As our home networks continue to merge with the enterprise, and as enterprises across all industries become more dispersed, cybersecurity threats increase. Along with ongoing digital transformation and the proliferation of cloud, that dispersal introduces new challenges for the cybersecurity community. The past 12 months have proven that adapting hasn’t been easy.
According to Gartner, last year there were “sustained big game ransomware attacks, multiple attacks on the digital supply chain, deeply embedded vulnerabilities, and increasing attacks on identity systems.”
With that in mind, I wanted to take a moment to look back on some cybersecurity trends from 2022 that surprised me — while looking ahead to what we can expect from the industry in 2023 and beyond.
What shocked me the most was how little was done about remote access and supply chain security, especially given how important they both are, and how long the cybersecurity industry has been banging its drum about tackling these issues. Implementing more robust security measures around remote access and supply chain has been a priority for a decade now, and I really thought we’d see broader adoption across industries as things began to return to (some version of) normal as COVID restrictions began easing. Everyone was going to address these problems. But no one did.
According to The 2022 Ponemon Institute State of Cybersecurity and Third-Party Remote Access Risk Report, 54% of organizations experienced a cyberattack in the last 12 months, while 75% of respondents said they’ve experienced a significant increase in security incidents — most often due to credential theft, ransomware, DDoS, and lost or stolen devices. We clearly have a lot of work to do to make enterprise environments — both remote and brick-and-mortar — more secure.
When President Joe Biden issued an executive order in May 2021 to improve the nation’s cybersecurity, it was a huge win for enterprises across all industries. The executive order stated that the country “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” All true, and all vitally important to discuss, especially at the federal level. However, policies and regulations (especially surrounding cybersecurity) rarely function as an immediate salve. They set the floor, not the ceiling.
The executive order — which improves baseline cybersecurity measures, and even mentions things like zero trust and supply chain security by name — is unquestionably a boon for the cybersecurity community and enterprises across industries. But setting broad policies for the entire country doesn’t translate to the swift, sudden, and widespread adoption of bleeding-edge cybersecurity technologies across the board, either. It’s about reasonable expectation setting. Broad regulatory intervention won’t take immediate effect or have an immediate impact — so the sooner enterprises take their cybersecurity into their own hands, the better.
That doesn’t mean we shouldn’t celebrate this executive order, by the way — we absolutely should — or shy away from future conversations involving policy and regulation. But it is important to be realistic about what to expect from such policies and regulations: The Biden administration’s executive order was an important first step, but it doesn’t mean that we should expect to see a 50 percent decrease in supply chain breaches within six months either. These things take time. (Again, as I mentioned up top: We should really be taking supply chain security more seriously in the coming years.)
According to the US Census Bureau, the number of people working primarily from home tripled between 2019 and 2021, from roughly 9 million to just under 27 million — an uptick accelerated significantly by the pandemic. While there’s been a lot of noise in 2022 about employers suggesting (or outright demanding) their workers return to the office, data suggests that remote work is here to stay. In fact, remote work is actually likely to increase going forward, especially for those working professional jobs.
This shift has major implications for cyber professionals across all industries. For starters, the attack surface has massively expanded since the onset of the pandemic. Dispersed workforces, increased use of the cloud, interconnected digital supply chains, the advancement of public-facing digital assets, and more widespread use of operational technology outside traditional work environments have been hugely difficult to cope with. I expect that will continue to be the case, which is why it’s critical that enterprises act now, and not after they’ve experienced a breach or an attack.
And even if the traditional work environment hadn’t been completely turned on its head by the pandemic, hybrid work was already on the march, and would have continued to advance. Maybe not at the rate it has in the past three years, but hybrid enterprise environments were inevitable, which means businesses would have had to prepare for these kinds of cybersecurity threats sooner or later. There is too much intrinsic organizational value in a distributed workforce — from diversity of talent to efficiency of capital — to go back to the way things were before 2020.
Of course, with that intrinsic organizational value come considerable (and inevitable) cybersecurity risks, especially around identity, permissions, and rights distribution. So, the big question becomes “How, with a workforce that is distributed across the country (or the globe), do we ensure everyone has the access they need to do their jobs effectively in a hybrid environment, but doesn’t have access to anything more than they need?”
When enterprises were less dispersed — for example, when critical infrastructure and information systems were locked behind your castle doors, and your castle was surrounded by a moat, so to speak — there was an assumption (even if not always correct) that security wasn’t an enterprise’s top priority. Breaching a physical location is, after all, more difficult than attacking critical infrastructure that exists in, and relies on, the cloud. A remote employee’s laptop can be more easily breached by a malicious actor than a server inside a physical building without internet access.
Clearly, hybrid work is not going away, and the implications of a breach are something the modern enterprise cannot afford, especially in today’s economy. Building robust protocols that tackle security at the core (specifically around remote access and digital identity management) is more essential now than ever.
Manufacturing was impacted enormously by the pandemic. As the sector continues to recover, it will look to digital transformation to find efficiencies and solve resource shortages. Indeed, we’re already witnessing manufacturers adopt state-of-the-art interconnected technology, like various industrial IoT solutions. This ongoing modernization will no doubt be beneficial for the industry (supply chain headaches should ease, for example), but with the implementation of new and novel technologies come new and novel challenges — not least of which will be cybersecurity.
In addition, although many modern smart factories can move forward with advanced innovations, there are still several small and mid-sized manufacturers grappling with the complexities posed by their hybrid environments. Finding security solutions compatible with patchwork infrastructure, often composed of decades-old on-premises technology alongside the cloud, will be another major cybersecurity hurdle facing the manufacturing industry.
Take identity access and permissions, for example (which are, to be sure, mission-critical components of sound cybersecurity practices for any enterprise). As it stands, just 36 percent of organizations have visibility into the level of access and permissions both internal and external users have to their systems. That’s a lot of access that’s unaccounted for. Letting users into your organization’s systems should not be taken lightly. If an organization doesn’t know who’s accessing its systems, it’s ignoring risk — and a potential attack on its network, data, and assets. Instituting more robust privileged and third-party access controls, along with other zero trust policies, can help organizations bolster their cybersecurity defenses.
Ultimately, Gartner nailed it when they predicted in 2022 that attack surface expansion (caused by the dispersal of enterprises), supply chain risk, and identity threat detection and response would be three of the biggest cybersecurity trends in 2022. In many ways, I think the same goes for 2023. Regulation certainly helps move the needle, but cybersecurity best practices are always evolving because threats are always evolving. Businesses across industries need to understand this — and take the initiative to ensure malicious actors can’t gain access to their systems.