Why Businesses Need to Think Like Hackers This Year

Security professionals must update their skill sets and be proactive to stay ahead of cybercriminals. It's time to learn to think and act like an attacker to cope with the cyber "new normal."

Haris Pylarinos, Founder and CEO, Hack The Box

January 17, 2023

5 Min Read
Cybersecurity concept art
Source: vska via Alamy Stock Photo

2022 was a turbulent year for cybersecurity teams. Through the pandemic, cybercriminals took advantage of misaligned networks as businesses moved to remote work environments. Attacks globally increased by 125% through 2021 and continued upward in 2022. 

It's clear old practices are no longer working. Defensive, reactive, and recovery postures aren't fit-for-purpose in the face of an ever-evolving wave of sophisticated attacks. Outmanned, underskilled, and overwhelmed security teams are at the breaking point as they struggle to cope with this cyber "new normal."

A new proactive offensive approach is needed to take the fight to cybercriminals rather than waiting to be hit. For security professionals, this means learning to think and act like a hacker.

Only by understanding the latest techniques and methods being used by bad actors, and continuously updating your skill set accordingly, can you hope to stay ahead of cybercriminals and find system vulnerabilities before they do.

The hacker mindset isn't just for frontline security teams, though. It should be an organizational-wide shift in approach that's all about looking ahead, using out-of-the-box thinking, and responding to threats creatively.

So this could be the HR team "hacking" its recruitment process by removing restrictive hiring criteria to unlock a new pool of cyber talent, just as much as it could be the cybersecurity team hacking its own network to find flaws in the code.

I've identified several potential danger areas that I believe will present challenges to businesses this year.

AI Algorithms

AI has made it onto the front pages recently with the success of ChatGPT and social media users sharing their new Lensa avatars across platforms. It's safe to say that AI has reached consumers on all fronts and mass adoption isn't unrealistic. At the same time, AI adoption within businesses has skyrocketed and will continue to do so. The cyber-risk with AI is that it's an algorithm and, like any algorithm, it can be manipulated and hacked into.

Even a tiny change to AI can affect the output, and, generally, AI algorithms aren't able to provide the reasoning behind their conclusions. Therefore, any manipulation to AI can be very difficult to detect. On a small scale, this means tampered algorithms could overwhelm companies relying on AI-generated insights. On a larger, more dramatic scale, if cybercriminals learn how to hack into Facebook, Instagram, or Alexa algorithms, they could manipulate individuals.

Targeting of On-Premises Data Centers

2022 was a tough year for businesses, with the cost-of-living crisis crippling companies worldwide. One of the ways businesses are trying to cut costs is by moving back from cloud to on-premises storage. Cloud infrastructure on its own can be relatively affordable for businesses, but the cloud, configuration, architecture, and security skills required to run the infrastructure can be expensive.

However, for most smaller companies, the cloud can be more secure than on-premises data centers. But for these same companies, properly securing on-premises data centers can be overlooked, and if businesses are vulnerable, hackers will pounce. The reverse cloud migration means businesses will also need to dust off old security skills.

This year, I expect to see a growing demand for retro cybersecurity skills, as businesses revert to old, cheaper ways of working while cybercriminals use modern skills to hack into legacy technology.

Internet of Things Devices: A Cybercriminal Playground

This year, the number of IoT-connected devices is expected to increase to 43 billion worldwide, up by over 13% from 2022. This rate of growth is due to new sensors, more computing power, and reliable mobile connectivity across the world creating greater accessibility. In the UK alone, the average home has 10 connected IoT devices, and as adoption soars, security risks swell. This growth isn't only in the home with smart TVs, speakers, and cameras. Increasingly, business leaders are noting the power of IoT and embracing a number of new connected devices.

Yet, IoT devices are an easy target for cybercriminals, as they're vulnerable to network attacks. A threat actor could exploit an IoT device as an entry point, using it as a stepping-stone to launch a more sophisticated ransomware attack. More worryingly, cybercriminals could use IoT devices to inflict physical harm. For example, if solutions like smart locks or electronic doors are tampered with, this could represent a real risk to human life.

In short, if left unprotected, IoT devices could become a cybercriminal playground in 2023. That's why we'll see the emergence of IoT penetration testing and a greater effort to educate consumers on the vulnerability of their own devices.

Cyberattacks Will Focus on Smaller Enterprises

While high-profile ransomware attacks always make the headlines, I believe small to midsize enterprises (SMEs) will bear the brunt of cybercriminals' malice this year. The fact is many SMEs lack the budget for standard enterprise security practices. As recession looms, it's unlikely there will be further investment to resolve it this year, leaving businesses more vulnerable than ever.

SMEs are already an easy target for socially engineered phishing attacks, but this year cybercriminals will spot the weak links. This could cripple SMEs and lead to a domino effect among smaller businesses.

Staff Training Is Key

2023 has the potential to be a dark year for cybersecurity, which is why it's important for companies of all sizes to make sure their teams are trained with the latest skills (old and new) to fight cybercriminals. As the cyber-professional shortfall stands at 3.4 million, businesses must focus on reskilling and upskilling existing as well as new staff, and this training needs to be practical. Cybersecurity professionals must prevent and respond to attacks with real-life experience to be prompt and effective in their work. With hands-on training that goes beyond theory, they can evaluate attacks in real time, and know what needs to be done to prevent it.

Although budgets are tight, this isn't the time to cut back on security. Instead, more investment is desperately needed to prepare the cyber workforce of the future and protect businesses now.

About the Author(s)

Haris Pylarinos

Founder and CEO, Hack The Box

Haris Pylarinos is skilled in systems engineering due to his many years of experience as a sysadmin in the maritime and is a security expert with over 15 years of experience in the IT and cybersecurity industry.

Haris is an experienced professional in networking and software architecture. In 2017 he founded Hack The Box and has since scaled to more than 170 employees and 1.6 million users. He actively designs Hack The Box products and infrastructure, consults and manages the team across all topics, and stays up to date with the latest cyber security tactics, techniques, and procedures. His vision for the company and the Hack The Box Academy is to make cyber security training accessible to everyone via a gamified, fun, and innovative environment. 

Industry certifications: OSCP, MCSA, MCTS, CEI, CEH.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights