Will the majority of attacks really become more advanced in 2023? Probably not
Press releases around security breaches tend to follow the same pattern.
“Some of our data has been compromised by ‘advanced adversaries’ using ‘state of the art’ techniques to steal data.”
Whilst in some cases this has been true (e.g. the supply chain attack on the SolarWinds software platform), these should be considered the exception rather than the rule. State sponsored attackers and advanced cyber criminal groups do have access to innovative exploits and potentially zero-day exploits, but these are expensive. In short, why would a cyber criminal burn an expensive zero-day when simply accessing the data via a poorly configured admin account will achieve the same goal?
If you leave the vault door wide open there is no need to bring a safe cracking expert along on the heist! The same is true for attacks on sensitive data within organisations. Organisations should absolutely focus on protecting their data from advanced attacks; however, this should not be at the expense of addressing the basics of cyber security. These include (but are not limited to) training users in secure practices, strong pass phrases, multi-factor authentication and implementing the principle of least privilege.
Cyber Security Insurance
2023 will begin with some definite questions from CISOs and insurance companies alike around the viability and usefulness of cyber insurance as a concept.
2022 saw some drastic geopolitical developments, which have led to significant changes within the cyber insurance market that will have definite repercussions in 2023. The notion of 'insuring away cyber risk' will become (and arguably always was) somewhat unrealistic. Insurance premiums, prerequisites and policy exclusions will no doubt continue to increase in 2023, which will narrow the actual scope of what is really covered as well as increase the overall cost.
A prime example was the announcement this year by Lloyd's of London that they would not cover incidents representing collateral damage in a "nation-state cyber war." Whilst this clause may, at first, appear relatively simple, it has an immense knock-on effect on what is covered and what is not. The issue here lies in the murky waters of attribution. Was the attack "state-conducted"? Was it "state sponsored"? Was it "state inspired"? Or was it simply a criminal organisation piggybacking on an existing conflict for financial gain? Even if a policy pays out, does this payment cover the true cost of a cyber event? Yes, a ransom payment and the cost of initial incident response and recovery may be covered, but what about the greater losses of public confidence, revenue or even company valuation?
Add to this the many geopolitical uncertainties as we go into 2023 and cyber insurance becomes not only difficult for organisations to gain real reassurance from but also equally difficult for insurance companies to effectively underwrite.
They say "the devil is in the detail", and in these details lies only uncertainty.
Will cyber insurance become an expensive "tick in a box" or will it deliver real value? Will it even remain a viable offering from insurance companies in 2023? Whilst carrying cyber insurance is rapidly becoming a "security prerequisite" for many organisations, its benefit in relation to cost and cover remains uncertain as we move into 2023.
Attackers will continue to jump on vulnerabilities that remain unpatched
Patch Tuesday causes mixed feelings for many IT teams. Whilst the temptation will be to apply these security updates immediately upon release, the simple truth is that many organisations are not in a position to do this. Whether it be unpredictable interactions of software patches with legacy or bespoke technology, or the lack of a means to deploy patches at scale, it is often not as simple as pushing a button.
Whilst a lot of value is gained from the processes of public vulnerability disclosure and documented patch release, these can (and are) often used to inform attackers of the means and targets of attacks that are "known to work." The window between a patch being published and it being applied is exactly the period in which such an attack is most likely to succeed.
In 2023 attention needs to be given not only to shortening the time it takes for organisations to apply critical security patches but also to improving visibility and detection of anomalous activity. This will enable organisations to determine whether an unpatched system is being attacked or has already been compromised.
The conversations around privacy and security of sensitive personal information will draw closer to one another in 2023
Previously we have had conversations around whether (and how) organisations should capture sensitive personal information. Almost separately, the same organisations have been considering the retention and security of this data once it has been captured.
With GDPR in the back of everyone's mind and the revised ISO 27001 requirements around data leakage at the front, 2023 will usher in a more unified conversation around capturing as little data as possible whilst protecting that data as much as possible.