As we inch closer to 2023, learn from Patrick Harr a few trends and predictions related to security.
Companies are facing new and more sophisticated cyber threats from bad actors that could threaten their security posture. As we slowly head toward 2023, Patrick Harr, chief executive officer, SlashNext, shares a few security trends organizations should look out for.
New and more sophisticated cyberattacks are threatening organizations’ security postures. As we inch closer to a new year, here are a few trends and predictions about cyber threats companies should watch out for to improve their security posture.
Personal communication channels will play a much bigger role in the attack paths that bad actors engineer to target businesses. Once an individual user is compromised, the bad guys can move laterally to get to the business. And because email has at least some protections in place today, cybercriminals are turning more attention to these other communications channels instead and seeing much higher success rates.
The biggest gaps in security postures come from employees’ personal data in the new hybrid workforce. These blind spots are becoming more apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, Facebook Messenger, Snapchat, and gaming, to perpetrate an attack. Then it just becomes a matter of penetrating laterally through the organization from its external foothold.
Also, more people now use the same device for both their business tasks and their personal life, which is a significant blind spot. I only see that trend accelerating in this coming year. It all comes back to “how do I validate that you really are the person I am communicating with?” or “is this the trusted file or corporate website link that I assumed it was?”
The single biggest threat to any company is not machine security anymore — it is truly the human security factor. That is why these attacks on humans will continue to increase because humans are fallible and get distracted, and many threats are not easily identified as malicious.
Don’t expect major cuts to security budgets in the coming year as the risks from cyberattacks continue to rise.
At a high level, we should expect a downturn in overall IT spending as the economy tightens. But despite the downturn, security is so important that it will continue to drive its current spending levels to combat the risks from increasing threats.
One of the key security challenges involves ransomware, which remains a board-level topic. With ransomware, it is not a matter of if it will strike — it is only a matter of when. Solving this problem will require putting more proactive mitigation controls in place to be prepared before an attack occurs. In fact, the number one cause of ransomware is phishing at the user level. Protecting the human element from spear phishing, credential stealing, and business email compromises can greatly reduce the chances of ransomware.
Another critical area of concern involves the danger of an insider threat, which is even more problematic in a downturn. CISA defines an insider threat as the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. Disgruntled employees may gain access to protected information before leaving their company and then take the data or credentials home with them. However, insider threats do not always come from disgruntled employees, as they often stem from unintentional mistakes. At the end of the day, the security policy should always be not to trust anything and to verify everything.
In addition to building better security controls, security teams should emphasize the need for security insurance policies. Most companies are given almost unlimited budgets to react to cyberattacks after the fact. But they get much smaller budgets to put proactive security measures in place before an attack occurs. Taking a proactive approach is comparable to preventing a heart attack before it happens by eating well and exercising.
One final point about security in a downturn — we will see more cases of fraud and scams attempted on the personal side of communications and the business side through business email compromises and business text compromises. This could involve asking users to change their personal bank account info or call a toll-free line to give up protected information. We expect these attacks to become more weaponized in the coming year.
Phishing scams increasingly target seniors to take advantage of their relative lack of technical computer skills and limited awareness about this new wave of security threats.
The FBI recently published a significant scam report about cryptocurrency frauds targeting seniors. We expect to see this trend accelerate in the coming year as we move into an economic downturn and recession, leading to more desperation. Unfortunately, more seniors will fall prey to these kinds of get-rich-quick schemes as crypto scams from bad actors become more prevalent.
Additionally, service providers like GoFundMe will have an increased responsibility to verify the legitimacy of campaigns on their sites by putting in more brand protection controls. This goes back to “how do you verify and validate if this is a real user, real campaign, or real piece of information on the site?” We may even see government regulation start taking shape to enforce this responsibility.
Organizations that fail to address the human element of security will suffer because security training is not effective enough to protect users from all types of unrecognizable attacks.
My advice is to protect the human side of your security posture because the most unprotected part of your IT stack involves your employees and partners, including third-party contractors. Security training is focused on the people side of the business. But these attacks are now so sophisticated that it’s unrealistic to expect users to detect malicious intent with training alone. Training is necessary, but it should not be the only line of defense. That’s why we need to augment user security training by putting stronger AI controls in place. Remember that your people are your most attacked vector and the most unprotected aspect of your security posture. You simply cannot train these kinds of attacks out of users.
The metaverse, digital twins, and similar advanced technologies will present new security challenges for organizations and individual users. Artificial intelligence solutions will be needed to validate the legitimacy of identities and controls.
When we think of the metaverse today, we often envision immersive gaming environments such as Fortnite. However, the metaverse will eventually reach beyond gaming into nearly all aspects of business and society. This new digital interface will present unforeseen security risks when avatars impersonate other people and trick users into giving away personal data.
We already see significant attack patterns that compromise users who click on a bad file or a malicious link. It could be a credential-harvesting ploy conducted through a spoofed URL or a social engineering attack launched through a natural language message that triggers malware or ransomware. Then there are doctored videos of synthetic media “deep fakes,” which can cause viewers to question whether someone or something they see is real or fake. We also find this trend with digital twins that allow users to conduct physical facility maintenance remotely through a digital environment. We can expect to see more of these holographic-type phishing attacks and fraud scams as the metaverse develops. In turn, folks will have to fight AI with stronger AI because we can no longer rely solely on the naked eye or human intuition to solve these complex security problems.
Cyberattacks from nation-states are accelerating and adding a dangerous new element to the security landscape, while threats from independent hackers are also becoming more perilous.
We see a growing concern from Russian state actors as they become more desperate in their ongoing war against Ukraine. They will likely try to inflict greater pain, so the best security strategy is to reinforce the protection of the most critical infrastructure against attacks.
However, the biggest nation-state cyberattack threat to the U.S. comes from China, which aims to dominate 20 major global industries. The fastest way to achieve that goal is through cyber espionage to gain access to intellectual property, chip designs, healthcare information, and more. That is something we must pay attention to.
At the other end of the spectrum from the threat of nation-states, don’t underestimate a 14-year-old lone wolf hacker who can also infiltrate and compromise your environment and cause lasting damage. We have already seen this play out through social engineering attacks at Uber, Twitter, and elsewhere. With the proliferation of access to the cloud, automation, and shared software repositories, it has never been easier to be a successful bad actor.
Blockchain may become a valuable tool to help authenticate open-source software and validate the identities of open-source programmers.
There is a growing dependency on open-source code and tools among businesses of all sizes. Based on this shift, we expect a need for improved validation methods to verify that contributors in the open-source community are really who they say they are. Going forward, blockchain ledgers could be used to validate the integrity of open-source contributors and help increase public trust in open-source platforms and tools.
Staying abreast of these trends helps strengthen your security posture against possible future threats.