As businesses digitize and become more interconnected, and attackers grow more sophisticated, cybersecurity risk is evolving in novel ways.
But what lies ahead for security and risk management leaders as we welcome 2023?
In a recent online event, Bitsight teamed with Moody’s Investors Service to discuss the cybersecurity trends to watch in 2023 – both good and not so good – and how security leaders can adapt their programs to increase preparedness.
1. Economic uncertainty hits the SOC
Cybersecurity has historically been a challenging area to staff and largely spared the job cuts that impact other IT functions. But, in the face of strong economic headwinds, layoffs in the security operations center (SOC) are mounting, reducing defenders’ ability to prevent and respond to cyber incidents.
2. Ransomware goes global
The globalization of ransomware attacks will accelerate in 2023. Until now, large-scale attacks have generally been concentrated in the United States. But, as a result of increased regulations and protections following the 2021 Colonial Pipeline hack, opportunistic hackers are exploring new targets.
In the first half of 2022, global ransomware attacks increased significantly, with the highest risk ratio occurring in Argentina (+56%), U.K. (+55%), Brazil (+50%), France (+42%), and India (+37%).
Businesses, governments, and critical infrastructure providers – in the U.S. and globally – must continue to be on their guard. To learn more about best practices for protecting against ransomware attacks, download our eBook.
3. Increased executive oversight of cyber risk
In the fight against cyber crime, one of the most significant positives is that business leaders now equate cyber risk with enterprise risk, rather than just a technical issue.
This is reflected in a new study by Gartner which finds that, by 2026, 50% of executives will have performance requirements related to cyber risk built into their employment contracts.
This is a positive trend that will continue in 2023. Learn more about how CISOs can help business leaders succeed in this new world order.
4. Greater regulatory scrutiny
2022 bore witness to a flurry of cybersecurity regulations and directives from agencies including the SEC and CISA, as well as The White House Cybersecurity Executive Order. Although distinct, each reflects a growing mandate for government agencies and certain business sectors to maintain a baseline security posture and accelerate the disclosure process for “material” cyber incidents. Similar requirements exist globally, including GDPR and UK data protection laws.
However, there are still open questions, such as what constitutes a “material” cyber incident. Compliance is further complicated by the fact that organizations must navigate different global reporting standards and in-country variations.
2023 should bring clarity, but organizations subject to these regulations should prepare now. Check out these resources, including information on cybersecurity frameworks that can reduce risk and ensure compliance.
5. Supply chain risk
To digitally transform, organizations must rely on a widening ecosystem of software providers. However, this interconnected and interdependent digital world increases cyber risk.
To reduce this risk, many large tech vendors have committed to developing and distributing their software according to higher security standards. Software security practices are also being advanced by initiatives like the Open Source Software Foundation.
Still, the risk of being the victim of a third-party data breach is rising – 73% of organizations have experienced at least one significant disruption caused by a third party.
Given this, organizations must step up their third- and fourth-party risk management programs and ensure they have continuous visibility into cyber risks lurking in their extended supply chains – during onboarding and for the life of those relationships.
6. Social media upheaval
Social media platforms already had a history of data security problems, but dwindling staff numbers at Twitter – from the CISO down – have raised fresh concerns that mass layoffs have left the company and its users vulnerable to attacks, including phishing schemes and executive or brand impersonation.
Security leaders should continue to monitor the situation and have clear rules around who has access to the corporate social media account. They should also strengthen security controls, such as avoiding sharing credentials and auditing the account to ensure it is not being abused.
7. Cyber insurers get tough on underwriting
Cyber insurance can limit the financial impacts of a security incident. But, as the number of attacks increases, insurers will continue to step up their scrutiny of policyholders’ security postures.
In addition to evidencing basic cybersecurity hygiene measures, such as multi-factor authentication and secure remote access controls, insurers will increasingly require organizations to provide technical telemetry and data points that validate the insured’s security performance. These could include insights into security control implementation, anomalous network activity, cloud configurations, and other indicators of risk (such as those monitored by Bitsight) that enable insurers to assess risk in a more proactive way.
8. Quantifying cyber losses takes center stage
As cyber risk grows, executives, board members, credit agencies, and insurers want to know what losses a business may face in the event of an attack.
Historically, this was a highly manual process that required significant time and resources. But, today, companies can streamline the process with automated, scenario-based loss estimates.
For example, Bitsight Financial Quantification for Enterprise Cyber Risk combines data from across the business to quickly and easily simulate financial exposure across multiple scenarios, including ransomware, data breaches, supply chain hacks, and regulatory compliance issues.
Running these simulations will only grow in importance as security and risk leaders are required to lead meaningful conversations with the board and other stakeholders on the impact of cyber risk.
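To show what a scenario-based loss estimate actually computes, here is an added illustrative example (not Bitsight's method, data or product code). It runs a Monte Carlo simulation over a small set of constructed scenarios, each modelled as a compound Poisson process: an annual event frequency and a lognormal loss per event. The scenario names and all parameter values are assumptions chosen for illustration only; the output is an expected annual loss, loss percentiles for board-level conversation, and an analytic check that the simulation is behaving.

```python
import math
import random
from statistics import mean

# Constructed scenario parameters (illustrative assumptions, not real data):
# annual_rate = expected number of events per year,
# median_loss = median cost of one event in USD, sigma = lognormal spread.
SCENARIOS = {
    "ransomware":   {"annual_rate": 0.30, "median_loss": 1_500_000, "sigma": 1.0},
    "data_breach":  {"annual_rate": 0.20, "median_loss": 3_000_000, "sigma": 0.8},
    "supply_chain": {"annual_rate": 0.15, "median_loss": 2_000_000, "sigma": 1.2},
    "regulatory":   {"annual_rate": 0.10, "median_loss":   800_000, "sigma": 0.6},
}


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) by inversion (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_year(rng, scenarios):
    """Simulate one year: per scenario, draw how many events occur and sum their costs."""
    losses = {}
    for name, p in scenarios.items():
        count = poisson(rng, p["annual_rate"])
        total = 0.0
        for _ in range(count):
            # lognormal with the given median: mu = ln(median)
            total += rng.lognormvariate(math.log(p["median_loss"]), p["sigma"])
        losses[name] = total
    return losses


def expected_annual_loss_analytic(scenarios):
    """Closed-form mean of the compound Poisson model, used to sanity-check the simulation."""
    return sum(
        p["annual_rate"] * p["median_loss"] * math.exp(p["sigma"] ** 2 / 2)
        for p in scenarios.values()
    )


def run_simulation(scenarios=SCENARIOS, years=10_000, seed=1):
    """Return expected loss, loss percentiles and per-scenario contribution over `years` trials."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    yearly = [simulate_year(rng, scenarios) for _ in range(years)]
    totals = sorted(sum(y.values()) for y in yearly)

    def percentile(q):
        return totals[min(len(totals) - 1, int(q * len(totals)))]

    return {
        "expected_annual_loss": mean(totals),
        "p50": percentile(0.50),
        "p95": percentile(0.95),   # "1-in-20-year" loss, a common board metric
        "p99": percentile(0.99),
        "by_scenario": {n: mean(y[n] for y in yearly) for n in scenarios},
        "prob_any_loss": sum(1 for t in totals if t > 0) / len(totals),
    }


if __name__ == "__main__":
    result = run_simulation()
    print(f"Expected annual loss: ${result['expected_annual_loss']:,.0f}")
    print(f"Analytic check:       ${expected_annual_loss_analytic(SCENARIOS):,.0f}")
    for key in ("p50", "p95", "p99"):
        print(f"{key}: ${result[key]:,.0f}")
    for name, val in result["by_scenario"].items():
        print(f"  {name:<13} ${val:,.0f}")
```

The percentile figures, not the mean alone, are what matter for a loss conversation: a heavy-tailed scenario such as the constructed supply-chain entry contributes modestly to the expected loss but dominates the 99th percentile. Comparing the simulated mean with the closed-form value is a cheap way to catch a broken frequency or severity model before the numbers reach a board deck.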
How can organizations prepare for 2023?
The panel ended with this advice for security and risk management leaders:
1. Put people first
As organizations emerge from the COVID-19 pandemic only to face potentially tough economic times, business leaders must ensure that security and risk management teams receive the care they need to overcome the challenges that 2023 brings.
2. Collaborate with insurers and credit agencies
Cyber risk has the potential to cause significant financial disruption. Simultaneously, there’s a growing intersection between cyber risk and credit risk. If the C-suite is having conversations with insurance companies or credit agencies (like Moody’s) without engaging the company’s security professionals and engineers, they are doing it wrong.
Insurers and credit rating agencies can only accurately measure and quantify an organization's cyber risk exposure when all parties are involved in the process.
3. Monitor and visualize risk across the digital ecosystem
Security pros can leverage tools like Bitsight to gain real-time and actionable insight into their organizations’ security postures and potential risk exposure. They can then share that information using a common language that facilitates a two-way conversation between the security team and executive leadership about the best strategy to reduce cyber risk.