Our top cybersecurity predictions for 2023

It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released its top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.

In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.

What Cybersecurity Lessons Did We Learn in 2022?

The breaches, hacks, and cyber breakdowns of 2022 taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:

  • You can’t rely on MFA alone. Push-notification and SMS factors fall to prompt bombing and real-time phishing; only phishing-resistant factors such as FIDO2/WebAuthn security keys hold up against them.
  • Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
  • Don’t sacrifice security for a 1% improvement to your product. Constant re-architecting opens new security holes faster than they can be closed.
  • Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.

What Are the Top Cybersecurity Predictions for 2023?

The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski Security are:

  1. Basic, human-targeted attacks will be the biggest risk to cyber defenses.
  2. Zero trust will replace VPN.
  3. Insider and third-party risk will rise.
  4. Reliance on passwords will decline.
  5. Skepticism around blockchain security and availability will continue.
  6. Quantum-interested companies will need to start assessing risks.

Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks will be the biggest risk to cyber defenses.

In 2023, we will see the most basic security attacks — email compromise, Active Directory attacks, ransomware, phishing, and multi-factor authentication attacks — continue to be the most effective and lucrative for cybercriminals.

Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and the newer MFA prompt-bombing schemes (flooding a user with push notifications until one is approved) are more sophisticated than ever, and awareness training alone will not stop them.

“Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system.”

To combat these attacks, corporate security teams should not build defenses that depend on human vigilance; controls such as phishing-resistant MFA and alerting on bursts of push prompts remove the decision from the user. Beyond that, teams should adopt an offensive security posture, and detection and response initiatives should focus on preventative controls instead of reactive quick fixes.
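One concrete form of the "preventative detection" the paragraph above calls for is catching MFA prompt bombing in the identity provider's logs before the user gives in. The following is an added example (not code from the article or from Kudelski Security): it parses a constructed, simplified authentication log, finds users who received a burst of push prompts in a short window, and rates the burst "high" when an approval follows earlier denials, which is the signature of a user who finally accepted. The log format, field names, window and threshold are all assumptions; map them to your IdP's export.

```python
"""Detect MFA push-bombing ("MFA fatigue") bursts in authentication logs.

Added example; not part of the Kudelski Security article.  Log format,
field names, window and threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format): "<ISO-8601 UTC> <user> mfa_push <sent|denied|approved> <source IP>"
SAMPLE_LOG = """\
2022-11-14T02:01:05Z alice mfa_push sent 203.0.113.7
2022-11-14T02:01:09Z alice mfa_push denied 203.0.113.7
2022-11-14T02:01:40Z alice mfa_push sent 203.0.113.7
2022-11-14T02:01:44Z alice mfa_push denied 203.0.113.7
2022-11-14T02:02:15Z alice mfa_push sent 203.0.113.7
2022-11-14T02:02:20Z alice mfa_push denied 203.0.113.7
2022-11-14T02:03:01Z alice mfa_push sent 203.0.113.7
2022-11-14T02:03:03Z alice mfa_push denied 203.0.113.7
2022-11-14T02:03:50Z alice mfa_push sent 203.0.113.7
2022-11-14T02:04:10Z alice mfa_push approved 203.0.113.7
2022-11-14T09:15:00Z bob mfa_push sent 198.51.100.22
2022-11-14T09:15:05Z bob mfa_push approved 198.51.100.22
"""

LOG_RE = re.compile(r"^(\S+) (\S+) mfa_push (sent|denied|approved) (\S+)$")
WINDOW = timedelta(minutes=10)   # assumed: prompts closer together than this form one burst
PROMPT_THRESHOLD = 4             # assumed: this many prompts inside WINDOW is abnormal


def parse_events(text):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, result, ip = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "result": result, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per user whose push prompts inside `window` reach `threshold`.

    Severity is "high" when an approval follows at least one denial in the burst:
    the user first said no, then gave in.  Otherwise "medium".
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["result"] == "sent"]
        start = 0
        for end in range(len(sent)):
            # Sliding window: keep sent[start..end] within `window` of each other.
            while sent[end]["ts"] - sent[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Burst found: look at everything from its first prompt to one window past its last.
            first, last = sent[start]["ts"], sent[end]["ts"]
            tail = [e for e in evs if first <= e["ts"] <= last + window]
            prompts = sum(1 for e in tail if e["result"] == "sent")
            denials = sum(1 for e in tail if e["result"] == "denied")
            seen_denial = gave_in = False
            for e in tail:
                if e["result"] == "denied":
                    seen_denial = True
                elif e["result"] == "approved" and seen_denial:
                    gave_in = True
            alerts.append({
                "user": user,
                "burst_start": first.isoformat(),
                "prompts": prompts,
                "denials": denials,
                "approved_after_denial": gave_in,
                "severity": "high" if gave_in else "medium",
                "source_ips": sorted({e["ip"] for e in tail}),
            })
            break  # one alert per user; the rest of the burst is covered by `tail`
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect_mfa_fatigue(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A "high" alert is the moment to force a credential reset and revoke sessions for that user rather than wait for a ticket; a "medium" alert with no approval is still worth a call, because the attacker already holds a valid password.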


Prediction #2: Zero trust will replace VPN to secure a distributed workforce.

In 2023, zero trust will replace virtual private networks as the primary way to secure a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Treating every device and every access request as untrusted until it is authenticated and authorized, regardless of the network it comes from, is the key to supporting and securing remote workforces.

Can zero trust be a business enabler? Read our take in this blog post from Vincent Whaart.

Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.

The recession expected in 2023 will give cybercriminals an opening to bribe or coerce their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”

Rather than exploiting software, attackers will single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.

Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.

Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.

While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The 2022 Uber breach, in which an attacker bombarded a contractor with push prompts until one was approved, highlighted the flimsiness of push-based MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords, password managers, and phishing-resistant factors such as FIDO2 security keys and passkeys.

Prediction #5: Skepticism around blockchain security and availability will continue without more caution.

2023 will be another tumultuous year for blockchain technologies unless the industry shifts away from “point in time” security measures. Currently, too much trust is placed in audited code being flawless.

Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars lost to bridge hacks in 2022 put a huge dent in users’ confidence in blockchain security.

Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.

In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.


Prediction #6: Companies concerned about quantum computing should begin assessing risks now.

Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the considerable investment required yet. That said, companies that stand to lose the most from future quantum attacks — e.g., financial services, defense contractors, and especially companies that transmit extremely sensitive data — should begin assessing their risks now. The concrete near-term exposure is “harvest now, decrypt later”: traffic protected today with RSA or elliptic-curve key exchange can be recorded and decrypted once a capable machine exists, so data whose confidentiality must last a decade or more is already at risk. An inventory of where such algorithms are used, informed by the post-quantum algorithms NIST selected in 2022, is the first assessment step.

What Impact Will the Recession Have on Security Teams in 2023?

The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.

US privacy laws will likely move closer to current European (GDPR-level) standards, putting a renewed focus on security and compliance in boardrooms and C-suites.

Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.

What Should Security Leaders Prioritize in 2023?

In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:

  • Adopting an offensive security posture rather than a defensive one.
  • Focusing detection and response initiatives on preventive features instead of reactive fixes.
  • Phasing out VPN in favor of zero trust strategies for the remote workforce.
  • Building out a strong vendor risk management program to protect against third-party risk.
  • Replacing push- and SMS-based MFA with phishing-resistant factors while implementing stronger password requirements and account protections.
  • Working smarter and consolidating to meet the evolving economic and tech landscape.
  • Bolstering availability and security of blockchain-related services.
  • Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.

Get in Touch

Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with our team.

Building a Vendor Risk Management Program

Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a robust VRM program.

You may have a grasp on your own organization’s security and have good data and threat visibility, but beyond your environment, you are blind. You have limited control over the security measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a potential breach of your environment, too.

In short, their risk is yours.

You may be able to surface, assess, and mitigate their risks if it’s just a question of a few vendors, but most businesses have a vendor list that can reach thousands — from parts suppliers, cloud solution providers, and law firms to call centers, consultants, and human resource benefit providers. The list of data they potentially have access to is equally long — from trade secrets and IP to personal data and company policies. All of this is at risk if your vendors do not have adequate security and privacy protections in place.

So, how, as a security leader, should you design, establish, and maintain a vendor risk management program that will help you sleep better at night? You start with the following objectives:

  • Identify the cybersecurity risks within the supply chain and business vendor landscape
  • Continuously evaluate and monitor the effectiveness of vendors in managing cybersecurity risk to an acceptable level
  • Provide a mechanism to respond to a vendor’s security failures that impact your business
  • Provide awareness to senior management and Board regarding vendor risks

As you consider these objectives, build out your vendor risk management program based on industry best practices. The following best practices should be considered as you design your program:

Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is the vendor master in the organization’s accounts payable system, which identifies every vendor you are paying for goods and services. Once you have the inventory, you can place vendors in risk tiers. Your risk modeling approach should consider the type of data the vendor accesses, the criticality of the vendor to your business processes, the vendor’s connectivity to your data, systems and networks, and any recent experience with the vendor (such as an incident or a failed assessment). Creating risk tiers will allow you to build a program that is responsive to the risk in each tier and to focus your limited resources on the areas of greatest risk.

As you build your vendor risk program, you should work closely with procurement, legal, and other functions. Your cybersecurity vendor risk program should integrate with your organization’s vendor life cycle processes. Security requirements should be defined and used when identifying new vendors. Selection, negotiation and contracting should include security and privacy protections in contracts; onboarding and implementation should include an appropriate security review; and termination processes should ensure destruction or removal of sensitive data. With strong collaboration across functions, a more unified vendor risk program can be implemented that addresses all key risk areas, including financial viability, safety, and legal compliance.

There are many approaches to evaluating and monitoring vendors. Popular techniques to evaluate how vendors are addressing their cybersecurity risk include: surveys and questionnaires; review of third-party audits and certifications; onsite visits; technical testing; and continuous monitoring. As you design your program include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be used to determine the extent and frequency of evaluation. Higher risk vendors will need higher levels of assurance such as completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might need to complete a simplified questionnaire or be subject to less frequent review. Also be reasonable in what you expect from vendors; don’t ask for information that you are not using to evaluate risk. Far too many vendor questionnaires request data that is never used in the risk management process.

Your vendor risk program should use automation to help efficiently manage many of the vendor risk processes. Over the last several years there has been significant growth in the number of tools that can help automate aspects of your vendor risk management program; Gartner now tracks this as a separate category of software. Many integrated risk management or governance, risk and compliance tools provide third-party risk management modules, and there are also many solutions that focus solely on vendor risk. Most of these solutions now run as software-as-a-service. Many include the ingestion of intelligence about a vendor’s cybersecurity profile, financial condition, and business conduct to complement other frequently used evaluation methods (such as security questionnaires and onsite visits). Integration with procurement, ERP and service management tools is also becoming commonplace.

Vendor risk management is still a relatively new field and continues to evolve. VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in place to reduce the burden on vendors completing literally hundreds of questionnaires. Security certification programs are gaining more prominence as vendors seek to provide assurance that their security programs meet acceptable industry standards.

When a vendor suffers a data breach or significant security incident, your business may also be impacted. Your program design should integrate vendor risk management into your incident response process. Studies indicate that 60% of data breaches involve a third party. Your vendor cybersecurity requirements should stipulate how soon you should be notified of a potential security breach or incident. Your incident response playbooks should address the actions your incident response team should take when a vendor incident occurs. Critical vendors should be included in your incident response tabletops and simulations.

Boards of Directors are increasingly asking security leaders about third party risks. Your program should include dashboards and metrics that measure and report on third party risk. Senior leaders and governance boards want to know how third-party risk is being addressed. Your program should capture and report on key metrics such as the percentage of vendors included in the program, the percentage of higher risk vendors evaluated or under continuous monitoring, exception rates, and the reduction of risk achieved.
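The tiering model described under identifying risks, the tier-driven evaluation cadence described under evaluating and monitoring vendors, and the coverage metrics described in the paragraph above fit together naturally in one small program. The following is an added example (not code from the article or from Kudelski Security) showing one way to implement them: an additive score over data class, criticality and connectivity, an override rule for combinations that are Tier 1 regardless of score, a one-tier bump for a recent incident, a per-tier evidence and review-interval table, and the board-level metrics computed over a constructed vendor list. The field values, weights, cut-offs, cadence and sample vendors are all assumptions to be tuned to your own program.

```python
"""Vendor risk tiering, assurance cadence and program coverage metrics.

Added example; not part of the Kudelski Security article.  Scoring weights,
tier cut-offs, cadence table and the sample vendors are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    data_class: str      # "public" | "internal" | "confidential" | "regulated"  (assumed scale)
    criticality: str     # "low" | "medium" | "high": impact on your business process if the vendor fails
    connectivity: str    # "none" | "saas_upload" | "api" | "network": reach into your systems
    recent_incident: bool = False            # breach or failed assessment observed in the last year
    last_assessed_days_ago: Optional[int] = None   # None = never assessed


# Assumed weights: more sensitive data, higher criticality and deeper connectivity score higher.
DATA_SCORE = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
CRIT_SCORE = {"low": 0, "medium": 1, "high": 2}
CONN_SCORE = {"none": 0, "saas_upload": 1, "api": 2, "network": 3}

# Assumed per-tier assurance: (evidence required, review interval in days).
CADENCE = {
    1: (["full questionnaire", "SOC 2 / ISO 27001 report", "technical testing or onsite audit",
         "continuous intelligence monitoring"], 365),
    2: (["standard questionnaire", "SOC 2 / ISO 27001 report"], 730),
    3: (["simplified questionnaire"], 1095),
}


def risk_score(v: Vendor) -> int:
    return DATA_SCORE[v.data_class] + CRIT_SCORE[v.criticality] + CONN_SCORE[v.connectivity]


def risk_tier(v: Vendor) -> int:
    """1 = highest risk.  Override rules beat the additive score; an incident bumps one tier."""
    if v.data_class == "regulated" and v.connectivity in ("api", "network"):
        tier = 1  # regulated data reachable programmatically is always Tier 1
    else:
        s = risk_score(v)
        tier = 1 if s >= 6 else 2 if s >= 3 else 3
    if v.recent_incident:
        tier = max(1, tier - 1)
    return tier


def assurance_plan(v: Vendor) -> dict:
    """What evidence the vendor owes you, how often, and whether it is currently overdue."""
    tier = risk_tier(v)
    evidence, interval = CADENCE[tier]
    overdue = v.last_assessed_days_ago is None or v.last_assessed_days_ago > interval
    return {"vendor": v.name, "tier": tier, "evidence": evidence,
            "review_every_days": interval, "assessment_overdue": overdue}


def program_metrics(vendors, in_program) -> dict:
    """Board-level coverage metrics: share of vendors enrolled and share of Tier 1 assessed on schedule."""
    enrolled = [v for v in vendors if v.name in in_program]
    tier1 = [v for v in vendors if risk_tier(v) == 1]
    tier1_current = [v for v in tier1
                     if v.name in in_program and not assurance_plan(v)["assessment_overdue"]]
    return {
        "vendors_total": len(vendors),
        "pct_in_program": round(100 * len(enrolled) / len(vendors), 1) if vendors else 0.0,
        "tier1_count": len(tier1),
        "pct_tier1_assessed_on_schedule": round(100 * len(tier1_current) / len(tier1), 1) if tier1 else 100.0,
    }


# Constructed sample inventory (as it might come out of the accounts payable vendor master).
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", "regulated", "high", "api", last_assessed_days_ago=200),
    Vendor("Cloud backup", "confidential", "high", "network", last_assessed_days_ago=400),
    Vendor("Shipping partner", "internal", "medium", "saas_upload", recent_incident=True,
           last_assessed_days_ago=100),
    Vendor("Office catering", "public", "low", "none"),
    Vendor("Law firm", "confidential", "medium", "saas_upload", last_assessed_days_ago=800),
]
SAMPLE_IN_PROGRAM = {"Payroll SaaS", "Cloud backup", "Law firm"}


def run_sample():
    plans = [assurance_plan(v) for v in SAMPLE_VENDORS]
    return plans, program_metrics(SAMPLE_VENDORS, SAMPLE_IN_PROGRAM)


if __name__ == "__main__":
    plans, metrics = run_sample()
    for p in plans:
        print(p)
    print(metrics)
```

The shipping partner is the instructive case: on the additive score alone it is a middling Tier 2 vendor, but the recent incident promotes it to Tier 1, and because it is not yet enrolled in the program it drags down the "Tier 1 assessed on schedule" figure the board will ask about.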

*****

As a security leader you need to develop and continuously evolve your vendor risk management program. Just like most things in cybersecurity, this is not a “one and done” effort. Continue to find ways to build in more continuous monitoring and alerting to augment your periodic reviews. Monitor your coverage and risk profile over time, and periodically refer back to your objectives and validate that your program is appropriately focused and resourced. Keep senior management and the Board updated on vendor risk. Ask yourself: “Do I know who my high-risk vendors are, and am I comfortable with the cyber risk we are accepting?” If the answer is “no”, it is time to update your vendor risk program.