TSC looks ahead at emerging threats and cyber security risks CISOs can expect to encounter in 2023.
Yes, we are all still reeling from the topsy-turvy nature of the last two years but … 2023 is not showing any indication of being a year of respite. With another recession all but certain this year, both organisations and cyber criminals will be upping the ante – organisations will be fortifying their cyber security, whilst threat actors increase their rate of attack.
Knowing what sort of cyber security threats and actions threat actors may turn to in 2023 could help organisations and employees stay safe and secure. To that end, we will be running through the most pertinent cyber security risks you will see in 2023!
Accenture’s Global Quantum and Space Cyber Security Lead Tom Patterson believes that “progress in quantum computing is bringing adversaries ever closer to a cryptographically relevant quantum computer that is able to crack all of the public key encryptions that protect most everything in government, industry and the internet.” This is a worrying prediction as it points towards a massive leap in the quality and strength of threat actors in 2023.
Patterson argues that with quantum hacks, threat actors can steal a much greater quantity of information as they can simply decrypt the data later. Due to the speed of quantum computing, more data can be scraped in a shorter amount of time.
However, Patterson also reveals that with quantum attacks come quantum encrypted algorithms which will, hopefully, keep data encrypted even as cybercrime takes a quantum leap.
Cyber security has been around for decades now. As a result, many organisations will have found and put in place strong endpoint security such as firewalls, antivirus and detect and report systems to deal with cyber threats. Due to this, cyber criminals will be moving away from malware and easy-to-detect cyber risks and towards social engineering tactics to steal identities and login credentials.
As an organisation, you need to ensure professional accounts are well protected by passwords and locked with 2FA, and that identities are authenticated before access is granted. If not, then a threat actor could use a legitimate corporate account on your professional network to cause financial and reputational damage.
A Typetec survey reveals the average cyber security budget for small businesses is set to halve this year even though 79% of SMEs experienced a cyber attack in the past 12 months. Unfortunately for these SMEs, a pandemic followed by a global recession is not good for the books and cyber security priorities will be pared back to just the fundamentals for organisations of this size.
This will prove to be a costly decision for many SMEs as they have not considered how much more voracious threat actors will be this year. The Typetec survey also reveals that whilst 64% of SMEs feel fully prepared for cyber security threats in 2023, over 30% do not have a recovery plan in place!
Not all SMEs are taking their eye off the ball, however, with the same survey also noting that 37% of SMEs have increased cyber security awareness training for staff. But do we know why many SMEs will be lowering their budgets other than budget cuts? Typetec’s survey has further answers for this, with survey respondents stating they believe SMEs should receive funding and support from the state to help against a rising global cybercrime level.
Typetec’s CTO, Trevor Coyle, said “We understand that many smaller businesses are dealing with inflationary pressures at this time and have to make difficult investment decisions. However, it is important that they make smart choices and do not leave their data and systems more vulnerable and easier to attack, which will ultimately be so much more costly if it happens.”
At TSC (The Security Company), we have always championed the notion of security behaviour change from the top down. When we work with our clients, we recommend getting the board members and management to buy into the same cyber security ideals we teach and communicate out to employees at every level of their business. The sentiment being that if those at the top follow and respect the rules, those below them have no excuse but to do the same.
As the rate of cyber attacks increases and the financial/reputational damage becomes a clear and present danger, we will see those at the top get far more hands-on with cyber security awareness. As cyber threats can now affect the standing and international reputation of a whole company, CISOs and DPOs should expect and want their board to ask for monthly/quarterly cyber security awareness updates and refreshers.
C-suite cyber security awareness has always been a priority for TSC, and it seems in 2023, executives are waking up to the importance of employee security awareness at the very top of an organisation.
Last year, in a special series on Ukraine and Russia, TSC highlighted the increasing geopolitical tension between allies and the primary nations of Russia and Ukraine. A large part of our coverage focused on the heightened levels of cyber attacks being committed against officials and governmental authorities by well-funded and organised hacker groups. On the BBC, this analyst stated that: “Digital is as important a part of this war as the fighting on the ground.”
For example, The Mail on Sunday reported last year that former UK PM Liz Truss’s phone was hacked while she was foreign secretary, leading to private messages between Truss and foreign individuals being accessed by nefarious individuals.
Attacks such as this work on a political espionage level and are instigated not for financial reasons but to cause reputational damage. The rate of these attacks is expected to exponentially increase as proxy wars continue to be fought not only on the ground but in the digital cloud as well.
Accenture data reveals a significant increase in hacktivist activity against Ukraine’s Western allies. Microsoft have also tracked 250 unique nation-state attacks (cyber attacks backed by a country’s official authorities), 35 organised ransomware gangs and are processing more than 1,200 password attacks a second.
Interestingly, Accenture analysts also argue that increased geopolitical attacks will, in the long term, help improve cross-country security and internal government security for these nations – something that they have left unrefreshed for a while.
Furthermore, in 2023, we are expected to see more than 70 countries holding elections – events that invite outside interference and cybercrime in the form of hacking, social engineering tactics and social media disinformation.
Tangentially to the geopolitically motivated attacks mentioned above, 2023 will also see an increase in cyber attacks against key infrastructure by threat actors. Cyber criminals understand that governmental organisations that monitor and run key infrastructure projects will be lacking in a cyber security budget and may therefore have vulnerabilities to exploit.
In these instances, cyber criminals will not only be after finances to cripple said infrastructure, but they will also be after the massive amounts of data these organisations hold. For instance, last year, we saw a 62% increase in cyber-attacks against higher education providers. This year, we will see further attacks against the education sector, civil service, energy providers and the medicinal community.
Organisations are waking up to the reality that one size does not fit all. TSC have been shouting from the top of the mountain about the many benefits of bespoke, tailored cyber security awareness and training for employees – and now people are listening!
The way to build a healthy security culture in an organisation is to make sure every single cog and gear is well maintained and oiled. When we tailor our security learning to your employees – whether this considers age, language, or generational differences – we increase the chances of knowledge retention and recall, which is only good news for CISOs and their security culture.
When you analyse your own security culture (using a tool like TSC’s SABR (Security Awareness and Behaviour Research)), you can pinpoint where your security is strong and where it is porous. You can then avoid any friction and time-wasting in areas of your organisation that appreciate security awareness and instead focus on tailoring your programme to more pertinent cyber risks.
Gartner analysts predict that there will be 43 billion ‘Internet of Things’-connected devices in 2023. As more devices are connected on mutual networks and the line between personal and professional devices becomes blurred, the attack surface and potential for cyber criminals will increase. Threat actors can use IoT devices, which do not necessarily hold the data they are after, as a gateway to access other devices and networks that might.
The White House National Security Council sees this as a massive issue and has gathered representatives from consumer product associations, tech-specific think tanks and manufacturers to produce cyber security standards for IoT devices, to minimise user risk.
The goal of the joint project is to come up with labelling standards for devices that can warn consumers, of any cyber security knowledge level, of the threats they face. Think of the ‘Smoking Kills’ label we have now mandated on cigarette boxes – similar labels will be attached to IoT devices to ensure consumers are aware of how the device will alter their online security.
If it is not abundantly clear already, 2023 will see an increase in cyber attacks and attempts. This is where artificial intelligence and machine learning are being deployed by organisations to monitor network activity in real time. Cyber Security Hub research reveals that 19% of cyber security professionals are investing in cyber security through AI and automation.
It just is not realistic or even possible to have humans monitor every single request and action on a given network. An AI can do all of this in real time and flag actions/patterns it has identified as a threat through machine learning. IBM data revealed that companies that already use AI in their automation process have saved an average of $3 million a year compared to those who do not.
Considering the savings here, more organisations are expected to invest in AI detection and reporting tools to fortify their constant security. In fact, according to Acumen Research and Consulting, a market research firm, the global market for AI-based cyber security products will be worth $133.8 billion by 2023, a staggering 798% increase from the market’s $14.9 billion in 2021.
There is only one place to be for cyber security news and awareness tips in 2023 and that is with TSC and The Insider. Make sure you are subscribed to The Insider for weekly insights and analysis on the industry as well as freebies for you to use around the office!
If you would like more information about how The Security Company can help your organisation stay safe and deliver security awareness training and development for you in 2023 or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023