The cyber-threat landscape is becoming increasingly volatile. Attacks are more indiscriminate than ever before, and as more companies fall victim to cyber-attacks, the industry is becoming ever more lucrative for cyber criminals. Research published last year revealed that the cost of cyber-crime to businesses is set to reach $8tn in 2023, and $10.5tn by 2025. If this does materialise, it would make cyber-crime the third biggest economy in the world, behind only the United States and China.
Cyber-crime is an issue which isn’t going away, and is likely to get worse in the next 12 months, as the cybersecurity industry struggles to cope, on an individual, organisational and national level. Below I outline what I believe will be the most important trends for the cybersecurity industry in 2023:
1. State-sponsored cyber-attacks on national critical infrastructure and key industries
State-sponsored cyber-attacks involve one nation targeting another in the hope of disrupting key components of its infrastructure. Common targets for these types of attack include energy providers, healthcare organisations, water companies, and emergency services; any and all national critical infrastructure can be targeted by these threat actors. And the tactic is evolving. The potential to disrupt the economy of another state through attacks on key industries, such as banking, could make those industries as valid a target as critical infrastructure.
And the problem is that attacks are not always carried out directly by the state responsible. A recurring theme we see is malicious groups and cyber criminals being funded or supported by a government, which asks the group to carry out attacks on its behalf. This is extremely common for state-sponsored cyber-attacks, and gives the responsible parties some deniability, making it harder to sanction them.
With the war in Ukraine still ongoing, an increase in this type of attack is inevitable. In a cyber-war every inch is crucial, and state-backed cyber groups have been wreaking havoc since the war began last year. We expect this to get worse before it gets better.
2. The rise in AI and the regulation of it
In recent months AI seems to have finally become a part of our daily lives, fuelled by the introduction of ChatGPT at the end of last year, and Google’s own iteration, Bard, which came out more recently. A lot has been made of the capabilities, risks and benefits of this type of generative AI. At the moment, however, many don’t know where these advancements in the AI field are going to take us, and the true capabilities of these tools are yet to be seen.
In 2023, we believe that there is going to be a clamour by governments and regulators to ensure AI is properly policed and that our current laws encompass it. The fact is that lawmakers don’t make laws for things that haven’t happened or been created yet. It’s largely a waiting game as we wait to see what the AI of today and tomorrow is truly capable of, and what laws are needed to ensure it’s used safely.
3. Data residency and changing legislation
The purpose of cybersecurity defences is to ensure your data is protected. However, one thing many don’t consider is data residency. Where your data is held can have massive implications for its security. Different countries have different regulations on how your data legally has to be stored, and what protections it should have. This means that data hosted in some areas simply isn’t as safe as data elsewhere. The UK has strong data protection laws, which is why many companies are keen to move their data here. And this legislation is constantly changing. Recent introductions of the NIS2 Directive in Europe and the UK’s cyber resilience legislation have moved the goalposts for thousands of businesses when it comes to cybersecurity, especially those connected to national critical infrastructure.
Additionally, your data may be at the mercy of foreign states. For example, if a data store based in China has its servers seized by the Chinese Government, all of that data is now in the hands of a foreign state. And if businesses are using these servers to store their data, it means that the state will have access to potentially thousands or millions of data points.
We expect to see an increasing number of businesses investing in UK-based data residency in 2023 for themselves and their clients.
Cyber-crime is growing, and every type of organisation is at risk. Whether you’re a charity, government institution, medical care centre, car dealership, or online clothes brand, cyber criminals are targeting you, and it’s no longer a matter of ‘if’ but ‘when’ your cyber defences are tested.
Despite the deteriorating state of the threat landscape, though, there are steps organisations and individuals can take to protect themselves. Cybersecurity is everyone’s responsibility, and in 2023, that mindset has never been more important.