This post is part of our 2023 cybersecurity predictions series.
Kevin Kirkwood, Deputy CISO
Supply chain attacks will continue to be one of the biggest threats to enterprises using open-source software.
Organizations should be on high alert for supply chain attacks if they use open-source software. In recent years, hackers have become more strategic when it comes to exploiting open-source software and code. 2023 will be no different. Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.
Most folks think of ‘supply chain attacks’ as an attack on the physical pipeline that will keep folks from being able to produce physical products. Software supply chain attacks are similar in nature to the physical world. Developers use libraries, executable code and code snippets to complete their software products. If those elements are compromised and malicious code is inserted into those elements, the end product that the developer has produced becomes a vehicle for threat actors to compromise the product and potentially gain entry to the system that houses the software.
In 2023, we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that utilizes third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins. Without a robust scanning program and a ‘curated zone’ for source code and plugins, companies will continue to be at risk.
During a time of economic downturn, cyberattacks will flourish.
When it comes to malicious attackers, organizations need to be acutely aware that we’re not talking about machines or software programs being at the other end of this, we're talking about creative human beings who are motivated and will do whatever it takes to achieve their goal of receiving more money. As organizations balance international turning points with Russia’s war in Ukraine while scaling down operations, threats will inevitably continue to evolve as cybercriminals take this chance to up their attack game during the recession. Therefore, it’s crucial that all organizations are proactive with their security strategies and adopt endpoint technologies and other security solutions that provide preemptive capabilities.
Andrew Hollister, CISO
Ransomware operators will stop encrypting in favor of corrupting files.
Ransomware has been an attack vector in continual development over the years and is perhaps the one common threat that keeps all CISOs awake at night. In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up. Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data. Therefore, the importance of backing up critical business data has never been higher.
Cybersecurity budget conversations will focus on securing critical business assets.
In tough economic times, an organization's c-suite will be focused on cutting what they perceive as non-essential costs. It's exceptionally important that when leadership thinks about cybersecurity budgets, they take the time to carefully analyze and understand what they are protecting from a business perspective.
As cyberattacks continue to rise, I anticipate more organizations will be doubling down on frontline prevention and detection technologies to stay secure and aiming to consolidate cybersecurity tools where possible.
Eric Hart, Manager, Subscription Services
Organizations will reassess and expand end-user awareness training.
Coming to the end of a year in which so many organizations fell victim to social engineering attacks, more organizations will look to invest in training their end users to better detect threats. The past year has seen some big names – the likes of Microsoft, Cisco and Uber – suffer breaches by way of multi-factor authentication (MFA) fatigue, phishing and other social engineering tactics.
With threat groups like Lapsus$ introducing bribery tactics to lure credentials from internal users, many of today’s attacks have evolved beyond the basic phishing techniques that end users are trained to recognize. Organizations will look to reassess their training programs to ensure that users are familiar with the bribery and extortion tactics associated with the latest social engineering schemes. Threat actors are constantly searching for new inroads into networks. Organizations concerned with their security postures will be sure to educate their users on emerging threats.
Organizations will feel the pressure of impending security standards.
The combined efforts of the Cybersecurity & Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) in recent years have led to a series of new cross-sector cybersecurity performance goals (CPGs) that organizations have already begun to implement. The NIST is constantly workshopping its cybersecurity framework with the goal of helping organizations manage and minimize risk. While these standards are designed to strengthen organizations, the process of reaching full regulatory compliance can be tricky. The complexity, along with the growing push for federally enforced compliance, suggests we could see a flurry of activity in 2023 as more organizations seek to adopt these new security standards.
Charles Talley, Senior Director of Services
Competitors within industries will model security strategies of their peers.
Each industry tends to consider itself to be the most threatened by malicious actors. While each sector can surely argue its case, one trend we’re seeing across the board is stagnation in security maturity. So how do organizations determine upgrades to their security approaches? For most, it starts with a close look at the competition. No one wants to feel less secure or equipped than their competitors, so within individual industries, we’re seeing a pattern of organizations comparing themselves to their industry counterparts. Just as competition drives evolution in products or services, it will serve as a catalyst for security upgrades in the year ahead. The ever-looming threat of security incidents will push organizations across industries to reevaluate their security maturity and IT budgets in 2023.
Organizations will turn to subscription and managed services to better manage security.
Developing an IT budget has grown increasingly complex over the last few years – amplified by the industry’s skill shortage – and 2023 looks to be no different. General feelings of economic uncertainty have swept through nearly every sector, leaving executives with a bevy of difficult budgeting decisions. Ultimately, organizations will be looking to do more with less in 2023 – or more with the same, in many instances. One way organizations are hoping to accomplish this is through the prioritization of subscription and managed services in their security budgets. Lean IT teams will turn towards these services to fill internal skill gaps and help achieve organizational security goals, like improving maturity, unlocking 24x7 visibility and optimizing threat detection and response.