Jon France, Chief Information Security Officer of (ISC)²
Demand for cyber insurance is going to increase, but it's going to become harder to get.
Cybersecurity awareness has its benefits and drawbacks…one of those drawbacks is higher premiums for cyber insurance. In Q1 2022 alone, premiums for cyber insurance rose nearly 28% compared with Q4 2021. This is largely due to heightened awareness of the financial and reputational risks of cyber incidents such as ransomware attacks, data breaches, vulnerability exploitation and more. At the same time, underwriters are also making the requirements for obtaining cyber insurance much stricter, requiring things like two-factor authentication and the adoption of specific technologies like EDR, XDR and more. In fact, the application documents used to be two-page questionnaires…now they're full audits and 12+ pages long. So, increasing cyber insurance premiums and stricter requirements to obtain insurance will be interesting hurdles to watch in 2023.
On the flip side, we will likely also see an increase in demand stemming from the rising incidence of supply chain issues. Because of these issues, companies will likely start requiring more and more that any vendor or third party they work with must have cyber insurance. As we're already starting to see, with geopolitical issues spilling out across borders, in addition to the cyber threats companies are constantly facing, companies are going to prioritize protecting their most critical assets (including their reputation). In 2023, demand for cyber insurance will continue to increase, as will prices and requirements for obtaining these policies.
Quantum implications are here and will be painful to adapt to in 2023.
Making infrastructures quantum-resilient is going to be more difficult than imagined, both for the public and private sectors. One major area of concern when it comes to quantum is national security. Governments have secrecy policies that last for decades…those policies are going to be threatened by quantum computing as the technology evolves, with much of the information under these policies being transmitted (and potentially captured in encrypted form) with algorithms that may not be quantum-safe. Within the next 5-10 years, quantum technology will likely become commercially available, making it a very real threat to past and outdated encryption algorithms - many of which are used to conceal the nation's top secrets. Quantum computing is going to be able to overcome complex roadblocks at speeds that will render multiple forms of current encryption useless. For the private sector, trade secrets, intellectual property, financial data and more are at the same risk if a bad actor gets their hands on quantum computing capabilities and breaks the encryption keeping critical assets under lock and key. Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago…but now is the second best time. In 2023, we'll see both the private and public sectors' increased awareness around the challenges associated with quantum resilience, and we'll see efforts begin to take hold more significantly to prepare for quantum computing. Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded (e.g., in certificates) and will take years to transition to quantum-resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing.
Wiperware attacks will increase.
Although wiperware, ransomware's close cousin, has been around for nearly a decade now, we saw a drastic increase in the number of wiperware attacks in 2022. The motivation behind wiperware is almost always to sabotage victims, especially during times of war, as we see with Russia and Ukraine. Seven different types of wiperware have been used to attack Ukrainian organizations in attempts to weaken their abilities to conquer Russia. We can anticipate a rise in nation-state-motivated wiperware attacks in 2023 as the Russia/Ukraine conflict continues, and we can expect to see other nations utilize these attacks in future conflicts now that they've become more prevalent on the global scene. Additionally, with the rise in wiperware, there's likely to be a rise in phishing attacks, given that it's the most common vector for distributing ransomware and wiperware.
The industry will continue to underestimate the importance of securing OT infrastructure.
Operational technology is one of the highest-targeted and lowest-prioritized technology areas out there. OT is low-hanging fruit for attacks, and it is deeply ingrained in critical infrastructure systems that are struggling to keep up with the pace of change in cybersecurity. These systems have more tangible, real-world impacts on broader populations than traditional IT systems do, yet often they're built on legacy systems that have long life/replacement cycles and are outdated quickly, and are often dangerous to patch or "unpatchable" in the first place. This is an obvious attack surface for hackers, especially nation-state actors, because incidents can have far-reaching, physical effects. The tensions rising in the Russo-Ukrainian war and between China and Taiwan only exacerbate the potential threat against OT systems. Securing these systems doesn't mean forcing "new" technology onto the systems – it's not about zero trust or having more regulations or more patching requirements. It's about increasing visibility into assets, implementing mitigating controls and building resiliency plans so that if the worst comes, downtime and impact can be mitigated. In 2023, we're likely to see the industry continue to misconceive what is needed to secure these systems, and we'll likely see a major attack on critical infrastructure because of it.
The recession will cause a reduction in spending on training programs.
Despite the idea that cybersecurity may be a recession-proof industry, it's likely that personnel and quality will take a hit during the economic downturn. We're not seeing core budgets for cybersecurity being cut as of now, but the more 'discretionary' areas, such as training budgets, are likely to see scalebacks. This goes for both security awareness training at companies of all sizes and training cybersecurity professionals on how to adequately protect their critical assets. The industry is already facing a skills shortage, and unfortunately, we're likely to see that skills shortage worsen as the recession takes hold in 2023 due to the increased demand for skilled cybersecurity workers.