Our top cybersecurity predictions for 2023

It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released their top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.

In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.

What Cybersecurity Lessons Did We Learn in 2022?

The breaches, hacks, and cyber breakdowns in 2022 taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:

  • You can’t rely on MFA.
  • Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
  • Don’t sacrifice security for a 1% improvement of your product. Constant re-architecting creates numerous security holes.
  • Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.

What Are the Top Cybersecurity Predictions for 2023?

The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski Security are:

  1. Basic, human-targeted attacks will be the biggest risk to cyber defenses.
  2. Zero trust will replace VPN.
  3. Insider and third-party risk will rise.
  4. Reliance on passwords will decline.
  5. Skepticism around blockchain security and availability will continue.
  6. Quantum-interested companies will need to start assessing risks.

Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks, will be the biggest risk to cyber defenses.

In 2023, we will see the most basic security attacks (email compromise, Active Directory attacks, ransomware, phishing, and multi-factor authentication attacks) continue to be the most effective and lucrative for cybercriminals.

Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and emerging MFA bombing schemes are more sophisticated than ever and will render cybersecurity training ineffective.

To combat these attacks, corporate security teams should not trust human factors. Instead, they should adopt an offensive security posture. Detection and response initiatives should focus on preventative features instead of reactive quick fixes.

Prediction #2: Zero trust will replace VPN to secure a distributed workforce.

In 2023, zero trust will replace virtual private networks completely as security teams adjust to a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Mistrusting every device is the key to supporting and securing remote workforces.

Can zero trust be a business enabler? Read our take in this blog post from Vincent Whaart.

Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.

The impending recession will loom even closer in 2023, and cybercriminals will take advantage of the dire economic situation to bribe their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”

Attackers will set aside their hacking skills and instead single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.

Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.

Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.

While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The recent Uber breach highlighted the flimsiness of MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords and password managers.

Prediction #5: Skepticism around blockchain security and availability will continue without more caution.

2023 will be another tumultuous year for blockchain technologies unless they shift away from “point in time” security measures. Currently, too much trust is placed in code being perfect.

Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars of bridge hacks that occurred in 2022 put a huge dent in users’ confidence in blockchain security.

Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.

In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.

Prediction #6: Companies concerned about quantum computing should begin assessing risks now.

Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the incredible investment required yet. That said, companies that stand to lose the most from future quantum attacks (e.g., financial services, defense contractors, and especially companies that transmit extremely sensitive data) should begin assessing their risks now.

What Impact Will the Recession Have on Security Teams in 2023?

The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.

American privacy laws will likely rise to meet current European standards, putting a renewed focus on security and compliance in boardrooms and C-suites.

Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.

What Should Security Leaders Prioritize in 2023?

In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:

  • Adopting an offensive security posture rather than a defensive one.
  • Focusing detection and response initiatives on preventive features instead of reactive fixes.
  • Phasing out VPN in favor of zero trust strategies for the remote workforce.
  • Building out a strong vendor risk management program to protect against third-party risk.
  • Looking for alternatives to MFA while implementing stronger password requirements and account protections.
  • Working smarter and consolidating to meet the evolving economic and tech landscape.
  • Bolstering availability and security of blockchain-related services.
  • Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.

Get in Touch

Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with our team here.

Can Zero Trust be a business enabler? It’s all about perception.

It was back in 2017 that the Economist predicted data would replace crude oil as the world’s most valuable resource and that there would be a new “asset-light” economy built on digital rather than physical infrastructures. In hindsight, we could say, yes, of course that’s the case. We know the value of data and those digital infrastructures today, especially as we witnessed the explosion of remote work, online transactions, and virtual interactions brought about by the coronavirus pandemic.

We also know that data is not just a valuable resource. It can also be a liability. Bruce Schneier describes it as a “toxic asset.” The more data you have and the more accessible it becomes, the larger your attack surface. So while data is driving change in the business, it is also introducing risk. Our digital infrastructures and data, therefore, require a delicate balance of security and risk, and it’s a balance many organizations have yet to strike.

Zero Trust Architectures are a byproduct of this evolution, and, I’d argue, an enabler of future digital transformation. Because ultimately, a Zero Trust approach is about making business assets accessible to the right people at the right time regardless of where they or the asset reside. (If you’re looking for more information about Zero Trust Architectures and how to get started, I recommend this blog post by my colleague Bojan Zelic.)

Unfortunately, that’s not the way most people think about Zero Trust. They may think it’s another product they have to buy and configure. Or they may think Zero Trust is too restrictive and will inhibit business processes and operations. Fortunately, neither of those things is true. The right security measures, just like brakes on a car, can and will enable the business to move faster. But it will take a shift in perceptions across business, IT, and, yes, even security in order to make it possible.

Security needs to be perceived differently by business owners, all the way up to the CEO.

For many companies today, the C-suite will evaluate security based on the number of incidents that occur. If there are no security incidents, security must be doing a fantastic job! Incidents, as we know, do not represent the entire security picture.

Expanding on the car analogy above, when somebody wins a Formula 1 race, the press will talk about the driver and the engine. Was it a Red Bull or a Ferrari? What doesn’t get mentioned is the security that made the win possible — the brakes that worked correctly, the pit crew that changed out a worn tire. These security features are enablers of the car’s performance just as Zero Trust is an enabler of the business.

This is the type of shift in thinking that needs to happen in order for Zero Trust and security in general to be more accepted by the business. So how do you do this? Frame the conversation in terms of risk. If the car doesn’t have brakes, it will spin out on the turns. If medical data ends up in the wrong hands, what are the consequences? If we want to offer more personalized financial services, what data will we need and who will have access?

Security needs to be perceived differently by the IT organization.

For many engineers and IT professionals, security is perceived as a checklist dictated from above. It’s another task added to an already long to-do list rather than something that can add value to the organization. There are a few strategies for changing this mindset.

First, security should be greatly incentivized with bonuses during the IT engineering processes. If someone in the company finds a bug or vulnerability, they should be rewarded.

Second, I recommend decoupling security goals from IT projects to avoid security becoming a roadblock. In other words, don’t make your goals as a security team someone else’s problem.

Finally, create a direct link between the CISO and the CEO. Oftentimes, the CISO will report into the IT organization. If it’s not possible to move this team out from under the CIO, at least ensure that there are strong communication lines between the CISO and the rest of the C-suite. If there is a risk that would impact the entire company financially or reputationally, the CEO should be aware.

Security needs to be perceived differently by security professionals.

This one will hit a bit close to home, but stick with me. We as security professionals have gotten comfortable in one of two lanes. We either take a theoretical, top-down approach to security or a more practical, hands-on approach. Neither of these is inherently wrong, but ideally we’d have a blend of both.

In a theoretical, top-down approach, you spend a lot of time on documentation, assessments, and reviewing industry standards. These are all valuable exercises, but we come up short when we fail to turn these requirements into practices.

On the other hand, sometimes we leave security up to two highly skilled engineers who have no problem staying on top of day-to-day tasks but don’t necessarily have the 10,000-foot view of what the organization’s security needs are and how to standardize them.

To understand how both approaches can work together, let’s use a security monitoring scenario.

The MITRE ATT&CK framework is a widely known, comprehensive taxonomy of real-world use cases for how to monitor security incidents along the attack chain. This is a wonderful industry standard that applies to the majority of attacks security teams will encounter. And, better yet, managing security against this framework can be automated.

But for more sophisticated attacks, there is still a need for a more practical, hands-on approach led by a seasoned security analyst. It requires someone with a lateral-thinking mindset, similar to that of experienced chess players. In chess, even among experts in all the openings, the best players are the ones who can improvise to outsmart their adversary. Security teams will need to adopt this lateral-thinking approach to stay one step ahead of attackers.

Starting Your Zero Trust Journey

This post presented a high-level view of the changes that must take place culturally and politically in order for Zero Trust security to enable digital transformation for the business. Of course, there are many finer points to consider when it comes to implementing Zero Trust architectures and controls within your own organization. Kudelski Security’s Advisory team can help identify the right plan or evaluate programs that are already in place. Contact us here to learn more.