By Lucia Milică, Global Resident CISO, Proofpoint.
This has been another extremely busy year for CISOs. Cyber-attacks pummelled organisations across the globe. Ransomware, nation-state actors, and supply chain vulnerabilities were just some of the multiplying threats. A few highlights are noteworthy:
- Ransomware continued to wreak havoc, whether it was to force a 157-year-old educational institution to close its doors, the entire nation of Costa Rica to declare an emergency, or a major automaker to shutter operations for one whole day.
- Critical infrastructure remained firmly in the sights of adversaries, ranging from Russian hackers targeting U.S. airports to Chinese nation-state actors exploiting vulnerabilities within telecoms.
- The threat to the digital supply chain escalated, with cyber attackers pivoting to identity and authentication technology attacks.
As we head into 2023, CISOs and boards should prepare to face even bigger demands, especially as global tensions escalate, the global economy grows more volatile, and workforce challenges continue. Proofpoint’s CISO team looks ahead to the new year and offers some thoughts on how to deal with what we can expect.
1. Global pressures will exacerbate systemic risk, as the economic downturn and physical conflicts create ripple effects through the entire ecosystem.
Our increasingly complex, interconnected digital ecosystem exacerbates existing concerns and raises new fears about systemic risk, where weaknesses in any one component threaten the strength of the whole. Proofpoint’s recent Cybersecurity: The 2022 Board Perspective report disclosed that 75% of boards believe they clearly understand systemic risk within their organisations. Even so, the fluctuating global turmoil makes it very difficult to grasp the full extent of the threats to our ecosystems. Consequently, systemic risk will demand constant attention.
The stress of the economic downturn—job losses, higher interest rates, lower living standards, and inflation—takes both a financial and emotional toll on employees and their families. Our people become distracted and unhappy at work, making it much easier for threat actors to exploit human weaknesses. Cyber attackers thrive on such worries, upping their game to prey on people’s emotional state. Physical conflicts, like Russia’s war with Ukraine, exacerbate the general global turbulence, igniting new cyberattacks and expanding systemic risk for organisations.
2. The commercialisation of hacking tools on the dark web will increase cybercrime.
We have seen hacking tool kits for executing ransomware turn into a commodity on the criminal underground over the last few years. Ransomware-as-a-service has bloomed into a lucrative dark web economy, leading to the proliferation of ransomware attacks. New dark web tools make ransomware attacks possible with little to no technical sophistication, opening the door to cybercrime for anyone with a Tor browser and a little time on their hands.
As dark web commerce continues to boom, we expect a fresh wave of attacks made possible by this commercialisation. We expect more tools for smishing attacks and mobile device takeovers—complicating our ability to stop these threat actors, even though they are less technically savvy.
3. Data theft will become part of every successful ransomware attack as threat actors’ business models move to double-extortion schemes.
Ransomware has become endemic, and no organisation is immune to this threat. According to Proofpoint’s 2022 State of the Phish report, 68% of organisations globally have experienced at least one ransomware infection. What’s most concerning, however, is the evolution over the past three years from data encryption to the double-extortion schemes that both encrypt and exfiltrate the data.
Only one gang used the double-extortion tactic in 2019. By the first quarter of 2021, 77% of attacks involved threats to leak the data. The latest trend is triple extortion, with attackers seeking payments not only from the target organisation but also from any entities that may be impacted by the data leak. This move is an indication that threat actors are growing bolder and their monetisation strategies are becoming more aggressive. A complete pivot from simple encryption attacks may be inevitable.
4. MFA bypass attacks will grow as cybercriminals explore new avenues for breaching defences and exploiting weaknesses in human behaviour.
Threat actors continue to innovate as they learn more about human behaviours and find new and easier ways to get credentials. The cybersecurity industry has responded by pushing for MFA, which has become a standard security practice. And thus begins a new cat-and-mouse game: as more organisations add MFA as a security layer, more cyber attackers are pivoting to exploit MFA weaknesses and MFA fatigue among users. We observed proof of this evolution in recent headlines and see this as the beginning of a new trend.
The threat itself is not new—our researchers verified vulnerabilities bypassing MFA two years ago—but we are seeing more tools for executing these attacks, such as phishing kits for stealing tokens. What makes this threat more challenging is that it exploits not just technology but also human weaknesses. Attackers often rely on notification fatigue, bombarding an employee with approval requests until they finally relent.
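A defender-side sketch of the notification-fatigue pattern described above, added here as an example and not taken from Proofpoint or any product: it flags a user who receives a burst of denied or ignored push prompts and escalates if an approval follows the burst. The event format, the 10-minute window and the threshold of five are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: look-back window for a burst
THRESHOLD = 5                   # assumption: unapproved prompts considered abnormal

# Constructed sample events: (ISO timestamp, user, outcome of the push prompt)
SAMPLE_EVENTS = [
    ("2023-01-10T02:00:10", "alice", "denied"),
    ("2023-01-10T02:01:05", "alice", "timeout"),
    ("2023-01-10T02:02:30", "alice", "denied"),
    ("2023-01-10T02:03:45", "alice", "timeout"),
    ("2023-01-10T02:05:00", "alice", "denied"),
    ("2023-01-10T02:06:20", "alice", "approved"),  # relents after the burst
    ("2023-01-10T09:00:00", "bob", "denied"),      # single mis-tap, then normal login
    ("2023-01-10T09:00:40", "bob", "approved"),
    ("2023-01-10T14:00:00", "carol", "timeout"),   # two small clusters 30 min apart
    ("2023-01-10T14:01:00", "carol", "timeout"),
    ("2023-01-10T14:02:00", "carol", "timeout"),
    ("2023-01-10T14:30:00", "carol", "timeout"),
    ("2023-01-10T14:31:00", "carol", "timeout"),
    ("2023-01-10T14:32:00", "carol", "timeout"),
]

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on bursts of unapproved MFA prompts; escalate if an approval follows."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    alerts = []
    for ts_raw, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # burst reached: warn once
                alerts.append({"user": user, "time": ts_raw, "severity": "warning"})
        elif outcome == "approved":
            if len(q) >= threshold:       # approval right after a burst
                alerts.append({"user": user, "time": ts_raw, "severity": "critical"})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The critical alert is the one worth routing for immediate session review, since it marks an approval that followed a run of rejected prompts.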
5. The supply chain will be increasingly weaponised, exploiting our trust in third-party vendors and suppliers.
SolarWinds and Log4j may have been wake-up calls, but we are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. A World Economic Forum survey found that nearly 40% of organisations experienced negative effects from cybersecurity incidents within their supply chain, and almost all expressed concerns about the resilience of small and medium enterprises within their ecosystem.
We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels. APIs are of particular concern because threat actors know we have become heavily reliant on them. What makes things worse is that many organisations simply lack solid practices for securely integrating and managing APIs, making the threat actors’ job that much easier. We expect more tension in supply chain relationships overall, as organisations try to step up due diligence on their vendors to better understand the risks, while suppliers scramble to manage the overwhelming focus on their processes.
6. Deepfake technology will play a more prominent role in cyberattacks, increasing the risk of identity fraud, financial deception, and disinformation.
Deepfake technology is becoming more accessible to the masses. Thanks to AI generators trained on huge image databases, anyone can generate deepfakes with little technical savvy. While the output of state-of-the-art models is not without flaws, the technology is constantly improving, and cybercriminals will start using it to create irresistible narratives.
Deepfakes have traditionally been used in fraud and business email compromise schemes, but we expect usage to spread far beyond these deceptions. Imagine the chaos in the financial markets when a deepfake CEO or CFO of a major company makes a bold statement that sends shares into a sharp drop or rise. Or consider how malefactors could leverage the combination of biometric authentication and deepfakes for identity fraud or account takeover. These are just a few examples, and we all know cybercriminals can be highly creative.
7. The growing regulatory scrutiny at the board level will further shift the CISO’s role and increase the board’s expectations and requirements.
The proposed U.S. Securities and Exchange Commission reporting requirements for increased transparency will compel companies to improve oversight and increase cybersecurity expertise on the board itself. Boards will have new requirements and expectations for their CISOs, changing the CISO’s traditional role.
But the recent Uber breach verdict in a U.S. federal court sets a dangerous precedent that encourages boards to shift liability directly to CISOs. Our industry is already struggling to recruit cybersecurity professionals, so this verdict could have a chilling effect on any effort to make headway in the battle for talent.
With only half of CISOs reporting seeing eye-to-eye with their boards, the mounting expectations and the stress of potential personal liability for a cyber attack will only increase the strain in the board-CISO relationship, with huge implications for an organisation’s cybersecurity.
Our team’s predictions all point to the same theme: organisations need to go back to the basics to ensure they are protecting their people and their data. Whatever weaknesses threat actors exploit in 2023, people will remain their favourite attack surface and data their desired prize, which underscores the importance of cyber hygiene and a holistic approach to defence strategies.
Taking a broader lens beyond individual organisations, we see a growing need for public and private sectors to come together to boost our resiliency. With cybersecurity emerging as a national security concern in recent years, our industry and the government must work collaboratively to address these pressing cybersecurity issues.