We asked some of our team for thoughts on what they think will be the key trends in security and technology risk in 2023.
From the risks associated with the continued adoption of the Metaverse to the impact of the global economic downturn on technology spending and recruitment, 2023 will continue to create complex challenges for technology and risk professionals.
In this article, our team provide short summaries of their views on the following interesting trends:
- Internet of Things (IoT) security regulation will increase;
- The metaverse will increase opportunities for cybercriminals;
- The threat from ransomware will continue;
- The economic crisis will increase the threat from insiders;
- Technology implemented during Covid to enable remote working will continue to create security and operational concerns; and
- The demand for security and technology risk jobs will continue to outstrip supply.
6 Interesting trends for technology risk and security in 2023
The rapid adoption of IoT will continue in 2023, increasing the opportunities for threat actors to exploit organisations and individuals.
However, given the risks associated with IoT, governments and regulators are expected to ramp up their efforts to standardise security for IoT devices in 2023. Some of the key regulations to look out for include:
- The US will be looking to introduce standardised security labelling to communicate the risks that come along with using internet-connected devices;
- The UK will launch the Product Security and Telecommunications Infrastructure (PSTI) legislation to address connected device security; and
- The European Union’s Cyber Resilience Act will introduce strict IoT security requirements, which include notifying the European Union Agency for Cybersecurity (ENISA) within 24 hours of any actively exploited vulnerability contained in the product.
We expect that cyber security within the metaverse will be one of the hot topics for discussion in 2023, driven by a sharp uptake in adoption by both companies and consumers alike.
One of the major downsides of the development of an emergent technology, such as the metaverse, is that it also creates increased opportunities for criminals, particularly in a space where regulation, consumer protection and privacy rules are still being developed.
The very nature of the metaverse provides cyber criminals with additional opportunities to interact with unsuspecting victims.
For example, a cyber-criminal may conduct reconnaissance for an attack or use social engineering to gather information about an intended target using avatars, which provide an even greater level of anonymity to criminals.
This is compounded by consumers generally not being experienced in the platform; often they are unaware of what data is being shared during their virtual or augmented reality (VR/AR) experience. Much of it is highly sensitive and personally identifiable, and therefore exceptionally valuable to criminals operating in a data-heavy environment like VR/AR.
Since the metaverse is a relatively new area of technology that is still being refined, there are bound to be new undetected vulnerabilities and criminals will look to exploit these emergent threats before they can be remediated.
Concerns related to privacy within the metaverse are also likely to increase due to the sensitive nature of the data that can be collected by using connected devices, such as virtual reality headsets using facial or retina recognition.
Educating companies and consumers on the cybersecurity risks when using the metaverse, and how to address them, will be key to ensuring that we don’t also see a similarly sharp uptake in cyber-criminal activity.
Yes, even though we may be tired of hearing about it, ransomware will remain high on the list of risks for organisations in 2023.
We are likely to see more intrusions conducted by non-organised attackers and non-nation states, with the goal of boosting their “brand”.
In Europe, the number of victims of ransomware is increasing, and if that increase continues, Europe will likely become the most targeted region in 2023. This is in comparison with the US, where policymakers and law enforcement are driving a safer environment. The US is currently doing more than the UK as they are heavily focussed on the enforcement of security through proactive assessment of critical national infrastructure by 5 different government agencies.
The use of Ransomware-as-a-Service (RaaS) platforms targeting data exfiltration is also likely to grow due to their increased availability, ease of use and higher returns for attackers. Data exfiltration as part of a ransomware attack offers attackers the opportunity to multiply their financial rewards by not only relying on ransom payments, but also selling the data.
In times of economic crisis, the risk posed by insiders increases because people are more vulnerable and at risk of being exploited by new forms of phishing or related scams.
Employees and staff remain the most popular route for attackers to gain illicit access to an organisation’s systems and data. In times of economic crisis, threat actors will look to exploit the economic vulnerability of employees by offering them bribes, or by tricking them into providing credentials or critical information using offers of discounts or financial rewards.
When preparing your business against this risk in 2023, it is important to consider all the different types of insiders. This means both those who may be purposefully malicious and those who just didn’t know what they were doing.
Protecting against insider threats is more than just deploying the latest technology; it requires a cross-functional approach from various parts of the business to help create a security-conscious culture. This can be achieved through the use of security awareness and training campaigns tailored to specific internal roles, threat actors and real-life examples.
The move to home working necessitated by the 2020 Covid pandemic compelled organisations to take drastic steps.
Organisations took shortcuts and, in a lot of cases, rapid deployment of remote working technology was placed ahead of security. These technologies will continue to pose a significant risk to organisations as they may have become redundant and poorly maintained with the return to normality.
As people continue to return to the office, organisations need to ensure that any new “emergency” technology rolled out in 2020-1 to accommodate the significant increase in remote working is reviewed, maintained, or decommissioned, to reduce the risk of potential exposure and vulnerabilities. If they don’t, 2023 may well be the year in which these technologies are the root cause of significant cyber security incidents.
In 2023, the security and technology risk job market will continue to be a very competitive environment for both candidates and companies.
- The increase in the cost of living will drive up salary expectations. In addition, increased competitive benefits introduced by start-ups and fintech companies, such as increased paid annual leave, fully paid maternity leave and extended paid paternity leave, will continue to make it difficult for ‘traditional’ organisations to attract and retain talent.
- Organisations not wishing to take on long-term salary commitments may consequently turn to service providers and outcome-based engagements, with firms such as ThreeTwoFour, to achieve their security operating requirements.
- Young workers, especially in technology, embraced remote working necessitated by the pandemic. However, as organisations are starting to return to the office, they will struggle to convince new recruits to do the same. As ThreeTwoFour is a remote-first business, we have the advantage of being able to offer this set-up already. We have not only built our client delivery capability on a remote-first basis, but we have learnt to evolve and manage our culture within a remote environment.