As we head into 2023, the annual trends prediction season is upon us once again. BeyondTrust, a global leader in intelligent identity and access security, released its annual forecast of cybersecurity trends emerging for the New Year and beyond. These projections, authored by BeyondTrust experts Morey J Haber, Chief Security Officer and Brian Chappell, Chief Security Strategist, EMEA/APAC, are based on shifts in technology, threat actor habits, culture, and decades of combined experience.
“The Arab Gulf region continues to innovate at scale,” said Morey Haber, Chief Security Officer, BeyondTrust. “But digital transformation in the cloud brings with it a range of issues, including the increased sophistication of attackers and their ability to adapt to the moment at a pace that, as yet, enterprise security functions have been unable to match.”
“Our assessments of the year ahead may seem all doom and gloom, but in truth, organizations have many ways of protecting themselves against an incident,” said Haber. “With the right blend of skills, tools and strategy — either in house or in collaboration with a trusted partner — businesses can go into 2023 with their eyes open and conduct their affairs with confidence,” he added.
Here are the top 10 cybersecurity predictions for 2023:
Prediction #1: Negative, Zero, and Positive Trust. Next year, expect products to actually be “zero trust-ready”, satisfy all seven tenants of the NIST 800-207 model, and support an architecture referenced by NIST 1800-35b. Zero trust product vendors will create marketing messages that may imply positive and/or negative intent. Some will provide positive zero trust authentication and behavioral monitoring, while others will work using a closed security model to demonstrate what should happen when a negative zero trust event occurs.
Prediction #2: Reputation for Ransom. The rise of Ransom-Vaporware. We will see a rise in the extortion of monies based purely on the threat of publicizing a fictional breach. Society so willingly accepts the veracity of breaches reported in the news – and without evidence. For a threat actor, this could mean the need to perpetrate an actual breach is reduced and a threat alone, that is not even verifiable, becomes an attack vector all in itself.
Prediction #3: The Foundation of Multi-Factor Authentication (MFA) Invincibility Fails. Expect a new round of attack vectors that target and successfully bypass multifactor authentication strategies. In the next year, push notifications, and other techniques for MFA will be exploited, just like SMS. Organizations should expect to see the foundation of MFA eroded by exploit techniques that compromise MFA integrity and require a push to MFA solutions that use biometrics or FIDO2-compliant technologies.
Prediction #4: Cyber Un-insurability is the New Normal. In 2023, more businesses will face the stark realization that they are not cyber-insurable. As of the second quarter of 2022, US cyber-insurance prices already increased 79% over the prior year. The truth is, it’s becoming downright difficult to obtain quality cyber insurance at a reasonable rate.
Prediction #5: Compliance Conflicts are Brewing. Significant compliance standards, best practices, and even security frameworks, are starting to see a diverging in requirements. In 2023, expect more regulatory compliance conflicts, especially for organizations embracing modern technology, zero trust, and digital transformation initiatives.
Prediction #6: The Death of the Personal Password. The growth of non-password-based primary authentication will finally spell the end of the personal password. More applications, not just the operating system itself, will start using advanced non-password technologies, such as biometrics, either to authenticate directly or leverage biometric technology, like Microsoft Hello or Apple FaceID or TouchID, to authorize access.
Prediction #7: Cloud Camouflage is confronted. To mitigate cloud security risks, expect a push for transparency and visibility into the security operations of SaaS solutions, cloud providers and their services. The push to ensure transparency of the architecture, foundational components, and even discovered vulnerabilities, will extend beyond SOC and ISO certifications.
Prediction #8: Social Engineering in the Cloud. Attackers will turn from their software toolkits to their powers of persuasion as they increase the number of social engineering attacks leveled at employers and organizations across the cloud.
Prediction #9: Unfederated Identities to Infinity and Beyond. Expect a push into unfederated identities to help provide a new level of services and potentially physical products that will become a mild access control and management nightmare. The size and scope will feel truly infinite — unless it is well-defined for identity management teams to provide access beyond what typically is available today.
Prediction #10: OT Gets Smarter, Converges with IT. Expect attack vectors for basic Operational Technology (OT) to expand based on similar exploits that target IT. OT which once had a single function and purpose is now becoming smarter, leveraging commercial operating systems and applications to perform expanded missions. As these devices expand in scope, their design is susceptible to vulnerabilities and exploitation.