Security will continue to cause headaches in 2023. Companies will still have to deal with the usual issues, such as supply chain security and preventing ransomware, but a number of them also see other problems on the horizon for 2023.
Supply chain attacks are ones in which the attackers target something the business depends on but does not control itself, such as a vendor, a third-party library, or a build tool. In the context of software security, this usually means that parts of the development toolchain or the dependency tree are being targeted.
For example, a major supply chain vulnerability you may be familiar with is Log4Shell (CVE-2021-44228) in Apache Log4j, a widely used Java logging library that was pulled into countless applications as a transitive dependency.
According to Matthew Appleton, e-commerce manager of candy company Appleton Sweets, supply chains can be really complex and challenging to comprehend, which makes them hard to manage.
“Any entity’s security (and resilience) depends on the security (and resilience) of all of the hardware, software, people, procedures, etc. that it depends on because of the many interdependencies between them. Despite the fact that third-party audits, data security agreements, and standards all might be helpful, the issue is extremely complex and is likely to continue,” said Appleton.
Jeff Williams, co-founder and CTO of Contrast Security, agrees that supply chain security will continue to be an issue.
He noted that there are only a “handful of security researchers” who work on analyzing open source libraries. He predicts that at least two or three significant zero-day disclosures will happen next year.
“Attackers will leverage these vulnerabilities not only to steal data, but also to install malware, run ransomware, and mine cryptocurrency,” he said.
Impacts of the economy and government regulations
Tech companies haven’t been immune from the economic downturn that the US has been experiencing for the past several months. A number of companies — big and small — have laid off large portions of their workforce.
For example, Meta recently laid off 11,000 employees, Amazon is reportedly planning to lay off up to 10,000 corporate employees, Stripe laid off 1,100 employees, and so on.
These layoffs have Justin Foxwood, solution engineer at IT services company TBI, predicting that the biggest challenge in 2023 will be keeping up with security measures amidst budget cuts.
“Businesses of all sizes are continuing to experience breaches and cyber-attacks, so it’s never been more important to have the proper measures in place. However, when tougher economic times are on the horizon, it can be easy to cut some security measures that companies may not think are necessary. In 2023, we’ll see an increase in all types of cyberattacks from DDoS to malware, so businesses need to remain vigilant. Cutting security employees will prove to be a costly mistake as companies will need to continue updating software and making any necessary patches as breaches become more complex,” he said.
Fortunately, there will also be some outside pressure on companies to improve their security, because they will have to meet the measures the White House has recently put in place.
For example, last year President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” which sets strict guidelines for software sold to the federal government. It requires software bills of materials (SBOMs) for that software, directs agencies toward a zero trust architecture, improves detection of and remediation after incidents, and more.
“By the end of 2023, we know that any company building software will have to publicly attest to their software security practices and create SBOMs under the Cybersecurity Executive Order and OMB regulations,” said Williams. “In 2023, organizations will adopt new technologies to track appsec test results, appsec processes, development of SBOMs, and runtime protection. We’ll see folks get much smarter around the management of the information.”
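The consumer side of an SBOM is the part that matters for the Log4j-style incidents mentioned earlier: once a component list exists, it can be matched against a vulnerability feed in seconds rather than by grepping build servers. The script below is an added example, not code from the article or from any company quoted in it. It parses a small CycloneDX-style SBOM and reports every component whose version falls inside a feed entry's affected range. The SBOM document and the feed are constructed for illustration; the Log4Shell entry (CVE-2021-44228, fixed in log4j-core 2.15.0) uses a simplified range that ignores the backported 2.12.x and 2.3.x security releases, and EXAMPLE-0001 is a hypothetical identifier.

```python
"""Match SBOM components against a vulnerability feed.

Added example, not code from the article or from any company quoted in it.
The SBOM and the feed below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed SBOM in the CycloneDX JSON shape. A real one would be produced
# by a build-time tool rather than written by hand.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.4"},
    ],
})

# Constructed feed: each entry affects the half-open interval
# [introduced, fixed). The Log4Shell range is simplified: it omits the
# backported 2.12.x and 2.3.x security releases, so consult the Apache
# advisory rather than this list for real triage. EXAMPLE-0001 is hypothetical.
VULN_FEED = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0001", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "introduced": "2.0", "fixed": "2.12.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.0-beta9' into a sortable tuple; a pre-release sorts before
    the release that carries the same numbers."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))          # pad so that 2.0 == 2.0.0
    return nums + ((0, pre) if pre else (1, ""))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str


def match_sbom(sbom_json: str, feed: list) -> list:
    """Return one Finding per (component, vulnerability) pair where the
    component's version falls inside the vulnerability's affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in feed:
            if (comp.get("group"), comp.get("name")) != (vuln["group"], vuln["name"]):
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append(Finding(f'{comp["group"]}:{comp["name"]}',
                                        comp["version"], vuln["id"]))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, VULN_FEED):
        print(f"{f.component}@{f.version} affected by {f.vuln_id}")
```

Run against the constructed SBOM, only the log4j-core 2.14.1 entry is reported; the 2.17.1 copy of the same library is outside the range, which is exactly the distinction a version-aware feed match adds over a plain name search. The version comparison is deliberately minimal (numeric dot-separated parts plus a pre-release suffix) and does not implement every Maven or semver ordering rule.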
Other priorities for 2023
In addition to the big challenges of reducing supply chain and ransomware attacks, a number of companies have other priorities for the coming year.
Another area companies will need to continue focusing on is training their employees to follow best practices.
Security tools can only do so much, and good security training can help reduce the risk of someone accidentally clicking on a phishing email or falling victim to some other sort of social engineering attack.
Gilad Zilberman, CEO of ticketing company SeatPick, plans to invest more heavily in security training for the company’s personnel, with a particular emphasis on its IT and security employees. In addition, to test the effectiveness of the training, the company will run breach tests to see how employees respond afterwards.
“Minimizing human error is one of the best ways to secure your company in 2023, and we will be working full speed to tackle this challenge,” said Zilberman.
Contrast Security’s Williams believes companies need to do away with the notion of shifting left. Rather, they will need to instead “shift smart.”
“In 2023, more organizations will realize that they need to stop naively shifting everything left without considering where security can be done most accurately and cost-efficiently. Shifting smart takes advantage of additional context available as software goes through a development pipeline,” said Williams.
According to Williams, not every issue can even be addressed early in the life cycle. Many issues require additional context before they can be dealt with, so they should be handled later in the life cycle, when that context is available.
Though remote work is not new at this point, Evgen Verzun, founder of crypto company Kaizen.Finance, believes it will be a concern in the coming year from a security perspective.
Hackers will become more innovative in their approaches to targeting remote workers. Businesses are also struggling with ensuring privacy as their teams become more scattered.
“Remote employment frequently results in an increase in ransomware, phishing, and social engineering attacks. To address attacks related to remote workplaces, businesses must adopt a zero-trust policy, assuming that every device and user is a possible attacker,” he said.
According to Verzun, in zero trust environments data and resources are unreachable by default; with least-privilege access, users gain access to data only under specific conditions.
Zero trust is still a relatively new practice for most organizations, but it is gaining traction, and it is one of the key points of the executive order.
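The two properties Verzun describes, unreachable by default and access only under conditions, come down to how the policy decision point is written. The following is an added example, not code from the article or from any company quoted in it: a small default-deny evaluator in which nothing is granted unless a rule for that resource and action names one of the requester’s roles and every condition attached to the rule (MFA completed, managed device) holds. The request fields, the policy and the sample requests are all constructed for illustration.

```python
"""Default-deny access decisions with per-rule conditions.

Added example, not code from the article or from any company quoted in it.
The request fields, the policy and the sample requests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa: bool              # did the session complete MFA?
    device_managed: bool   # is the device enrolled and compliant?
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    role: str
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed policy. Anything not explicitly granted here is denied.
POLICY = [
    Rule("customer-db", "read", "support"),
    Rule("customer-db", "write", "dba"),
    Rule("wiki", "read", "employee", require_mfa=False, require_managed_device=False),
]


def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). Access is denied unless some rule for this
    resource/action names one of the requester's roles and every condition
    on that rule is satisfied. Failed conditions are reported so the
    denial is actionable (the user can enroll a device or complete MFA)."""
    reasons = []
    for rule in policy:
        if (rule.resource, rule.action) != (req.resource, req.action):
            continue
        if rule.role not in req.roles:
            continue
        if rule.require_mfa and not req.mfa:
            reasons.append(f"role {rule.role}: MFA required")
            continue
        if rule.require_managed_device and not req.device_managed:
            reasons.append(f"role {rule.role}: managed device required")
            continue
        return True, f"granted by rule for role {rule.role}"
    return False, "; ".join(reasons) or "no matching rule (default deny)"


# Constructed sample requests.
SAMPLES = {
    "support_read": Request("alice", frozenset({"employee", "support"}), True, True, "customer-db", "read"),
    "support_write": Request("alice", frozenset({"employee", "support"}), True, True, "customer-db", "write"),
    "dba_no_mfa": Request("bob", frozenset({"employee", "dba"}), False, True, "customer-db", "write"),
    "wiki_byod": Request("carol", frozenset({"employee"}), False, False, "wiki", "read"),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        allowed, reason = evaluate(req)
        print(f"{label:14} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The important shape is that the function has exactly one path to `True`, reached only after every check on a matching rule passes; a request that matches no rule at all falls through to the default denial rather than to an implicit allow. A production policy engine would also bind the decision to a session and re-evaluate when device posture or MFA state changes, which this snippet does not model.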
“Zero-trust technologies will continue to be deployed across the U.S. government. We should see a rise in the testing of zero trust defenses and reports to Congress – including through hearings – about the U.S. government’s increasing cybersecurity effectiveness. Congress should push to hold the U.S. federal government accountable for real progress over the coming year,” predicted Jonathan Reiber, vice president of cybersecurity strategy and policy at risk company AttackIQ, and former chief strategy officer for cyber policy in the Office of the U.S. Secretary of Defense in the Obama administration.
Gartner predicts that by 2025, 60% of “organizations will embrace zero trust as a starting point for security.”
Travis Lindemeon, managing director of Nexus IT Group, an IT staffing company, said: “The Zero Trust cloud security architecture is one of the most significant innovations in cloud security in recent years. This design assumes that an attack has already occurred in the network. Everyone has complete access to all systems and information. Many problems that people and businesses experience in the present are mitigated by zero-trust architecture.”