
Crystal ball cyber predictions for 2023

SC Media UK has collected predictions across a range of categories from cybersecurity experts. Here we give you the roundup...

What might 2023 bring in terms of cyber?

Our experts found consensus on a few areas. First, boardroom metrics will become more important as senior execs demand transparency through quantified insights on the company’s security posture. Quarterly reports and PDFs are no longer sufficient given the intense scrutiny companies face over their security-related activities.

And second, our expert panel thinks the energy sector will be a prime target this year, with hackers applying economic pressure on local and national governments as the public worries about being able to keep their heating and lights on.

Increasing reliance on cloud vendors could expand companies’ attack surfaces, says Michael Adams, CISO, Zoom:

“With the flexibility offered by the cloud, more organizations are layering cloud technology into new places and enabling unique use cases with cloud technologies. However, in doing so, they’re also expanding their attack surfaces and will also need to come up with new strategies to deploy cloud security technologies and protection strategies. IT leaders will also need to have a strong process in place to evaluate these vendors and understand the technologies they use on the backend.”

Board members will demand timely and actionable security metrics, says Omer Singer, head of cybersecurity strategy, Snowflake:

“The rise of security data lakes in the cloud will make it much easier to generate near-real-time reports around critical security metrics. We’ve already seen increased interest at the executive level in this type of data, and in 2023 board members will demand transparency through quantified insights on the company’s security posture, areas of weakness, and rate of improvement. While standard in other departments, cybersecurity has been late to provide this kind of visibility.”

The looming energy crisis may become a subject of cyberattacks, says Jens Monrad, head of Mandiant Threat Intelligence EMEA:

“With the looming energy crisis in Europe, there is a high likelihood that cyber threat actors could shift their campaigns towards a critical component for most of Europe, regardless of their motivation. Critical infrastructure is always at risk of destructive cyberattacks by nations in conflict. 

Still, it might become even worse as many European governments and the EU are discussing how to best deal with the energy crisis caused by the war in Ukraine. Even worse, they might focus on critical infrastructure with ransomware campaigns focusing on disrupting energy and power supply.”

Supply chain security will gain increasing attention, says Tola Sargeant, managing director at TechMarketView:

“Relatively few businesses are taking steps to formally review the risks posed by their immediate suppliers and wider supply chain. With the number of suppliers organisations interact with now higher than ever, it is important to ensure that third party organisations, and any system or data connections with them, are secure and resilient against a range of cyber threats. UK organisations will increasingly place more importance on security as a determinant of doing business with suppliers and will need to invest more in technology solutions to review and monitor supplier security risks.”

2023 is going to be about the ‘three Rs’: regulation, regulation and relationships, says Jordan Schroeder, managing CISO at Barrier Networks:

“We are likely to see the UK draft new regulation to hammer down on SBOMs (software bill of materials) in a GDPR-level style. This will be built on the American Executive Order from 2021 and the subsequent work by NIST to support it. What’s more, some sectors, like industrial organisations, are going to work together to build on existing standards and regulation and make even more improvements to their security defences, as a sector.”

Developments within the cyber insurance market will have serious, knock-on effects, says James Muir, threat intelligence research lead, BAE Systems:

“In 2022, the rising threat of ransomware attacks led many insurers to raise premiums and reassess coverage. Going into 2023, Lloyd’s of London announced that its insurance policies will no longer cover losses from state-sponsored cyberattacks, effective from March. We can expect these dynamics to heavily impact organisations. Many will find themselves without appropriate coverage and be required to use emergency incident response services outside of their existing arrangements.”

Regulation is one compelling reason to change, insurance premiums are another, says Dr. Jason Nurse, director of science and research, CybSafe:

“Progressive organisations—often led by transformational CISOs—make changes because they are enlightened. Everyone else changes because they are compelled! Regulation is one compelling reason to change. Insurance premiums are another. Additional responsibility will be placed on organisations to show they are reducing risk, and not just ticking compliance boxes. We’re already seeing instances of organisations being denied payouts from their insurers. This will continue. Insurers will stop covering for cyber negligence. The industry is too volatile to keep paying out to organisations that are not doing enough to protect their data.”

Organisations will continue to invest in cybersecurity awareness training and continue to see almost zero provable risk reduction, says Oz Alashe MBE, CEO, CybSafe:

“Organisations will continue to invest in traditional cybersecurity awareness training, and continue to see almost zero proven risk reduction. As the realisation dawns, a greater emphasis will be placed on people’s behaviour. Progressive security teams will start asking how they can help people improve their security behaviours. A key part of any organisation’s cybersecurity defence is also its people. When people feel empowered to identify and report security incidents—they do. But that kind of culture change doesn’t come from security awareness training. It’s the product of management taking time to understand security behaviours—why people do what they do, or don’t do what they’re supposed to—and how to influence them.”

Cyber career opportunities will grow, says Mark Hughes, president of security at DXC Technology:

“The numbers vary, but some estimates suggest that the cybersecurity industry globally is short of 3.4 million workers. With growing threats from advanced technologies, the number is only likely to increase. The cyber skills gap creates career opportunities for people of all ages and backgrounds. In the UK alone, there are currently over 1,100 cybersecurity opportunities for graduates listed on the careers portal GradCracker. But it’s not just graduates who can benefit. Many companies offer the chance for adults to retrain in cybersecurity - a popular option for veterans who are often well suited to be the boots on the ground in our frontline defence against cybercrime.”

International cyber collaboration will increase, says Steve Forbes, government cyber security expert at Nominet:

“Governments will continue to collaborate with allies on cyber, but we likely won’t see this happening in an offensive cyber security sense. Instead, major nations like the US and UK will continue to share intelligence and strategies on cyber threats. The success of the collaboration between these nations on threat intelligence will help to foster similar relationships through other allied nations. In 2023, we will also certainly see more attribution and the calling out of malicious cyber behaviour from governments going on the offensive against threat actors, and continued collaboration from law enforcement to arrest and take these cyber gangs down.”

Financial institutions will prioritise security investments, says Brett Beranek, general manager, security and biometrics, Nuance:

“Traditional authentication methods – such as PINs and passwords – are archaic and no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost unfortunate individuals vast sums of money in terms of recovery if lost or stolen. In 2023, an increasing number of banks will turn to modern technologies – such as biometrics – to robustly safeguard customers.”

Vishing will fool the world with increasingly realistic deceptions, says Dr Niklas Hellemann, CEO at SoSafe:

“While currently viewed as mostly harmless fun, cybercriminals have quickly realized that deepfakes can be used for social engineering attacks as a prime opportunity to maximize profits. ‘Vishing’ (voice phishing) for example is already being used as a deepfake technology to successfully dupe employees into believing they’re speaking with members of their own organisations. As the quality of deepfake and vishing technology improves and they become even easier to create, cybercriminals are sure to conduct more believable and successful attacks in 2023.”

‘Scamdemic’ will continue in 2023, says Michal Salat, threat intelligence director, Avast:

“We’ve been living in a scamdemic for some time now, and there are no signs of a slow-down. Next year, we expect to see attacks playing with people’s economic and environmental concerns. Scams are not just flooding people’s inboxes in the form of phishing emails, but are bombarding people’s text messaging apps, and are keeping their phones ringing. One trend expected for 2023 is social media account takeovers leading to impersonation attacks on online friends.”
