Things change fast in cybersecurity, but there are lessons and trends we can take from 2022 into next year. We’ve been speaking to Egress VP of Threat Intelligence, Jack Chapman, to learn more about four areas he sees as ones to watch in 2023. Here’s what he had to say:
1. Humans are still the weakest link and MFA will be targeted
“Hackers, cybersecurity professionals, and vendors are locked in a constant battle, with each pushing to get the upper hand. The good news is that organizations are rapidly becoming more cyber-mature and this is making hackers' jobs more difficult.
“CISOs, for example, are now budget holders, and software and SaaS companies are getting better at quality assurance and dynamic static application testing. This combination has made finding vulnerabilities harder, more costly, and ultimately, less profitable.
“The vast majority of hackers are out to make money and, in turn, are focusing on low-effort, high-reward efforts – which these days inevitably involves hacking people rather than networks and applications. In particular, cybercriminals are focusing on getting their hands on log-in credentials.
“If hackers can trick just one employee into giving up their password, it's like getting the magic key to someone's life and business. MFA has made this process harder for hackers, but they are quick to adapt. As a result, we are seeing a lot of criminal R&D focused on bypassing MFA.”
2. The cybersecurity insurance space will start to look vastly different
“We’ve already seen companies that entered the cybersecurity insurance space early on start to exit. Those that have stayed in are offering much more caveated policies. The industry is experiencing growing pains, and changes need to be made for the industry to mature.
“Currently, too many companies with insurance are being targeted, and when they pay out, they are more likely to be targeted again. It's a vicious cycle. To break this, I'd like insurers not to pay out ransomware payments themselves but rather focus on the mediation and mitigation costs. I guarantee if every organization in the world pledged to not pay ransomware tomorrow (and backed the promise up!), the number of attacks would drop significantly overnight.
“Another point is the number of insurance agencies removing nation-state attacks from their coverage area. However, I’m incredibly interested, and concerned, to see how this plays out. Attribution is one of the most challenging things to prove, and if that is necessary to get a payout, we can expect to see a lot of litigation.
“Small and medium-sized organizations may well find themselves unable to afford the legal fees or forensic investigations to try to prove attribution. This means they’ll bear the brunt of this policy change, which may prove unsustainable for them.”
3. Prepare for a rise in recession-related attacks
“As a society, we're worried and stressed about the high cost of living. This is fantastic from a hacker's point of view. When we're in an emotional, tense state, we're more likely to make mistakes or fall for a scam, even if there are red flags. That's why attackers will continue to craft scams specifically designed to prey on the cost of living crisis.
“We saw it during COVID when there were a lot of scams around mail delivery as most shopping was done online. Now, we are seeing scammers pretending to be from retail companies such as supermarket chains and saying they’re giving out shopping vouchers – such as this impersonation attack of major UK supermarket Tesco.”
4. Biometrics won’t be replacing passwords
“Biometrics are sometimes seen as a potential replacement for passwords, but they have drawbacks too. Biometrics are immutable as your fingerprint, iris, and other biological features cannot be changed. However, if another person has created an accurate replica of a biometric feature, there is pretty much nothing you can do to be on the safe side except opt for passwords or security tokens.
“You’re the only one with your ears, eyes, and fingerprints, but that doesn't necessarily mean biometrics are totally private. These can easily be copied without your knowledge. A password is inherently more private as you're the only individual who knows it, plus it’s fast and simple to change a password in the event that it’s stolen.
“A serious caveat regarding biometric security is that it’s impossible to modify such authentication data remotely. If you’re using a password, you can easily resort to a recovery option in case you forgot it, or your account was compromised. Therefore, if your smartphone is taken, a determined burglar might be able to deceive the fingerprint reader and unlock the device using a fake silicone finger or one that was 3D printed.
“Stolen biometrics can cause greater consequences than a stolen password (especially if people follow best practice and use different passwords for different applications). Depending on the level of biometric authentication, faked biometrics could falsify legal documents such as passports, credit cards, or criminal records.”