The past year was characterised by heightened cybersecurity risks within an environment defined by rising political, social and economic challenges. It is important, under such circumstances, to consider the cybersecurity landscape in the year ahead so that organisations can ensure they are prepared to respond to future threats and are able to mitigate any risk.
To gain an expert insight, Digital Journal heard from JP Perez-Etchegoyen, CTO of Onapsis.
Digital Journal: What are the main threats for the year ahead?
Perez-Etchegoyen: For the most part, this coming year we can expect threat actors to continue to look for ways to exploit already existing vulnerabilities within organisations, as well as those newly introduced, as organisations keep pace with new innovations and applications of technologies in order to stay ahead of the pack in an ever-evolving digital world.
And, while remote and hybrid work has certainly decreased again this year, the number of people working remotely remains higher than before the pandemic with around 22 percent of the UK workforce working at least one day a week from home and 13 percent working exclusively from home in September 2022. As the biggest cybersecurity vulnerability in any organisation is its own employees, this will add additional risk to organisations across the UK.
DJ: How do attacks occur?
Perez-Etchegoyen: Successfully exploiting a vulnerable system allows an attacker to execute a wide range of malicious activities, particularly if the exploitation of a vulnerability enables a malicious actor to access business-critical applications that lie at the centre of every organisation. This could lead to significant impact on vital business areas such as supply chains and manufacturing processes, and even allow threat actors to redirect financial payments and compromise highly sensitive and potentially heavily regulated data.
That’s why mitigating the risk to critical business systems and applications from human error or newly added, complex systems or technologies will need to continue being any organisation’s number one priority in 2023.
DJ: Is greater reliance on the cloud exposing more risk for businesses?
Perez-Etchegoyen: It’s indisputable that the world is now adopting cloud computing at an increasingly swift pace. In fact, many organisations across the UK are describing themselves as being “cloud-first” entities as they continue to prioritise the use and adoption of cloud-based offerings when looking to procure new technologies. While this is leading to increased efficiency, productivity and oftentimes, safety, for these organisations, the rapid adoption of cloud also brings with it a number of new security concerns, fuelled in many cases by the lack of clarity in the responsibilities of implementing and maintaining security, when it comes to cloud deployments.
Over-reliance on the cloud without thought for the security of the applications and services on the cloud can leave business critical applications exposed to threats, especially as the severity of attacks on software supply chains – which target less secure elements within the supply chain – are likely to increase in the coming year.
DJ: Is there increased exploitation of connectedness between applications and systems?
Perez-Etchegoyen: As organisations become increasingly digital, adopting new technologies, applications and services in order to innovate, improve efficiencies, ensure resilience and remain competitive, they’re also becoming increasingly connected. This is by virtue because all of these technologies need to be able to communicate with each other in order to ensure the effectiveness of business processes while reducing data duplication and redundancy.
However, these interconnections and API(s) introduce unique vulnerabilities into software systems, providing an opening for attackers to inject malicious code into any of the applications connected through insecure communications. The Log4j vulnerability is a particularly clear example of this exposure to cybersecurity risk as the vulnerable component is used by countless applications and is potentially exploitable from open API(s) that are required by the applications. However, this opens the door for malicious activities across an entire system or network.
Log4j is an open-source logging library which is commonly used by apps and services across the internet and in the next year, threat actors will continue to take advantage of unpatched Log4j vulnerabilities, which the Director of US Cybersecurity and Infrastructure Security Agency Jen Easterly has called the most serious vulnerability she’s seen in her career, while also increasing their focus on exploiting open-source libraries.
DJ: What will happen with geopolitical tensions?
Perez-Etchegoyen: It comes as no surprise that as geopolitical tensions continue to rise across the world, enterprises are increasingly hyper-focused on ensuring their resilience to such geopolitical risk by prioritising infrastructure security within 2023. However, cybersecurity within the public sector is still seriously lacking, especially as the security of the personal information of private citizens which the sector is tasked with handling on a daily basis is vital to privacy and to compliance with data protections laws and regulations.
Over the course of 2022 we saw countless attacks on healthcare, education, utilities and other critical avenues of the public sector. Given rising tensions, tackling this is all the more crucial going into 2023 and it is something that will become a top priority on government agendas over this next year. We can see this already coming to fruition in the decision by Australia to develop a new cybersecurity strategy following a series of heavy attacks on the country.
DJ: Do we need new ways of thinking about cybersecurity?
Perez-Etchegoyen: Often the approach taken to protect business-critical applications by enterprises is a broad “defence-in-depth” security model whereby layers of technology are applied to protect critical systems. However, this approach does not give enough consideration to the security of each application itself, leaving enterprises exposed to attackers looking to take advantage of existing vulnerabilities.
Additionally, the current challenges of volatile and shrinking economies across the globe means that cybersecurity spending will need to be more curated and targeted in order to deal with growing (and increasingly sophisticated) threats. As such, organisations will be thinking more deeply about the cost of an attack and will look to improve their protection moving into 2023. Vulnerability management capabilities which are specifically designed to protect an organisation’s most business-critical assets and systems will therefore play a vital role in cybersecurity strategy in the next year.