We’re already two months into 2023, and cyber risk remains high on the list of high-alert challenges for the year. The World Economic Forum recently highlighted “widespread cyber crime and cyber insecurity” as one of its top 10 global risks in its 2023 Global Risks Report. Global economic turmoil, geopolitical crises and technology industry layoffs add to the concerns, as C-suite leaders already struggle with understanding the impacts and visibility into cyber and IT risk.
This volatile backdrop calls for ongoing agility and cyber resilience. In addition to our top 10 Cyber Risk Trends Report, here are 10 cyber risks to prepare for in 2023.
According to Verizon, ransomware attacks saw a 13% increase over the past five years, with the first two quarters of 2022 documenting 236.7 million ransomware attacks worldwide. As organizations employ complex countermeasures to tackle ransomware and manage cyber risk, attackers are resorting to increasingly sophisticated infiltration techniques, including the use of AI and the availing of ransomware-as-a-service (RaaS). Educating your teams on ransomware and mounting equally sophisticated defenses is key.
By 2025, Gartner expects 45% of firms to have suffered supply chain attacks, up threefold from 2021, making it an important cyber risk to make note of. Today, with highly interconnected risks and hundreds if not thousands of third and fourth-party IT vendors within the chain, a cyber attack can result in accessing a company's networks, data theft, and operational disruption, resulting in financial losses and reputational damage.
A strong third-party vendor risk management program, from onboarding to offboarding, can help plug the gaps. Consider not only critical suppliers but also incorporate automation and AI to expand your risk monitoring and assessment to as many of your third parties and their suppliers as possible. You never know where risk can come from.
A cloud security gap is a weakness or vulnerability in an organization's cloud security posture. According to a Gartner survey, misconfigurations of the cloud environment can cause 80% of all data security breaches, making it a critical source of cyber risk. Causes include:
Implementing cyber risk controls, deploying technology for continuous control monitoring of the cloud environment, and training staff to identify and report security issues are vital steps to help address cyber risk stemming from cloud security gaps. Cloud-first models are here to stay (as we discuss in our 2023 Cyber Risk Trends Report) and that’s a great thing – and securing the risk will keep them, and you, safe.
Check out 2023's Top Cyber Risk Trends:
The Ponemon Institute's 2022 Cost of a Data Breach Report found that critical infrastructure data breaches cost $4.82 million, $1 million more than other industries. This covers losses, recovery fees, and equipment damage. Cyber risk due to software vulnerabilities in critical infrastructure can cause service outages, injuries, and financial losses. In addition, cyberattacks can infect PLCs (programmable logic controllers) with malicious instructions that have nationwide ramifications. The associated cyber risks can further increase as businesses connect operations and machines to the internet to collect and exchange data and make remote control more convenient.
One memorable example is the Colonial Pipeline data breach, which put cyber risk and security on board agendas around the world. As in all things cyber risk related, that means guarding your critical assets and infrastructure with extra care – and to take the usual cyber precautions. In the case of Colonial Pipeline, according to Reuters, a giant oil pipeline was brought down because a legacy VPN did not have multi-factor authentication. That’s a classic case of inadequate cyber hygiene.
Data poisoning is a cyberattack when an attacker inserts erroneous data into a dataset to disrupt machine learning. This could include adding malicious data points to a training dataset, altering labels, or introducing noise. According to Gartner's 2021 Top Tech trends, 30% of AI hacks on ML-powered systems will include training data poisoning, model theft, or adversarial samples. From a cyber risk perspective, the repercussions can be drastic. For instance, a healthcare company using machine learning to predict patient outcomes can endanger patients if the dataset is poisoned.
Microsoft’s Digital Defense Report 2022 found that cyberattacks by nation-states targeting critical infrastructure jumped from 20% to 40%. Hackers from nation-states have targeted hundreds of thousands of systems globally and are not limiting the attacks to governments alone. The report highlighted that 79% of nation-state attacks target enterprises, making it an important cyber risk challenge.
A Wall Street Journal article cites the ever-growing regulatory demands as a top concern for 2023. In a recent survey, 36% of respondents felt that evolving legislation and regulations were a significant risk as they increased the chances of companies' non-compliance, either knowingly or unknowingly.
Top cyber regulations include those surrounding data privacy (EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA); incident reporting (New York State Department of Financial Services (NYDFS) Cybersecurity Regulation); industry-specific regulations (Health Insurance Portability and Accountability Act—HIPAA); third-party compliance (Payment Card Industry Data Security Standard—PCI DSS); cybersecurity standards (ISO 27000 Standards and the NIST Cybersecurity Framework) and digital services and networks (Network and Information Systems (NIS) Directive).
Deep fakes are synthetic media that use AI and ML to manipulate or generate realistic video, audio, and images. Gartner blogger Avivah Litan points out that "Detecting Deep Fake objects is a losing proposition in the long run," as "determined adversaries" will use Generative Adversarial Networks (GAN) to create their objects, reducing detection to as low as 50%. With bad actors using deep fakes to evade security controls and defraud businesses, it is increasinly becoming a credible cyber threat.
Similarly, new generative AI tool ChatGPT also creates cyber threats. Just as it can credibly create marketing copy, it can also duplicate code, create convincing phishing emails by copying the style of real people, etc. It offers real opportunity – and real risks.
The 2022 Cost of Insider Threats Report indicates that insider threats – cyber risks from employees, whether intentional or not -- have increased by 44% over the last two years, and costs per incident have risen to $15.38 million. Taking a more stringent view of insider risk as part of an organisation’s cyber risk strategy with continous monitoring of security and privacy controls is the need of the hour. These include the always necessary creation of a culture of security awareness, controls such as blocking of USB access/flash drives, immediate offboarding of employees/contractors, safeguards/role-based access to sensitive information, etc.
IoT expansion has led to an increase in the "surface area" of attacks by malicious actors. According to the State of IoT—Spring 2022 report, the market for the Internet of Things is expected to grow by 18% to 14.4 billion active device connections. By 2025, there will be approximately 27 billion connected IoT devices—making it vital for organizations to take active steps to mitigate the cyber risks posed by IoT surface expansion.
CyberGRC, an interconnected, intuitive, and intelligent GRC product from MetricStream, enables your company to integrate cyber risk data from across the enterprise and use actionable business intelligence to enhance cyber resilience.
With CyberGRC your organization can:
Learn how MetricStream CyberGRC can help you effectively manage and mitigate cyber risk in 2023.
Request a personalized demo to see how our product works.
Read the eBook: Top 10 Cyber Risk Trends in 2023 and Beyond
Download the Analyst Report: Cyber-Risk Appetite: How to Put the ‘Business’ in ‘Managing Cybersecurity as a Business Decision’