FOR 2023

 from CISO, Paul Delahunty
Nobody knows what 2023 has in store or what the world will look like by the year end. Whilst we cannot predict how many breaches will occur or who will suffer an attack at the hands of cybercriminals, we can examine the cybersecurity trends to watch out for over the coming months.    

Over the next 12 to 18 months, we are painting a very active picture. There are other threats such as quantum computing which will have an impact over the next few years. However, below are the things we are going to see much more of, and the topics that are going to be grabbing the headlines over the next few months. 
1. A Struggle for Cyber Insurance
In the past, many companies used cyber insurance as their cyber safety net. If companies got breached or hacked, they had cyber insurance to mitigate the consequences. Over the past few years, insurance companies have become aware of this phenomenon, and now it is much harder for companies to get cyber insurance.  

Companies must show they have taken reasonable precautions to prevent breaches and make sure their defenses are up to scratch. If not, it will be almost impossible for them to find a provider or they will pay exorbitant policy fees and run the risk that, at the most critical time, in the wake of a breach, their provider will still refuse to pay out if they cannot demonstrate reasonable precautions to prevent a breach.    

This is becoming a pain point for many companies and it will remain so in the short term. However, in the long term, this is a good thing; it will force everyone to raise their game and become more cyber security aware.    

2. An Increase in Laws and Regulations
Over the next 12 to 18 months, I also expect to see an increase in laws and regulations. With data being so critical to the economies of the world, governments are now finally catching on to the importance of placing the responsibility for protecting that data onto C-Suites and Company Boards. The EU, to its credit, has put a lot of regulations in place. For example, everyone now knows about GDPR and how important that is.    

Until recently, the effectiveness of EU regulations had been limited by the fact that only a small number of substantial fines had been imposed. Over the past year, the Irish Data Protection Commission (DPC), in particular, has handed out some large fines and it has started to implement the push behind the GDPR (as recently as 5th Jan 2023, Facebook and Instagram were fined a further €390M, bringing the total fines for the Meta Group to €1.3bn).

However, with the number of cyber-attacks increasing, the importance of data to our economies, emerging tech like the Internet of Things (IoT) and the influx of unsecured devices, I believe that over the next 12 to 18 months, we will see further laws and further regulation, not just from the EU but from governments around the world, to make sure service providers take responsibility for these devices and do the utmost to make sure they are as secure as possible.

3. More AI-Powered Attacks
Artificial Intelligence, or AI, powered cyber-attacks will increase this year. It is a new front in this cyber war. AI is a powerful tool, and it was a matter of time before hackers adopted it. Before now, AI had been inaccessible but that is starting to change.

As it changes, we will see more AI-powered attacks in the future. The Internet of Things is an example of a space where these types of attacks will be particularly devastating. Imagine 75 billion connected devices, many of them unsecured, being attacked by artificial intelligence that reads your defenses and can circumvent them. The only answer to this is to fight fire with fire and ensure that AI is part of your defenses.   

4. The Rise of the “Internet of Threats” 
In 2023 and beyond, the Internet of Things, or as I like to call it, the internet of threats, will continue to be a more integral part of our lives. We are accustomed to thinking of devices such as PCs, phones, Alexa and printers, as connected devices. With the emergence of IoT, almost anything that you can fit a chip into becomes a connected device. For example, your glasses, your car and your phone can all become part of the internet of things.    

The problem from a security point of view is that these things are designed to connect very easily; however, they are not designed with security in mind. When you add devices like this into a network, all you are doing is expanding the number of threat vectors or routes a bad guy can take to attack your system.

There are approximately 30 billion connected devices in the world today. By 2025, just over 2 years from now, that number is expected to increase to 75 billion devices. That is 75 individual attack vectors hackers can use to get to your network. Most of those devices are not secured and that creates a nightmare scenario.    

It is one thing to bring these devices into your home, but many companies are also bringing them into the office. This makes them an attractive target for hackers to use because, of course, the rewards are much bigger in a business. Over the next 12 to 18 months and beyond that, as these devices become a more integral part of our lives, I expect them to be fully taken advantage of by hackers.

5. The Rise of State-Sponsored Critical Infrastructure Attacks   
I also expect to see a rise in state-sponsored critical infrastructure attacks. We have passed the first anniversary of the attack on the HSE. That is an attack we know well here in Ireland, but it is just one of many critical infrastructure attacks across the world. The NHS was hit in the UK, the German health service was hit previously, as were Colonial Pipeline and SolarWinds. The list goes on. These attacks are big, brash, and bold, and they make a lot of noise. While cyber-criminal gangs are often responsible for them, it is generally not their modus operandi because they bring too much heat and too much focus upon them. However, state-sponsored actors have no such qualms.

We also cannot ignore the current geopolitical climate. The Russian invasion of Ukraine has opened a new front in a cyber war. This attitude in Ireland of “well, we’re friends with everyone, who would attack us?” no longer holds water. We are a member of the United Nations Security Council, we are a key member of the European Union, and we have absolutely chosen a side in the war; we have been very vocal in speaking out. There isn’t a town or a village in Ireland without Ukrainian flags flying high.   

Coupled with this is the fact that we don’t have all our ducks in a row when it comes to cyber security; Ireland is a relatively easy target. When you put all these things together, it has the makings of a perfect storm. For those reasons, I do expect to see an increase in this cyber security state actor threat in Ireland.

Final thoughts   
As you have read, I expect to see a very dynamic range of cybersecurity challenges in the year ahead. A report from Typetec last week (January 2023) suggests SMEs will lower their cybersecurity budgets in 2023 despite 80 per cent having experienced an attack. I believe that now is the time to double down on your cybersecurity defenses. Make cybersecurity mindfulness and planning as important as your financial projections or sales strategy and consider engaging professional cybersecurity services to get expertise on your team.
Paul Delahunty, one of the country’s top Information Security experts, is the Chief Security Officer at Stryve, a Carlow headquartered private cloud and cybersecurity company.