Every year I peruse emerging statistics and trends in cybersecurity and provide some perspective and analysis on the potential implications for industry and government from the data. While cybersecurity capabilities and awareness seem to be improving, unfortunately the threat and sophistication of cyber-attacks are matching that progress.
The 2023 Digital Ecosystem
The emerging digital ecosystem is treacherous. In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach.
For 2023 and beyond the focus needs to be on the cyber-attack surface and vectors to determine what can be done to mitigate threats and enhance resiliency and recovery. As the interest greatly expands in users, so do the threats, As the Metaverse comes more online it will serve as a new vector for exploitation. Artificial intelligence and machine learning, while great for research & analytics (i.e. ChatGPT). However, AI tools can also be used by hackers for advanced attacks. Deep fakes are already being deployed and bots are continuing to run rampant. and the geopolitics of the Russian invasion of Ukraine has highlighted the vulnerabilities of critical infrastructure (CISA Shields Up) by nation-state threats, including more DDSs attacks on websites and infrastructure. Most ominous was the hacking of a Ukrainian satellite.
Here are some initial digital ecosystem statistics to consider: According to a Deloitte Center for Controllership poll. “During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.” And “nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations' accounting and financial data to increase in the year ahead. And yet just 20.3% of those polled say their organizations' accounting and finance teams work closely and consistently with their peers in cybersecurity.” Nearly half of executives expect cyber-attacks targeting accounting, other systems Nearly half of executives expect cyber attacks targeting accounting, other systems (northbaybusinessjournal.com)
Cyber-Trends:
AI and ML Making Impacting the Cyber-Ecosystem in a big Way in 2023 and Beyond
International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027 Please see: Experts predict how AI will energize cybersecurity in 2023 and beyond | VentureBeat
My Take: AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically it can (and is being) used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats.
They enable predictive analytics to draw statistical inferences to mitigate threats with less resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.
While AI and ML can be important tools for cyber-defense, they can also be a two edged sword. While it can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, it can also be used by threat actors. Adversarial Nations and criminal hackers are already using AI and MI as tools to find and exploit vulnerabilities in threat detection models.
Cyber criminals are already using AI and machine learning tools to attack and explore victims’ networks. Small business, organizations, and especially healthcare institutions who cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable. Extortion by hackers using ransomware and demanding payment by cryptocurrencies may become and more persistent and evolving threat. The growth of the Internet of Things will create many new targets for the bad guys to exploit. There is an urgency for both industry and government to understand the implications of the emerging morphing cyber threat tools that include AI and ML and fortify against attacks.
Please also see the recent FORBES article discussing three key applications of artificial intelligence for cybersecurity including, Network Vulnerability Surveillance and Threat Detection, Incident Diagnosis and Response, and applications for Cyber Threat Intelligence Reports: Three Key Artificial Intelligence Applications For Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux Three Key Artificial Intelligence Applications For Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux (forbes.com)
Cyber-Crime and the Cyber Statistics to Explore so Far in 2023
Cyber-crime is growing exponentially. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. Please see: eSentire | 2022 Official Cybercrime Report There are many factors for such growth and some of them will be explored in more detail below.
Open Source Vulnerabilities Found in 84% of Code Bases
It starts with open source code. Unfortunately, according to Synopsys researchers, at least one open source vulnerability was found in 84% of code bases. The vulnerability data was included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report on 2022 data. Since most software applications rely on open source code, this is still a significant cybersecurity issue to address.
The report noted: “open source was in nearly everything we examined this year; it made up the majority of the code bases across industries,” the report said, adding that the code bases contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them vulnerable to exploits. All code bases examined from companies in the aerospace, aviation, automotive, transportation, and logistics sectors contained some open source code, with open source code making up 73% of total code. “
As significant as the risks from the open source code are, they can be detected by penetration testing and especially by patching. The report found that patches clearly are not being appplied. It cited that “of the 1,481 code bases examined by the researchers that included risk assessments, 91% contained outdated versions of open-source components, which means an update or patch was available but had not been applied.”
Please see: At least one open source vulnerability found in 84% of code bases: Report At least one open source vulnerability found in 84% of code bases: Report | CSO Online
On way that hackers take advantage of code vulnerabilities and open source flaws is via zero-day exploits. Recently a ransomware gang used a new zero-day flaw to steal data on 1 million hospital patients. “Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT.” Clop claims it mass-hacked 130 organizations, including a US hospital network
My Take: as a remedy to avoid vulnerability exploits and keep open source code updated, the report suggested that organizations should use a Software Bill of Materials (SBOMS) . I agree, in addition to Pen testing, SBOMS are an important way to map systems and organize to be more cyber secure. An SBOM is basically a list of ingredients that make up software components and serves as a formal record containing the details and supply chain relationships of various components used in building the software. I wrote about this extensively in a previous FORBES article.
In the article, Dmitry Raidman. CTO, of a company called Cybeats offered insights into l specific use cases for SBOMS. They include transparency into software provenance and pedigrees, continuous security risk assessment, access control and sharing with customer who can access and what data can be seen, threat intelligence data correlation, software composition license analysis and policy enforcement, software component end of life monitoring, SCRM - Supply Chain Risk Management and supply chain screening, SBOM documents repository and orchestration, efficiency in data query and retrieval.
Clearly, SBOMS are a good path forward in discovering and correcting open source vulnerabilities in code. Please see: Bolstering Cybersecurity Risk Management With SBOMS Bolstering Cybersecurity Risk Management With SBOMS (forbes.com)
Phishing Continues to be a preferred Method of Hackers in 2023
Phishing is still the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization, or a website you may frequent.
Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware and a tactic for hackers is to target leadership at companies or organizations (spear-phishing) because they usually have better access to valuable data and make ready targets because of lack of training.
According to the firm Lookout, the highest rate of mobile phishing in history was observed in 2022, with half of the mobile phone owners worldwide exposed to a phishing attack every quarter. The Lookout report was based on Lookout’s data analytics from over 210 million devices, 175 million apps, and four million URLs daily. The report noted that “non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022. And that “the damage can be colossal for businesses that fall victim to mobile phishing attacks: Lookout calculated that the potential annual financial impact of mobile phishing to an organization of 5000 employees is nearly $4m.
The report also noted that “Cybercriminals mostly abused Microsoft's brand name in phishing attacks, with more than 30 million messages using its branding or mentioning products like Office or OneDrive. However, other companies were also frequently impersonated by cybercriminals, including Amazon (mentioned in 6.5 million attacks); DocuSign (3.5 million); Google (2.6 million); DHL (2 million); and Adobe (1.5 million).”
Please see: Record Number of Mobile Phishing Attacks in 2022 Record Number of Mobile Phishing Attacks in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Ransomware and Phishing: the current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers, but also in the financial and reputational costs to businesses and organizations.
Currently, ransomware, mostly via phishing activities, is the top threat to both the public and
private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments. In the recent case of Colonial Pipeline, a ransomware attack disrupted energy supplies across the east coast of the United States.
“In 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of these organizations managed to retrieve their data after paying the ransom. Additionally, a little over 66% of respondents reported to have had multiple, isolated infections.” Please see: New cyberattack tactics rise up as ransomware payouts increase New cyberattack tactics rise up as ransomware payouts increase | CSO Online
My Take: Since most of us are now doing our work and personal errands on smartphones, this is alarming data. But there are remedies. Training employees to identify potential phishing emails is the first step in prevention, but many of the obvious clues, such as misspelled words and poor grammar, are no longer present. Fraudsters have grown more sophisticated, and employees need to keep up with the new paradigm.
Human errors are inevitable, however, and some employees will make mistakes and accidentally fall victim to phishing. The backup system at that point should include automated systems that can silo employee access and reduce damage if a worker’s account is compromised. The best way is to establish and monitor administrative privileges for your company. You can limit employee access or require two [authentication] steps before they go there. A lot of companies will also outlaw certain sites that workers can’t go visit, so it makes it more difficult to get phished.
My additional advice to protect against phishing and ransomware, is to make sure you backup your valuable data (consider encrypting it too), preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts to see if there are any anomalies on a regular basis.
Business E-mail Compromise
Often done in coordination with phishing, business email compromise is still a serious cybersecurity issue. A research company Trellix determined 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns. Please see: Malicious actors push the limits of attack vectors Malicious actors push the limits of attack vectors - Help Net Security
“Seventy-five percent of organizations worldwide reported an attempted business email compromise (BEC) attack last year. While English remained the most common language employed, companies in a few non-English nations witnessed a higher volume of attacks in their own languages, including organizations in the Netherlands and Sweden, which reported a 92% jump in such attacks; in Spain, with a 92% jump; Germany, with an 86% increase; and France, with an 80% increase.” Please see: New cyberattack tactics rise up as ransomware payouts increase New cyberattack tactics rise up as ransomware payouts increase | CSO Online
“Business Email Compromise (BEC) attacks are no longer limited to traditional email accounts. Attackers are finding new ways to conduct their schemes — and organizations need to be prepared to defend themselves. Attackers are leveraging a new scheme called Business Communication Compromise to take advantage of large global corporations, government agencies and individuals. They are leveraging collaboration tools beyond email that include chat and mobile messaging — including popular cloud-based applications such as Slack, WhatsApp, LinkedIn, Facebook, Twitter and many more — to carry out attacks.” Please see: The evolution of business email compromise to business communication compromise The evolution of business email compromise to business communication compromise (betanews.com)
My Take: business emails have been a top target of hackers. Accordingly, organizations need to create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected, including sensitive emails. Such as risk management strategy should be holistic and include people, processes, and technologies. This includes protecting and backing up email data, and the business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel and detection, Identity Access Management, firewalls, etc.) and policies. That risk management approach must also include knowing your inventory and gaps, integrating cybersecurity hygiene practices, procuring, and orchestrating an appropriate cyber-tool stack.
Fraud is Trending Digital, Especially Identity Theft
Fraud has always been a societal problem, but it is being compounded by the expansion of criminals in the digital realm. The cost is going higher as more people do their banking and buying online.
Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year. Much of this fraud came from fake investing scams and imposter scams. Perhaps most alarming in this report was that there were over 1.1 million reports of identity theft received through the FTC’s IdentityTheft.gov website. FTC reveals alarming increase in scam activity, costing consumers billions - Help Net Security
My take: the reason for the increased rate of identity fraud is clear. As we become more and more connected, the more visible and vulnerable we become to those who want to hack our accounts and steal our identities. The surface threat landscape has expanded exponentially with smartphones, wearables, and the Internet of Things. Moreover, those mobile devices, social media applications, laptops & notebooks are not easy to secure.
There are no complete remedies to identity theft but there are actions that can enable people and companies to help deter the threats. Below is a quick list of what you can to help protect your accounts, privacy, and reputation:
1) Use strong passwords. Hackers are quite adept at guessing passwords especially when they have insights into where you lived in the past (street names), birthdays and favorite phrases. Changing your password regularly can also complicate their tasks.
2) Maintain a separate computer to do your financial transactions and use it for nothing else.
3) Consider using encryption software for valuable data that needs to be secured. Also set up Virtual Private Networks for an added layer of security when using mobile smartphones.
4) Very important; monitor your credit scores, your bank statements, and your social accounts on a regular basis. Life Lock and other reputable monitoring organizations provide account alerts that are very helpful in that awareness quest. The quicker you detect fraud the easier it is to handle the issues associated with identity theft.
5) If you get breached, if it is especially serious, do contact enforcement authorities as it might be part of a larger criminal enterprise that they should know about. In any severe breach circumstance consider looking for legal assistance on liability issues with creditors. Also consider hiring outside reputation management if necessary.
Some Additional Resources and Compilation of Cybersecurity Trends for 2023:
There is a very good report done by the Bipartisan Policy Research Center on the top eight macro risks to watch out for in 2023. The are stated below from the article and I agree with them all.
- Evolving geopolitical environment: The war launched by Russia in Ukraine is emblematic of this first risk, encompassing the key factors of lowered inhibition for cyberattacks, digital assaults on critical infrastructure, misinformation, and disinformation campaigns, and protectionist approaches to trade that can leave companies who purchased technology products from abroad even more vulnerable.
- Accelerating cyber arms race: As attackers step up their assaults on beleaguered organizations, defenders must keep pace in an environment that disproportionately favors malicious actors, who use commonly available consumer tools and trickery to achieve their ends while also targeting national security assets.
- Global economic headwinds: Stock market volatility and inflation pose risks across the cybersecurity sector, threatening supply chains, forcing businesses to make difficult decisions about allocating resources, and possibly harming innovation as startups face a weakened capital supply market.
- Overlapping, conflicting, and subjective regulations: Companies in the US face a "complex patchwork of required cybersecurity, data security, and privacy regulations implemented by national, state, and local authorities, with varying prescriptive requirements," including balkanization of data privacy and breach disclosure laws, rapidly elevating security control requirements, and one-size-fits-all regulation.
- Lagging corporate governance: Although there has been significant improvement in the priority organizations place on cybersecurity in recent years, many firms still have not placed cybersecurity specialists in leadership positions, excluding CISOs and CSOs from the C-suite and boards of directors, and keep cybersecurity separate from organizational objectives.
- Lack of investment, preparedness, and resilience: Both public and private sectors are still insufficiently prepared for a cybersecurity disaster due to incomplete and imperfect data, lack of crisis preparedness, disaster recovery, and business continuity planning, failure to conduct crisis exercises and planning, vendor risk concentration and insufficient third-party assurance capabilities, the escalating cost of cyber insurance, and chronic poor cyber hygiene and security awareness among the general public.
- Vulnerable infrastructure: Critical infrastructure remains vulnerable as organizations "rely heavily on state and local agencies and third- and fourth-party vendors who may lack necessary cybersecurity controls," particularly in the finance, utilities, and government services sectors, which often run on unpatched and outdated code and legacy systems.
- Talent scarcity: The ongoing shortage of qualified security personnel continues to expose organizations to cyber risks, made even more glaring by insufficient automation of tasks needed to execute good cybersecurity.
Please see: Cyber arms race, economic headwinds among top macro cybersecurity risks for 2023 Cyber arms race, economic headwinds among top macro cybersecurity risks for 2023 | CSO Online
And for a deeper dive on cyber stats please see: 34 cybersecurity statistics to lose sleep over in 2023 34 cybersecurity statistics to lose sleep over in 2023 (techtarget.com) The article notes upfront that that we need understand the data and its immense volume used for cyber-attacks. “By 2025, humanity's collective data will reach 175 zettabytes — the number 175 followed by 21 zeros. This data includes everything from streaming videos and dating apps to healthcare databases. Securing all this data is vital.”
Please also see Dan Lohrman’s annual analysis on cybersecurity trends: “After a year full of data breaches, ransomware attacks and real-world cyber impacts stemming from Russia’s invasion of Ukraine, what’s next? Here’s part 1 of your annual roundup of security industry forecasts for 2023 and beyond.” The Top 23 Security Predictions for 2023 (Part 1) The Top 23 Security Predictions for 2023 (Part 1) (govtech.com) and The Top 23 Security Predictions for 2023 (Part 2) The Top 23 Security Predictions for 2023 (Part 2) (govtech.com)
My Take: Of course, there are many other trends and statistics to explore as the year unfolds. It is certainly a treacherous cyber ecosystem, and it is expanding with risk and threats. Being cyber-aware is part of the process of risk management and security and hopefully looking at the cyber-threat landscape will implore both industry and government to prioritize cybersecurity from the top down and bottom up!
Read original article here.