In the first few weeks of 2023 we have already seen several high-profile breaches reported, including T-Mobile and Mailchimp. The Mailchimp hack is particularly concerning as when a major service provider stores large amounts of sensitive data, the ramifications will likely extend beyond the businesses that rely on Mailchimp, affecting many more businesses in the supply chain. The company and its customers must remain vigilant and proactive in the coming months to protect themselves from phishing attempts that could leverage the stolen credentials from the attack.
With cyber threats constantly evolving, the industry must work to stay ahead of emerging trends. As we work hard this year to better defend ourselves, it is important to reflect on the key learnings and trends that we can take from 2022. Below I’ve outlined four areas to be vigilant about in 2023.
Humans are still the weakest link and MFA will be targeted
Hackers, cybersecurity professionals, and vendors are locked in a constant battle, with each pushing to get the upper hand. The good news is that organizations are rapidly becoming more cyber-mature and this is making hackers' jobs more difficult. CISOs, for example, are now budget holders, and software and software as a service (SaaS) companies are getting better at quality assurance and dynamic and static application security testing. This combination has made finding vulnerabilities harder, more costly, and ultimately, less profitable for hackers.
Most hackers are out to make money and, in turn, are focusing on either low-effort or high-reward outcomes – which these days inevitably involves hacking people rather than networks and applications. In particular, cybercriminals are focusing on getting their hands on log-in credentials.
If hackers can trick just one employee into giving up their password, it's like getting the magic key to someone's life and business. Multi-Factor Authentication (MFA) has made this process harder for hackers, but they are quick to adapt. As a result, we are seeing a lot of criminal research and development focused on bypassing MFA.
The cybersecurity insurance space will start to look vastly different
We’ve already seen companies that entered the cybersecurity insurance space early on start to exit. Those that have stayed in are offering much more caveated policies. The cyber insurance sector is experiencing growing pains, and changes need to be made for the industry to mature.
Currently, too many companies with insurance are being targeted by ransomware, and when they pay out, they are more likely to be targeted again. It's a vicious cycle. To break this, I'd like insurers not to pay ransomware demands themselves, but rather focus on covering the mediation and mitigation costs. If every organization in the world pledged to not pay ransomware demands and followed this promise through, the number of attacks would drop significantly.
Additionally, there are a number of insurance agencies removing nation-state attacks from their coverage area. However, everyone in the security industry knows that attribution is one of the most challenging things to prove, and if that is necessary for a pay out, we can expect to see increased litigation.
Small and medium-sized organizations may well find themselves unable to afford the legal fees or forensic investigations to try to prove attack attribution. This means they’ll bear the brunt of this policy change, which may prove unsustainable for them.
Prepare for a rise in recession-related attacks
As a society, we're worried and stressed about the high cost of living as inflation continues to rise. This is fantastic from a hacker's point of view. When we're in an emotional, tense state, we're more likely to make mistakes or fall for a scam, even if there are red flags. That's why attackers will continue to craft scams specifically designed to prey on the cost of living crisis.
We saw it during COVID when there were a lot of scams around mail delivery, as most shopping was done online. Now, we are seeing scammers pretending to be from retail companies such as supermarket chains and saying they’re giving out shopping vouchers – such as the recent impersonation attack of major UK supermarket Tesco.
Biometrics won’t be replacing passwords
Biometrics are sometimes seen as a potential replacement for passwords, but they have drawbacks too. Biometrics are immutable: your fingerprint, iris, and other biological features cannot be changed. So if someone has created an accurate replica of a biometric feature, little can be done except to fall back on passwords or security tokens.
You’re the only one with your ears, eyes, and fingerprints, but that doesn't necessarily mean biometrics are totally private. These can easily be copied without your knowledge. A password is inherently more private as you're the only individual who knows it, plus it’s fast and simple to change a password in the event that it’s stolen.
A serious caveat regarding biometric security is that it’s impossible to modify such authentication data remotely. If you’re using a password, you can easily resort to a recovery option if you forget it or your account is compromised. By contrast, if your smartphone is stolen, a determined thief might be able to deceive the fingerprint reader and unlock the device with a fake finger, cast in silicone or 3D printed. Stolen biometrics can have greater consequences than a stolen password (especially if people follow best practice and use different passwords for different applications). Depending on the level of biometric authentication, faked biometrics could be used to falsify legal documents such as passports, credit cards, or criminal records.
Hackers’ methods are working – but it is possible to defeat them
Put simply, the methods used by threat actors today are working, and cybercriminals will keep on taking advantage of attacks that keep yielding fruitful outcomes. So, if organizations don’t take a new approach, the results will always stay the same.
To prevent attacks, you must use products that are continually evolving and that allow technology, people, and policy to work together. It does not matter whether your company is valued at $1,000,000 or $100,000,000,000: your castle can collapse with just one weak link.
To summarize the key themes to be alert to: the popular tactic of hackers weaponizing the news cycle means we will likely see a rise in scams relating to the economic downturn. Developments within the cyber insurance market will affect the policies companies are eligible for, if they are eligible at all. And, while biometrics offer a unique take on security, they still have pitfalls and will not be replacing passwords entirely anytime soon.