With the worst of the global pandemic now thankfully in the rear-vision mirror, Australian businesses are trying to figure out how to emerge stronger in the year ahead and what 2023 might have in store.
There are a range of factors that need to be considered. Ongoing hybrid work practices, disrupted supply chains and uncertain economic conditions all make crystal ball gazing a somewhat challenging task.
When it comes to cybersecurity, however, things are much clearer. As a result of recent high-profile data breaches, businesses are acutely aware that their IT infrastructures need to be fully protected.
There are nine key trends that will shape the cybersecurity landscape during the coming 12 months. They are:
- The evolution of Zero Trust:
Zero Trust will continue to be adopted by more organisations and will evolve throughout 2023. Some cybersecurity vendors will incorporate positive authentication and behavioural monitoring, while others will offer a closed security model that demonstrates what should happen when a negative Zero Trust event occurs (a request that fails policy, or activity that looks malicious), expanding the messaging they use around Zero Trust. There will therefore be positive Zero Trust solutions that manage authentication and authorisation workflows, and negative Zero Trust solutions that dive in deep when malicious activity is detected. Complete end-to-end solutions covering both appropriate and inappropriate behaviour under a Zero Trust model will also start to emerge.
- The rise of camera-based malware:
Mobile phone cameras have evolved rapidly over the past few years. During 2023 we are likely to see the first of many exploits that target the cameras themselves and the software embedded within them. Many phone cameras have been augmented with algorithms to recognise QR codes and with artificial intelligence to enhance pictures. These code-recognition and image-processing capabilities are the attack surface cybercriminals will aim at, seeking to cause disruption or gain access to sensitive data.
- The appearance of ‘ransom vapourware’:
Another cybercrime tactic that will be used during 2023 is so-called ransom vapourware: attempted extortion based purely on the threat of publicising a fictional data breach. The general public readily accepts the veracity of breaches reported in the news, often without evidence. For a cybercriminal this means the need to perpetrate an actual breach can be removed; the threat alone becomes the attack vector. We have already seen a similar situation in which an attacker purported to hold significant Okta customer data when what they had actually breached was a third-party supplier. The practical defence is the same as for a genuine breach claim: verify the claim against your own logs and your suppliers' before engaging with the extortionist or making any public statement.
- Multi-Factor Authentication (MFA) will come under fire:
During the past 12 months, terms such as MFA bombing, MFA bypass and MFA fatigue became widely used as the weaknesses of common MFA methods were recognised. In 2023 a new round of attack techniques that successfully bypass multi-factor authentication will emerge. The risks of using SMS as an MFA factor are already well understood. However, alternatives such as push notifications will also be more widely exploited: an attacker who already holds a valid password can trigger a stream of prompts until a tired user approves one. Businesses need to consider moving away from these methods and making wider use of biometrics or FIDO2-compliant authenticators, which are phishing-resistant because the credential is bound to the device and to the site it was registered with, so there is no code or prompt for a user to approve on an attacker's behalf.
- Cyber insurance will become unattainable:
The cost of cyber insurance policies continued to rise during 2022, and in 2023 an increasing number of businesses will find they cannot obtain coverage at all because insurers deem them too great a risk. Many insurers now demand detailed evidence of a business's cybersecurity controls (MFA, backups, patching and endpoint detection are commonly asked about) and decline coverage where these are judged insufficient. Businesses may find their only options are to self-insure or to purchase cover with an extremely limited scope and a long list of exclusions.
- The death of the personal password:
The coming 12 months could well see the end of the personal password as the primary means of authentication. Instead, increasing numbers of applications and services will start to use advanced, non-password technologies such as biometrics to authenticate users. Personal accounts will usually still be backed by a password as the ultimate fallback (which means the password remains a target, and account-recovery flows deserve the same scrutiny as login), but the need to remember and type passwords will decline rapidly as the more robust alternatives mature.
- Ransomware payments will be banned:
Many governments will move to introduce legislation that bans businesses from paying ransomware demands. The logic is that if payments cannot be made, cybercriminals will see no point in mounting attacks. The process of putting such legislation in place is already underway in the United States, and other countries are likely to follow a similar path. For businesses, this makes tested offline backups and a rehearsed recovery plan the only dependable way out of an incident, since paying would no longer be an option.
- Social engineering attacks will continue to increase:
Attacks using social engineering techniques have been popular with cybercriminals for some time, and they will increase further in number during 2023. Many will use fake profiles on social media platforms such as LinkedIn to obtain details from legitimate users that can then be used against them. Businesses must realise they cannot rely on social media for any form of identity validation. Doing so can result in access to resources being unknowingly granted to criminals, who can then cause widespread disruption and loss.
- The number of breaches will rise dramatically:
Unfortunately, 2023 will bring with it a record-breaking number of cyberattacks against organisations of all sizes. While not all will be of the prominence of the recent Medibank and Optus incidents, many will still cause significant problems for victims.
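Returning to the MFA trend above: push bombing leaves a recognisable trace in authentication logs, namely a tight cluster of denied or unanswered prompts for one user, sometimes ending in an approval. The script below is an added example written for this article, not code from the original piece or from any identity provider. It scans a constructed, hypothetical log format (timestamp|user|event|source_ip) with made-up event names and thresholds; a real deployment would swap in the vendor's own schema in parse_line() and tune BURST_THRESHOLD and WINDOW.

```python
"""Detect MFA push-fatigue (push-bombing) patterns in authentication logs.

Added example for the MFA trend discussed above, not code from the original
article. The log format (timestamp|user|event|source_ip) and the event names
are constructed for this illustration; real identity providers emit their own
schemas, so parse_line() is the part to adapt.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Thresholds are assumptions chosen for the demo, not values from the article.
BURST_THRESHOLD = 3               # rejected/unanswered prompts that count as a burst
WINDOW = timedelta(minutes=5)     # how tightly packed the prompts must be


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # push_denied | push_timeout | push_approved (constructed names)
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form ts|user|event|src_ip."""
    ts, user, kind, src_ip = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, src_ip)


def detect_fatigue(events: Iterable[Event]) -> Dict[str, str]:
    """Map each suspicious user to a verdict.

    "attempt": at least BURST_THRESHOLD prompts were denied or timed out within
               WINDOW. The attacker must already hold a valid password to
               trigger pushes, so even this verdict means the first factor is gone.
    "success": such a burst was followed, within WINDOW of its last prompt, by
               an approval, i.e. the user most likely gave in.
    """
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    findings: Dict[str, str] = {}
    for user, evs in by_user.items():
        rejected = [e for e in evs if e.kind in ("push_denied", "push_timeout")]
        for i, first in enumerate(rejected):
            # All rejections that fall inside WINDOW of this starting prompt.
            burst = [r for r in rejected[i:] if r.ts - first.ts <= WINDOW]
            if len(burst) < BURST_THRESHOLD:
                continue
            last = burst[-1]
            approved_after = any(
                e.kind == "push_approved" and last.ts <= e.ts <= last.ts + WINDOW
                for e in evs
            )
            findings[user] = "success" if approved_after else "attempt"
            break  # one verdict per user is enough for triage
    return findings


def analyse(log_text: str) -> Dict[str, str]:
    """Convenience wrapper: raw log text in, verdicts out."""
    lines = (line for line in log_text.splitlines() if line.strip())
    return detect_fatigue(parse_line(line) for line in lines)


# Constructed sample: alice gives in after three prompts, bob keeps declining,
# carol's single denial followed by a much later approval is normal behaviour.
SAMPLE_LOG = """\
2023-02-01T09:00:05|alice|push_denied|203.0.113.7
2023-02-01T09:00:41|alice|push_denied|203.0.113.7
2023-02-01T09:01:20|alice|push_timeout|203.0.113.7
2023-02-01T09:02:02|alice|push_approved|203.0.113.7
2023-02-01T09:10:00|bob|push_denied|198.51.100.9
2023-02-01T09:10:30|bob|push_denied|198.51.100.9
2023-02-01T09:11:15|bob|push_denied|198.51.100.9
2023-02-01T10:30:00|carol|push_denied|192.0.2.44
2023-02-01T11:15:00|carol|push_approved|192.0.2.44
"""

if __name__ == "__main__":
    for user, verdict in analyse(SAMPLE_LOG).items():
        print(f"{user}: possible MFA fatigue {verdict}")
```

On the sample, alice is reported as a likely "success" and bob as an "attempt"; carol is not flagged. A "success" verdict should trigger session revocation and a credential reset, and an "attempt" verdict should still trigger a password reset, because the attacker needed a valid password to generate the prompts in the first place. Number matching or FIDO2 authenticators remove this whole class of alert, since there is no bare approve button for a user to press under pressure.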
Faced with these trends, it is vital that businesses carefully review the security measures they have in place and work to address any weaknesses that might exist. With the cyber threat landscape constantly changing, delaying these steps could be extremely costly.