Making predictions for the year to come is often a fool’s errand since no one holds a functional crystal ball (that we know of). But making good cybersecurity predictions is a fairly easy (and important) task. It’s going to be more of the same from last year. But likely worse! (Or at least more creative, slick, sneaky, damaging, and expensive.) In this month’s post, we’re looking back at the trends from 2022 and ahead at what’s likely to happen in 2023.
Last year was an expensive year for cyberattacks. Hackers went for big targets and asked for big ransoms.
Ransomware peaked early, then ebbed in the third and fourth quarters. Attackers went after massive targets like the entire country of Costa Rica, where 50% of the data stolen from the government was published online, including 850 gigabytes of material from the Finance Ministry. CommonSpirit Health, a Chicago-based health system with 142 hospitals and over 150,000 employees, was breached and its EHR system was taken offline. Patient care was impacted due to a lack of access to health records. The company is now being sued for negligence.
Email compromise grew more sophisticated but still most commonly involved phishing. The phishing messages were just that much better–more slick and realistic. Asylas worked with several clients on invoice fraud attacks that came in via very sophisticated phishing emails. The UK’s National Health Service was compromised when phishing emails were sent to over 100 employee accounts. The campaign was attempting to steal Microsoft credentials.
Uber suffered a social engineering attack when an employee clicked on a fake two-factor authentication request. The attackers used the compromised account to gain access to an internal network and a variety of internal systems.
Finally, IoT devices remained a rich target for hackers. Veridify Security found that there was a 77% increase in malware attacks on IoT/connected devices in the first half of 2022. Ransomware attacks through these devices were actually down, but the devices are an increasingly popular target for cryptojacking. Malicious cryptomining is estimated to cost victims $53 for every $1 the attacker makes, leading to massive cloud bills and financial losses.
Early January is an exciting time to work in technology. This year, the Consumer Electronics Show returned in full force for the first time since the pandemic started. It’s thrilling to see what cutting-edge technologies companies are dreaming up. Unfortunately, the show is also a preview of all the ways consumers (and the companies who make products) are willing to open themselves up to threats.
Though manufacturers are poised to flood the market with wearables and other home-based devices, few, if any, addressed the security concerns of these sometimes hasty-to-market products. Biological tracking devices were a big category at CES. The Withings U-Scan got a lot of hype but did not advise potential users on how personal data, such as what you are eating, drinking, smoking, or otherwise ingesting, might be treated once it’s uploaded to a server somewhere. Smart TVs also want to continue gobbling up our data, with no signs (at CES anyway) of cybersecurity maturity among their developers.
So, what, other than more doodads to connect us to the internet of things, does 2023 hold in terms of cyber threats?
We definitely expect to see more targeted, specific ransomware. Attackers are getting better at what they do and looking for bigger scores. They are likely to hit multi-national targets with critical systems whose business integrity will suffer from long outages. But little guys are not immune either!
As a result of rising ransomware threats, we also expect the costs of cyber insurance to soar. Agreements will also carry stricter pre-policy standards. Claims and deductibles will increase and payouts will decrease. We may even see sectors excluded from cyber insurance eligibility altogether. In short, it’s going to be very hard to get covered and very hard to get paid.
Watch for an increase in insider threats. The employment landscape is in a strange place right now. Employees who are worried about recession or downsizing (see all the big tech firms) are ripe targets for outsiders looking to leverage ill will for their gain. Disgruntled employees who have been laid off also need to be monitored as they exit the company–removing access to all systems in a timely manner will be critical.
On the tech side, experts are predicting a massive push for SASE (secure access service edge) to address the needs of more diverse, widely distributed networks of users. We will also see more adoption of Zero Trust principles, which are currently underutilized.
As always, the best defenses against cyber threats are preparation, prevention, and employee education. Stick to these fundamentals and execute them well.
For security professionals, segment your network, set up reliable backups, and have a solid incident response strategy.
You also have to make employees aware of the threat–education is a must. Teach everyone (even executives) at your company how to recognize and avoid phishing scams. Require strong, frequently changed passwords with multi-factor authentication.
Defend IoT devices in your office and home by keeping software updated at all times. Use strong encryption on WiFi and 5G networks.
If you need help preparing your defenses in the year ahead, call 615-622-4591 or email firstname.lastname@example.org. Or complete our contact form.