the US. But the reality is that cybersecurity is increasingly being viewed as a business enabler rather than a reactive cost that is necessary to mitigate risk. In fact, one study claims the most cyber-mature organizations report a 43% higher average revenue growth rate than the least mature.
Effective data security can preserve IP, which is critical to growth plans. It can open up new markets by supporting regulatory compliance. And it can give businesses the confidence to invest in R&D and digital transformation, safe in the knowledge that these investments will be protected.
Expect more of the same next year, and no doubt one or two surprises.