
Increased exploitation of connectedness between applications and systems

The Log4j vulnerability is a particularly clear example of this exposure to cybersecurity risk as the vulnerable component is used by countless applications.

Image: © AFP/File Fred TANNEAU

As organisations become increasingly digital, adopting new technologies, applications and services in order to innovate, improve efficiencies, ensure resilience and remain competitive, they are also becoming increasingly connected. As JP Perez-Etchegoyen, CTO of Onapsis, tells Digital Journal, this is because all of these technologies need to be able to communicate with each other in order to ensure the effectiveness of business processes while reducing data duplication and redundancy.

There are weaknesses as well as advantages with this approach, says Perez-Etchegoyen. As he outlines: “These interconnections and API(s) introduce unique vulnerabilities into software systems, providing an opening for attackers to inject malicious code into any of the applications connected through insecure communications.”

Citing an example, Perez-Etchegoyen says: “The Log4j vulnerability is a particularly clear example of this exposure to cybersecurity risk as the vulnerable component is used by countless applications and is potentially exploitable from open API(s) that are required by the applications. However, this opens the door for malicious activities across an entire system or network.”

Expanding on this risk further, Perez-Etchegoyen assesses: “Log4j is an open-source logging library which is commonly used by apps and services across the internet and in the next year, threat actors will continue to take advantage of unpatched Log4j vulnerabilities, which the Director of US Cybersecurity and Infrastructure Security Agency Jen Easterly has called the most serious vulnerability she’s seen in her career, while also increasing their focus on exploiting open-source libraries.”

Another source of cyber-threats is the world economic situation. According to Perez-Etchegoyen: “It comes as no surprise that as geopolitical tensions continue to rise across the world, enterprises are increasingly hyper-focused on ensuring their resilience to such geopolitical risk by prioritising infrastructure security within 2023. However, cybersecurity within the public sector is still seriously lacking, especially as the security of the personal information of private citizens which the sector is tasked with handling on a daily basis is vital to privacy and to compliance with data protection laws and regulations.”

Drawing on notable examples, the analyst adds: “Over the course of 2022 we saw countless attacks on healthcare, education, utilities and other critical avenues of the public sector. Given rising tensions, tackling this is all the more crucial going into 2023 and it is something that will become a top priority on government agendas over this next year. We can see this already coming to fruition in the decision by Australia to develop a new cybersecurity strategy following a series of heavy attacks on the country.”

However, economic constraints breed new ways of thinking about cybersecurity and this can confer advantages.

Here Perez-Etchegoyen explains: “Often the approach taken to protect business-critical applications by enterprises is a broad “defence-in-depth” security model whereby layers of technology are applied to protect critical systems. However, this approach does not give enough consideration to the security of each application itself, leaving enterprises exposed to attackers looking to take advantage of existing vulnerabilities.”

Perez-Etchegoyen offers a further, speculative recommendation: “Additionally, the current challenges of volatile and shrinking economies across the globe mean that cybersecurity spending will need to be more curated and targeted in order to deal with growing (and increasingly sophisticated) threats. As such, organisations will be thinking more deeply about the cost of an attack and will look to improve their protection moving into 2023. Vulnerability management capabilities which are specifically designed to protect an organisation’s most business-critical assets and systems will therefore play a vital role in cybersecurity strategy in the next year.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
