2022 is the first year since 2019 that could be described as anything close to “normal.” It’s been a year for taking stock and right-sizing rushed pandemic-driven implementations that prioritized business continuity over security concerns.
2023 will see the end of the pandemic-era triage and catch-up period. For the foreseeable future, organizations will work to prepare for the next disruption, whatever shape it may take.
But even without a full-blown crisis like a global pandemic, the landscape remains complicated. From expanding security-focused legislation to the well-documented cybersecurity labor shortage, CISOs and other security leaders have their work cut out for them.
In 2023, we predict these priorities will rise to the top.
This year, we’ve seen several high-profile breaches involving vendors and contractors that underscore a big truth: their lax security controls and hygiene can compromise your security posture.
In September, an Uber EXT contractor’s login credentials were purchased on the dark web, likely stolen by infecting the contractor’s personal device with malware. The perpetrator then “MFA-bombed” the contractor with authentication requests until the contractor finally accepted one, granting access to Uber’s systems.
Once on the network, the attacker exploited hardcoded domain admin credentials for Uber’s privileged access management (PAM) solution. With these good-as-gold credentials in hand, the perpetrator could then access practically all of Uber’s internal systems, from AWS to Slack, from employee dashboards to code repositories.
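The MFA-bombing pattern in the Uber incident (and the accepted-prompt pattern in the Okta/Sitel case below) is detectable from authentication logs: an approval that arrives only after a burst of push prompts to the same user. The following is an added example, not code from Cyolo, Uber or Okta; the log format, field names, sample lines and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format; not from any real system).
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 event=push_sent src=203.0.113.7
2022-09-15T22:01:41Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T22:02:10Z user=contractor01 event=push_sent src=203.0.113.7
2022-09-15T22:02:55Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T22:03:20Z user=contractor01 event=push_sent src=203.0.113.7
2022-09-15T22:04:02Z user=contractor01 event=push_sent src=203.0.113.7
2022-09-15T22:04:30Z user=contractor01 event=push_approved src=203.0.113.7
2022-09-15T22:05:00Z user=alice event=push_sent src=198.51.100.9
2022-09-15T22:05:12Z user=alice event=push_approved src=198.51.100.9
"""

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts_str, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, window=timedelta(minutes=10), max_pushes=3):
    """Alert when a user approves a push after >= max_pushes prompts within `window`.

    The thresholds are assumptions for this example; tune them to your IdP's
    normal retry behaviour. Denials inside the window are reported as context.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["user"]].append(rec)
    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["event"] != "push_approved":
                continue
            start = rec["ts"] - window
            prior = [r for r in recs[:i] if r["ts"] >= start]
            pushes = sum(1 for r in prior if r["event"] == "push_sent")
            denials = sum(1 for r in prior if r["event"] == "push_denied")
            if pushes >= max_pushes:
                alerts.append({"user": user, "approved_at": rec["ts"],
                               "pushes": pushes, "denials": denials, "src": rec["src"]})
    return alerts
```

A single approval after several denials is the signal worth paging on; number matching or a hard cap on prompts per session removes the pattern at the source.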
In January, a support engineer with Okta’s third-party customer support vendor, Sitel, accepted an MFA request that gave a threat actor access to the engineer’s workstation. From there, the attacker could access Okta’s customer support panel, local applications like Slack and Jira, and data for several of Okta’s customers.
Sitel blamed the breach on the legacy systems of a company it had recently acquired. The breach did not stem from Okta’s security controls but from Sitel’s; however, the consequences were very real for both companies.
In both of these cases, the damage was minimal. The Uber attacker seemed motivated by the notoriety of breaching a big-name target, while the Okta attacker only had access for 25 minutes or so. Still, you don’t want to find yourself at the mercy of a bad actor or a vulnerable vendor for even 5 minutes.
The use of third-party vendors and contractors is simply a reality for modern businesses. However, breaches like these will cause CISOs and company leaders to vet their partners’ security controls more thoroughly before entering a business relationship. We’ll see leaders pay closer attention to details within their security audits and reports, including remote connectivity protocols, internal security policies, and the level of access their partners need.
Organizations will no longer assume vendors have proper security hygiene, and blind implicit trust will (rightly) become a thing of the past. The industry will begin implementing more secure architectures that tailor access for third parties and other high-risk users with more granularity and precision. Although budgets aren’t likely to increase, leaders will grow more diligent with lower-cost activities like reviewing access policies, de-duplicating user accounts, and emphasizing better security hygiene. These practices will help insulate against third-party vulnerabilities and better protect organizations’ expanded networks.
There’s light at the end of the tunnel regarding the cybersecurity labor shortage, but it remains distant. According to Cybersecurity Ventures, the workforce gap has stopped growing – but it won’t start shrinking until 2026.
To fill the gap in the meantime, many leaders in the security world suggest widening the net of potential talent. Traditionally, the highest-level roles require credentials above and beyond a standard education, sometimes even a master’s degree. While organizations remain slow to lower the standards of expertise for hiring cybersecurity talent, they are exploring ways to transition technical team members into security functions.
In 2023, educational pathways to the cybersecurity field will grow more popular and expand as the need and potential wages increase. In time, this will stock the pipeline of cybersecurity workers, but until then, organizations will build internal training programs to transform IT generalists into security professionals.
Consulting giant Deloitte is already pursuing this strategy with a train-to-hire initiative that prepares candidates to fill jobs they wouldn’t normally qualify for. In 2023, we’ll see more boot camps and training programs to ramp up software engineers, data scientists, and even UI/UX designers and other non-traditional experts into the security space.
According to Gartner, 30% of nation-states plan to pass legislation in 2023 regulating ransomware payments, fines, and negotiations. This marks a significant 29% increase since 2021, and it will lead businesses to approach their security strategies with compliance in mind.
In 2023, federal regulations will most impact industries like healthcare, financial services, and utilities. Still, we predict general regulations will retain some flexibility. Given the various needs of organizations and the rapidly changing threat landscape, regulations cannot be “one size fits all.” Overly rigid regulations would entangle organizations in red tape and hinder their ability to adapt and respond quickly to incidents.
Forward-thinking organizations will use compliance standards as a starting point for their security strategies rather than the end goal. They will find ways to bake compliance into their processes instead of regarding it as a speed bump to innovation. Organizations that neglect to do so will suffer in terms of agility, reputation, and bottom line.
According to Gartner, 88% of boards of directors view cybersecurity as a business risk. Through the pandemic, many security teams enjoyed larger budgets to secure the “new normal,” but Gartner predicts the pace of investment will cool in 2023. While non-technical leaders in the C-suite are coming around to the fact that cybersecurity is no longer just an IT problem, they’re also assessing the ROI of the past few years of heavy spending.
This growing acceptance of the fact that IT and security are business risks marks an important change for the enterprise world. Thanks to digital transformation, every business is now a software business at some level. And as such, IT and security leaders must develop the business acumen to articulate the ROI on their initiatives, build interdepartmental relationships, and extend accountability for security across the enterprise.
As cybersecurity increasingly impacts the organization’s bottom line, CISOs and other security leaders will be expected to help lower cybersecurity insurance premiums. They’ll work to extend controls like multi-factor authentication and single sign-on to every part of the organization. They’ll also endeavor to secure legacy applications and the “last mile” of their systems.
In 2023, security leaders who possess the soft skills necessary for building buy-in and creating a culture of security will rise to the top of the industry.
As in the case of the Uber breach, hacker groups will continue to hunt the “whales,” growing their reputation by taking on the giants in technology and other industries. Any company that people use regularly on a personal or corporate basis will become a major target.
In addition, threat actors will focus on users rather than systems. IBM estimates that 48% of compromises arise from users. This means more phishing, more social engineering, and more overall efforts to steal or otherwise obtain user credentials. With users being relentlessly targeted in this way, IT and security teams must work to take the burden of security out of the hands of business users. Doing so will afford a more seamless workflow for business users and, crucially, will help ensure that security protocols are actually followed.
The pandemic brought to light several major gaps that the security world had simply avoided talking about. Heading into 2023, the stakes around legacy systems, over-permissioned users, misconfigured networks, and other common vulnerabilities are simply too high to put off any longer. Bridging the gap between legacy and modern systems will be a challenge that looks different for every organization – but it should be a priority for all.
Likewise, in a work landscape where remote and hybrid arrangements have become permanent, adopting the zero-trust security framework will become a top priority for organizations across industries. This “never trust, always verify” approach means that no user or device will be inherently trusted. In addition, companies must implement stronger authentication controls, manage continuous authorization, and enforce the principle of least privilege to create an environment where identities are verified on an ongoing basis.
Whether you’re just beginning your zero-trust journey or looking for a partner to help you across the finish line, Cyolo is here to help. Our one-of-a-kind zero-trust access platform retrofits your existing infrastructure to secure everyone and everything — everywhere — with minimal disruption. Schedule a consultation to tell us more about your biggest challenges and see the Cyolo platform in action.
Samuel is the Director of Product Marketing at Cyolo. Before cybersecurity, he spent 7 years working in the ER and loves to tell stories. He is the husband to one, father to four, lives in Bozeman, MT, and would rather be outside. He holds an M.A. in Strategic Leadership from Life Pacific University.