2022 was a turbulent year for cybersecurity teams. Through the pandemic, cybercriminals took advantage of misaligned networks as businesses moved to remote work environments. Attacks globally increased by 125% through 2021 and continued upward in 2022.
It's clear old practices are no longer working. Defensive, reactive, and recovery postures aren't fit-for-purpose in the face of an ever-evolving wave of sophisticated attacks. Outmanned, underskilled, and overwhelmed security teams are at the breaking point as they struggle to cope with this cyber "new normal."
A new proactive offensive approach is needed to take the fight to cybercriminals rather than waiting to be hit. For security professionals, this means learning to think and act like a hacker.
Only by understanding the latest techniques and methods being used by bad actors, and continuously updating your skill set accordingly, can you hope to stay ahead of cybercriminals and find system vulnerabilities before they do.
The hacker mindset isn't just for frontline security teams, though. It should be an organizational-wide shift in approach that's all about looking ahead, using out-of-the-box thinking, and responding to threats creatively.
So this could be the HR team "hacking" its recruitment process by removing restrictive hiring criteria to unlock a new pool of cyber talent, just as much as it could be the cybersecurity team hacking its own network to find flaws in the code.
I've identified several potential danger areas that I believe will present challenges to businesses this year.
AI has made it onto the front pages recently with the success of ChatGPT and social media users sharing their new Lensa avatars across platforms. It's safe to say that AI has reached consumers on all fronts and mass adoption isn't unrealistic. At the same time, AI adoption within businesses has skyrocketed and will continue to do so. The cyber-risk with AI is that it's an algorithm and, like any algorithm, it can be manipulated and hacked into.
Even a tiny change to AI can affect the output, and, generally, AI algorithms aren't able to provide the reasoning behind their conclusions. Therefore, any manipulation to AI can be very difficult to detect. On a small scale, this means tampered algorithms could overwhelm companies relying on AI-generated insights. On a larger, more dramatic scale, if cybercriminals learn how to hack into Facebook, Instagram, or Alexa algorithms, they could manipulate individuals.
Targeting of On-Premises Data Centers
2022 was a tough year for businesses, with the cost-of-living crisis crippling companies worldwide. One of the ways businesses are trying to cut costs is by moving back from cloud to on-premises storage. Cloud infrastructure on its own can be relatively affordable for businesses, but the cloud, configuration, architecture, and security skills required to run the infrastructure can be expensive.
However, for most smaller companies, the cloud can be more secure than on-premises data centers. But for these same companies, properly securing on-premises data centers can be overlooked, and if businesses are vulnerable, hackers will pounce. The reverse cloud migration means businesses will also need to dust off old security skills.
This year, I expect to see a growing demand for retro cybersecurity skills, as businesses revert to old, cheaper ways of working while cybercriminals use modern skills to hack into legacy technology.
Internet of Things Devices: A Cybercriminal Playground
This year, the number of IoT-connected devices is expected to increase to 43 billion worldwide, up by over 13% from 2022. This rate of growth is due to new sensors, more computing power, and reliable mobile connectivity across the world creating greater accessibility. In the UK alone, the average home has 10 connected IoT devices, and as adoption soars, security risks swell. This growth isn't only in the home with smart TVs, speakers, and cameras. Increasingly, business leaders are noting the power of IoT and embracing a number of new connected devices.
Yet, IoT devices are an easy target for cybercriminals, as they're vulnerable to network attacks. A threat actor could exploit an IoT device as an entry point, using it as a stepping-stone to launch a more sophisticated ransomware attack. More worryingly, cybercriminals could use IoT devices to inflict physical harm. For example, if solutions like smart locks or electronic doors are tampered with, this could represent a real risk to human life.
In short, if left unprotected, IoT devices could become a cybercriminal playground in 2023. That's why we'll see the emergence of IoT penetration testing and a greater effort to educate consumers on the vulnerability of their own devices.
Cyberattacks Will Focus on Smaller Enterprises
While high-profile ransomware attacks always make the headlines, I believe small to midsize enterprises (SMEs) will bear the brunt of cybercriminals' malice this year. The fact is many SMEs lack the budget for standard enterprise security practices. As recession looms, it's unlikely there will be further investment to resolve it this year, leaving businesses more vulnerable than ever.
SMEs are already an easy target for socially engineered phishing attacks, but this year cybercriminals will spot the weak links. This could cripple SMEs and lead to a domino effect among smaller businesses.
Staff Training Is Key
2023 has the potential to be a dark year for cybersecurity, which is why it's important for companies of all sizes to make sure their teams are trained with the latest skills (old and new) to fight cybercriminals. As the cyber-professional shortfall stands at 3.4 million, businesses must focus on reskilling and upskilling existing as well as new staff, and this training needs to be practical. Cybersecurity professionals must prevent and respond to attacks with real-life experience to be prompt and effective in their work. With hands-on training that goes beyond theory, they can evaluate attacks in real time, and know what needs to be done to prevent it.
Although budgets are tight, this isn't the time to cut back on security. Instead, more investment is desperately needed to prepare the cyber workforce of the future and protect businesses now.