Back in January, few could have predicted the events that have unfolded this year. So trying to anticipate trends for the coming 12 months is always going to be fraught with risk. That said, we can point to some clear macro-trends in the cybersecurity and privacy sphere which will help IT decision makers to steer their ship to calmer waters in 2023.
As digital investments accelerate to cushion the blow from an incoming recession, organizations will look to simplify security with a focus on data protection and more efficient cyber risk management.
Security comes first
We all know the macro-economic picture is unlikely to shift for much of 2023. The financial pressures caused by surging inflation, high energy prices, and potentially crimped budgets may force IT departments to focus more ruthlessly on what matters. That means digital transformation projects designed to help remote staff work more productively, and intelligent automation to eliminate repetitive manual work and free up talent to focus on higher-value tasks. It should also mean a strategy of security-by-design in which mitigating cyber risk across the business is prioritized.
This will be more important than ever in 2023 because, in the process of digital transformation, organizations will also expand their corporate cyber-attack surface. There’ll be more remote working endpoints, more cloud servers and more IoT devices for the bad guys to target. As usual, what they’ll most likely be after is to steal or encrypt sensitive customer and corporate data. So what specific threat and industry trends can we expect?
What’s happening in 2023?
Over the coming year a lot of what we see will be a steady evolution of trends already familiar to many. That means:
The continued rise of ransomware: As long as hostile nations harbor threat actors, attacks continue to compromise victim organizations, and those victims continue to pay their extorters, don’t expect ransomware to go away anytime soon. We’ll probably see more innovation on the part of threat actors, to stay ahead of defensive measures and ensure their business models are fit for purpose. Ransomware will therefore remain the number one risk to businesses in 2023 – both in its potential to cause major service outages and serious data theft/leakage.
A surging nation state threat: State-sponsored actors continue to flex their muscles in cyberspace, supporting geopolitical goals (China), generating illicit funds for isolated regimes (North Korea) and helping to achieve military objectives (Russia). Expect large-scale data theft (espionage), destructive malware, cryptocurrency heists and more.
Human error continues to be a top-tier threat: It’s hard to overstate the significance of human error to cyber risk. It’s the reason why phishing continues to be one of the top threat vectors for malicious actors. Accidental data leaks and misconfigurations will only grow as cloud complexity increases and skills shortages start to bite.
Supply chain risk soars: A recent report claimed that 98% of global organizations suffered a supply chain breach last year. It could come from software providers that are compromised to insert malware into updates, as per the SolarWinds attack. It could be managed service providers that are breached with a view to infecting their downstream customers. Or it could be a solitary organization like a law firm targeted for the data it holds on its clients. The continued surge in risk to the supply chain will force CISOs to reappraise their vetting of partners and update risk management practices.
Compliance gets more onerous: Gartner predicts that by the end of 2024, 75% of the world’s population will have its personal data covered by privacy regulations. As more countries follow the GDPR’s lead, organizations will struggle to manage the complexity unless they find technology solutions like encryption to reduce the scope and costs of compliance.
Schrems 2 enforcement incoming: We’ve been waiting a while for GDPR regulators to get tough with transatlantic data flows following Schrems 2 and the death of the Privacy Shield agreement. Once again, encryption and similar technologies could help to reduce legal risk as enforcement action increases.
Simplicity and control
As finances come under greater pressure in 2023, CISOs may well be asked to find ways to be more efficient. With the average enterprise running 76 discrete security tools today, consolidation would seem like a no-brainer. Done right, it could help them to reduce licensing costs, visibility gaps and the management burden on stretched security teams.
This is the promise of a “cybersecurity mesh” architecture, which will be an increasingly popular way to mitigate the challenges posed by expansive cloud environments. This is also where data-centric security technologies like encryption and tokenization will play an important role, by reducing the risk of costly breaches and compliance fines. Whatever solutions CISOs choose going forward, they’ll need to put ease of integration and platform-based offerings at the top of their wish list.