A year is a long time in cybersecurity.
Certainly, there are some constants. Ransomware has been a major cybersecurity issue for years, but shows no signs of going away as cyber criminals continue to evolve their attacks. And significant numbers of enterprise networks remain vulnerable, often as a result of security flaws for which updates have long been available.
But even if you think you’re on top of every software vulnerability in your network, new security flaws are always appearing – and some of them can have a big impact.
Take the Log4j flaw: a year ago it was completely unknown, lurking within the code. But after it came to light in December, it was described by the head of CISA as one of the most serious flaws around. Late in 2022, it’s still an often unmediated security flaw hidden within many organisations’ code – something that is likely to continue far into the future.
Security skills shortages
Whatever the latest hacker trick or security hole discovered by researchers, people – and not technology – are always at the core of cybersecurity, for good and for ill.
That focus starts with, at the basic level, employees being able to identify a phishing link or a business email compromise scam, as well as bosses employing the right information security team, which helps set out and monitor corporate defenses.
But cybersecurity skills are in high demand, to the extent that there simply aren’t enough staff to go around.
“As cyber threats become more sophisticated, we need to have the resources and the right skillsets to combat them. Because without specialized talent, organizations are really at risk,” says Kelly Rozumalski, senior vice president and lead for national cyber defense at Booz Allen Hamilton.
“We need to encourage people from a variety of different backgrounds – from computer engineering and coding to psychology – to explore cybersecurity because for us to really win the war on talent we need to be committed to not just hiring but to building, retaining and investing in our talent,” she says.
It’s vital that organisations have the people and processes in place to prevent or detect cyberattacks. Not only is there the continued day-to-day risk of phishing, malware attacks or ransomware campaigns from cyber-criminal gangs, there’s also the threat from hackers and hostile nation states.
New and bigger supply chain threats
While cyberspace has been an arena for international espionage and other campaigns for some time, the current global geopolitical environment is creating additional threats.
“We’re going back to a geopolitical paradigm that features great power competition, a place we haven’t been in a number of decades,” says Matt Gorham, cyber and privacy innovation institute leader at PwC and former assistant director of the FBI’s Cyber Division.
“And we’re doing that when there’s no true consensus, red lines or norms in cyberspace,” he adds.
For example, technology involved in running critical infrastructure has been targeted by Russia in its ongoing invasion of Ukraine.
In the hours running up to the start of the invasion, satellite communications provider Viasat was affected by an outage that disrupted broadband connections in Ukraine and across other countries in Europe – an incident that Western intelligence agencies have attributed to Russia. Elon Musk has also said that Russia has tried to hack the systems of Starlink, the satellite communications network run by his SpaceX rocket firm that is supplying internet access to Ukraine.
But it isn’t just in a war zone where hostile states are looking to cause disruption with cyberattacks: organizations, particularly those involved in criticial supply chains, are finding themselves being targeted by state-backed hackers too.
Just look at how Russian hackers compromised a large software provider with malware, which pushed a malicious update out, providing a backdoor into the networks of several US government agencies.
“Concerns are always driven by real-world events. And so, for the last couple of years, we’ve seen nation-state supply chain attacks that caused everyone to think about the supply chain risk associated with that,” says Gorham, who urges organizations to think about not just how they can prevent cyberattacks, but also how to detect malicious intrusions into the network and deal with them appropriately.
“If a state is determined to get on your systems, they have the resources and the capacity to do so – so it’s about detecting them and evicting them,” he adds.
Often, it isn’t advanced techniques that allow attackers to enter networks, it’s common vulnerabilities such as having weak passwords, not applying security updates or a lack of two-factor authentication (2FA). And sometimes, especially in the case of critical infrastructure and industrial networks, the software running those systems can be many years old.
Web3 and IoT: New problems or back to basics?
But just because something is new, that doesn’t mean it’s automatically secure either – and as technologies such as Web3 and the Internet of Things (IoT) continue to make headway in 2023, they’ll become an even bigger target for cyberattacks and hackers.
There continues to be a lot of hype about the potential of Web3 – a vision of the web that takes control away from big companies and decentralizes power among users by using blockchain, cryptocurrency and token-based economics.
But like any new technology, especially one that comes with a lot of excitement and hype, security is often forgotten about as software development rushes to release products and services – as demonstrated by various hacks against crypto exchanges where attackers have stolen millions in crypto.
“People get really excited about new technology. Then they forget to consider the security flaws because they’re in such a rush to implement it. With Web3, we’re seeing that kind of situation, where people have been hyped to get started – but security gets left behind,” says Katie Paxton-Fear, lecturer in cybersecurity at Manchester Metropolitan University and a bug bounty hunter for HackerOne.
Because of this situation, bug bounty hunters are finding many vulnerabilities in Web3 applications and services. They’re often major vulnerabilities that could be extremely lucrative for malicious hackers if they discover them first – and potentially costly for users.
But while some of these vulnerabilities are novel and complex, many of the security breaches that have hit cryptocurrency exchanges and other Web3 services have been down to misconfigured services or phishing attacks, where criminals got hold of passwords.
So, while experimental and unusual vulnerabilities are an issue, putting cybersecurity basics in place can help stop Web3 breaches, particularly as the technology becomes more popular – and a more attractive target for cyber criminals.
“It’s almost like we’re kind of looking at these really cool new vulnerabilities and getting hyped by them – but we forget things like access control,” says Paxton-Fear.
While blockchain and Web3 might still be considered niche technologies for now, the Internet of Things isn’t, with billions of devices in homes and workplaces installed around the world, including some that help power critical infrastructure and healthcare.
But as with other new technologies, there’s the risk that if these connected devices are not secured properly, then they could be disrupted, or even leave whole networks vulnerable. That’s a gap that needs to be considered as connected devices become ever-more prevalent in all our lives.
“It’s a really hard predicament that we’re in. But we have to pay attention to it,” says Rozumalski at Booz Allen Hamilton. “Right now, bad actors can get in through a medical device and use that as a pivot point to take down the entire hospital network – that could obviously have an impact on patient care.”
What’s key, she argues, is that it’s imperative for hospitals, critical infrastructure providers of any other organizations to recognize that cybersecurity has a key role in planning and decision-making processes in 2023 to help ensure that networks are as secure against threats as possible.
The 2023 cybersecurity outlook
“Security has to have a seat at the table, and it’s very, very critical. But you need to think through strategically how to mitigate those risks, because these devices are important,” Rozumalski says – and she believes that progress is being made, with boardrooms becoming more aware about cybersecurity issues. However, there’s still much work to do.
“I think we’ve taken a lot of steps over the past year that are going to start to put us in a better and a better light and be able to really combat some of these threats in the future”.
And she’s not the only one who thinks that, while cybersecurity and cybersecurity budgets still need more attention, things are moving in the right direction generally.
“There’s an increasing realization that it’s a significant and broad threat and there is significant risk out there – that makes me have some optimism,” says PwC’s Gorham, although he’s aware that cybersecurity isn’t suddenly going to be perfect. As the world moves into 2023, there’s still going to be plenty of challenges to deal with.
“The threat’s not going away – it’s significant and going to only become more significant as we continue to transform digitally. But I think the fact that we’re coming to terms with it today is a good sign for the future,” he says.