2022 Cybersecurity Challenges and 2023 Predictions

Total Security Advisor
Practical Security Tips, News & Advice.
Updated: Dec 9, 2022
As we near the end of 2022, IT professionals are looking back at one of the worst years on record for incidents. Cyberattacks and breaches are rising with no end in sight. Organizations continue to invest in technology at a record pace; however, they still continue to be at risk.
During 2022, over 65% of organizations expected cybersecurity budgets to expand. Gartner estimated that $172 billion will be spent this year, up from $155 billion in 2021. Even with this increased spending, the cyberattacks continue at an exponential rate. According to Check Point, by mid-year cyberattacks had risen 42% globally.
From supply chain breaches to ransomware, organizations continue to struggle with how to avoid becoming the next attack statistic.
As we look forward to 2023, several emerging trends stand out as the top security areas that executives should focus on.
User awareness is still the No. 1 area where organizations must continue to invest. The theft of credentials to leverage access remains the largest threat to organizations. According to the Ponemon Institute, over 54% of security incidents result from credential theft. This report states that 59% of organizations fail to maintain strict user account lifecycle management, leaving credentials that are no longer needed in the environment that can be compromised. It is this type of failure in credential management that bad actors leverage to gain access to accounts and data. Lifecycle management of identities must improve to avoid these types of breaches. This area will continue to be an ongoing challenge for organizations in 2023.
Ransomware will continue to be a leading way for bad actors to monetize attacks by taking control of an organization’s systems and data. According to the SonicWall Cyber Threat Report, the global volume of ransomware is increasing by 98%. Although this number is down from a 105% increase in 2021, the frequency and dollars spent continue to grow. Globally, healthcare, financial services, manufacturing, and state and local governments continue to see a rise in the frequency of attacks. Interestingly, a growing trend in this game of cat and mouse is that you may pay the ransom and still not be set free from the hacker’s control. According to Veeam’s 2022 Ransomware Trends Report, 76% of surveyed organizations had experienced a ransomware attack. Of those, only 69% that paid the ransom were able to obtain their data.
From internet providers to manufacturers, third-party supply chain risk continues to be an issue. In 2022, we witnessed several third-party supply chain breaches. Forbes earlier this year outlined how this topic has hit prime time in the board room and continues to plague organizations. Accenture also highlighted this area for concern and illustrated the disruption of the supply chain as part of the risk—that is, not only vulnerabilities due to third parties, but the actual disruption of supplies as it relates to technology disruptions. This challenge will continue in 2023, with growth in this area expected to be in the double digits.
IoT/OT and DoS were key attack vectors in 2022. Organizations are still trying to get their arms around exactly what is on the network and how vulnerable the devices are. Meanwhile, bad actors are finding ways to exploit devices connected to the internet at a record pace. As organizations accelerate adoption, security is woefully an afterthought. Bad actors will continue to take advantage of weak security postures in this area, exploiting security holes to break into networks.
Issues with mobile applications have exploded in 2022. These issues range from application security to privacy of personal data. Organizations that write apps must secure code, keys, and personal data. Few are taking the necessary precautions to validate that all these areas are covered at a comprehensive level. The other challenge is that applications intentionally share personal data about the users. From locator services information to text messages, users fail to understand exactly what data is being collected from mobile devices and then shared or sold on the open market. This area is going to explode in 2023, with users now starting to become more aware of these risks.
Phishing and social engineering remain the No. 1 way that bad actors get into networks. Phishing, smishing, and social engineering are still extremely popular, and the bad actors are getting more sophisticated in the methods, approaches, and techniques they use to obtain information and credentials and gain access to systems and data. F5 posted last year that there was a 45% increase in phishing emails from 2020 to 2021. That number will undoubtedly increase again when the new figures are released for the 2021-2022 period. Bad actors are now using automated tools to carry out these attacks; with these tools, they can send millions of phishing messages with a single click. The trend for 2023 is that smishing and mobile device attacks are growing as users ditch standard email and move to text and SMS messaging.
Based on what is occurring in the market and the economy, here are a few other items to consider as you look at trends in 2023.
Resources are going to continue to be very difficult to retain, attract, and find. With the changes that COVID-19 introduced into the workforce, including remote work, and a large demand for few resources, it has been difficult this year to retain and attract talent. Workers are looking for big pay and larger flexibility in work locations and schedules. Organizations attempting to return to the office are finding that some of their best talent resources are not on board for that move. The resource constraints are going to continue in 2023, with security and cloud leading the way in highly sought-after talent.
Data security is going to be a big bet in 2023. Organizations have started figuring out that they have data everywhere and a lack of security controls to secure, encrypt, and manage the data. This challenge and the compounding of third-party access and risk keep the board of directors and CIOs up at night. 2023 will be the year that more organizations start to admit their weaknesses internally and begin the process of identifying where data lives, how it is secured, who has access, and complete lifecycle management.
The next area for 2023 trends is application security. In general, the CI/CD pipeline and security around application development are a big area for concern. Development teams in a number of organizations have operated independently from cybersecurity. DevSecOps has been held at arm’s length with the statement that developers own security in the development environment. Without specific oversight and auditing, development teams often leave access and environments insufficiently managed and protected. This is the Pandora’s box within an organization. Often, inconsistent controls are found, there is a lack of auditing, and identity lifecycle management is almost non-existent. For example, contractors who worked on last year’s development project still have administrative rights to code and systems. Libraries and other resources are stored in places like unsecured box accounts. These types of habits require organizations to look closer at development organizations’ security practices, standards, auditing, and procedures.
The last crystal-ball item for next year is the rise in FinOps. FinOps reflects the awareness that security, development, and cloud all cost money, and it is the next big bet for analyzing spend, trends, and baselines and for finding cost optimization, reductions, waste, and abuse. From overspending in the cloud to shelfware, organizations have been on a spending spree, and with the tightening of the economy and budgets, CIOs are going to be looking for every dime that can be saved or shaved off the budget.
Although 2022 is not completely over yet, it’s imperative to start looking forward to your 2023 strategy and how your organization can improve security without breaking the bank. How your organization prepares for some of these trends could be the difference between a better-layered defense strategy and the next headline in the local paper about a breach of your network.
Stephanie Benoit Kurtz is Lead Faculty for the College of Information Systems and Technology at University of Phoenix and has taught IT-related courses over the past 20 years. She is also Principal Security Consultant at Trace3. Stephanie has over 25 years of industry experience in Information Technology and Security Solutions and Consulting.