Caroline Wong is the Chief Strategy Officer at Cobalt, a cybersecurity company with a focus on Pentest as a Service (PtaaS).
The beginning of the year is a time to reflect on successes and challenges of the previous year. Last year, layoffs, cyberattacks and data breaches were rampant among tech companies.
Before diving into how the cybersecurity industry evolved, however, let's take a closer look at what has remained the same. Compare the first OWASP Top 10 list of common web application risks, published in 2003, with the 2021 edition and the two are alarmingly similar. The categories in the OWASP Top 10 have stayed fairly consistent for nearly two decades, in large part because fixing security vulnerabilities can be expensive and time-consuming.
With the introduction of new technology, cybercriminals develop “new” attacks, but the risks are similar even if the medium is different. Whether it’s in the metaverse or via email, obtaining financial or personal data is usually the end goal for attackers. Any effective approach to solving modern security issues requires significant involvement of people and processes.
As we begin a new year, I have compiled my predictions for what businesses and consumers alike should focus on.
Increased Scamming: Phishing, Smishing And Everything In Between
Social engineering attacks, of which phishing is the most common form, remain one of the biggest security threats facing consumers and businesses. Whether it takes the form of a fake shipping notification, a password reset request for a bank account or a message from your "boss" asking you to buy gift cards, these attacks are getting both more sophisticated and more common.
Phishing via text message, known as SMS phishing or smishing, is also on the rise as more people shop on their smartphones. Parents of school-aged children face a related threat: ransomware and other malware on school-issued devices. Educational institutions rely increasingly on outside vendors and must invest in their security posture when adopting new technology programs, because confidential student records and financial details are all at risk in a school breach.
Phishing messages play on emotion and manufacture a sense of urgency, with the ultimate goal of extracting money or personal information. One useful test is who initiated the contact: scammers almost always reach out first, so an unsolicited message that demands an immediate response deserves suspicion. Most phishing attempts can be debunked with a little due diligence: step back, evaluate the request calmly and objectively, and verify it through a channel you already trust rather than the phone number or link the message supplies.
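The signals above (an unsolicited sender claiming an internal role, urgency language, a financial lure) can be turned into a first-pass triage check. The following is an added example, not the author's or Cobalt's tooling: both messages are constructed for the illustration, and the trusted domain, word lists and look-alike rule are assumptions a simple filter might use.

```python
"""Heuristic triage of a suspicious e-mail.

Added illustration, not the author's or Cobalt's tooling. The messages are
constructed for the example, and the scoring rules (trusted domain, urgency
and lure word lists, look-alike rule) are assumptions a first-pass filter
might use.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a "boss" asking for gift cards from a look-alike domain,
# with replies silently redirected to a third domain.
SAMPLE_PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: ceo.urgent@mail-example.net
To: analyst@example-corp.com
Subject: URGENT - need this handled today

I'm stuck in a meeting and can't talk. I need you to buy 5 gift cards
right now and send me the codes ASAP. Keep this confidential.
"""

# Constructed benign message from a colleague, for comparison.
SAMPLE_BENIGN = """\
From: "Alice Smith" <alice@example-corp.com>
To: analyst@example-corp.com
Subject: Lunch on Thursday?

Want to grab lunch Thursday? The new place on 5th just opened.
"""

TRUSTED_DOMAINS = {"example-corp.com"}   # assumption: the organization's own mail domain
URGENCY_WORDS = ("urgent", "asap", "right now", "immediately", "today")
LURE_WORDS = ("gift card", "wire transfer", "reset your password", "verify your account")
# Digit-for-letter swaps commonly used in look-alike domains (1 -> l, 0 -> o).
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str, trusted_domains=TRUSTED_DOMAINS):
    """Return (score, reasons) for a raw RFC 822 message. Each heuristic that
    fires adds one point; the reasons list explains the verdict to an analyst."""
    msg = message_from_string(raw)
    reasons = []

    _display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr) or from_domain

    # Who initiated contact: an external sender presenting as an insider.
    if from_domain not in trusted_domains:
        reasons.append(f"external sender domain: {from_domain}")
    # Replies go somewhere the visible From address does not point.
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Look-alike domain: after undoing digit substitution it matches a trusted one.
    if from_domain not in trusted_domains and from_domain.translate(LOOKALIKE_MAP) in trusted_domains:
        reasons.append(f"look-alike of trusted domain: {from_domain}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    urgency = [w for w in URGENCY_WORDS if w in text]
    if urgency:
        reasons.append(f"urgency language: {', '.join(urgency)}")
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        reasons.append(f"financial/credential lure: {', '.join(lures)}")

    return len(reasons), reasons


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` independent heuristics fire."""
    return score_message(raw)[0] >= threshold


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)}")
        for r in reasons:
            print("  -", r)
```

The threshold is deliberately set so that a single signal (an external sender, or one urgent word) is not enough on its own; it is the combination of an outsider, a redirected reply path and a money request that makes the constructed message score highly, which mirrors the "step back and evaluate" advice above.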
Stress From Decreased Cybersecurity Budgets And On-going Talent Shortage
In 2022, many industries, tech in particular, made the difficult decision to reduce budgets and headcount. Cybersecurity departments were not spared, and cost reduction can translate directly into greater security risk, increasing exposure for organizations whose digital infrastructure is already vulnerable.
Insider threats may become more prominent as cybersecurity staff shrink and active security controls lapse after layoffs. With fewer people watching, something as small as a misconfigured file share can hand an attacker a broken access control flaw: for example, a download link that returns a file to anyone who knows its identifier, not just the people it was shared with.
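What that file-sharing oversight looks like in code, as an added example that is not from the author or Cobalt: the vulnerable version checks only that a session exists and then trusts the file ID from the request, while the fixed version authorizes the specific object. The in-memory store, user names and file IDs are constructed for the illustration.

```python
"""Broken access control in a file-sharing download, vulnerable beside fixed.

Added illustration, not code from the author or Cobalt. The in-memory store,
user names and file IDs are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SharedFile:
    file_id: int
    owner: str
    contents: str
    shared_with: set = field(default_factory=set)


# Constructed sample store: alice shared payroll with bob; carol shared nothing.
FILES = {
    101: SharedFile(101, "alice", "Q4 payroll figures", {"bob"}),
    102: SharedFile(102, "carol", "board minutes, confidential"),
}


class AccessDenied(Exception):
    pass


def download_vulnerable(user: str, file_id: int) -> str:
    """Checks only that *someone* is logged in, then trusts the file_id from
    the request. Any authenticated user can fetch any file by guessing IDs:
    an insecure direct object reference, the classic broken access control."""
    if not user:
        raise AccessDenied("login required")
    return FILES[file_id].contents


def download_fixed(user: str, file_id: int) -> str:
    """Authorizes the object, not just the session: the caller must own the
    file or appear on its share list. Missing and forbidden files raise the
    same error so an attacker cannot enumerate which IDs exist."""
    if not user:
        raise AccessDenied("login required")
    f = FILES.get(file_id)
    if f is None or (user != f.owner and user not in f.shared_with):
        raise AccessDenied("file not found")
    return f.contents


def is_allowed(download, user: str, file_id: int) -> bool:
    """True if `download` returns the file for this user, False if it denies."""
    try:
        download(user, file_id)
    except (AccessDenied, KeyError):
        return False
    return True


if __name__ == "__main__":
    # bob was only ever given file 101, yet the vulnerable version hands him 102.
    print("vulnerable, bob -> 102:", is_allowed(download_vulnerable, "bob", 102))
    print("fixed,      bob -> 102:", is_allowed(download_fixed, "bob", 102))
    print("fixed,      bob -> 101:", is_allowed(download_fixed, "bob", 101))
```

The important design choice is that the authorization decision is made per object, against the share list stored with the file, rather than inferred from the fact that a request arrived with a valid session. Returning "file not found" for both missing and unauthorized IDs is a small extra step that keeps the endpoint from confirming which identifiers are worth probing.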
As we move into 2023 amid economic turmoil, businesses continue to look for ways to tighten their purse strings. Unfortunately, cybersecurity teams are among those being cut, and the consequences are widespread. According to Cobalt's 2022 State of Pentesting Report, 90% of respondents whose teams have suffered shortages or lost members are struggling with workload management: maintaining a high standard of work, consistently monitoring for vulnerabilities, and monitoring for and responding to security incidents.
Teams feel the stress of fewer members and the heavier workload that follows, and in turn businesses open themselves up to vulnerabilities and potential attacks as they cut positions and push the remaining staff toward burnout.
Keeping Up With Smart Technology And The Expanding IoT World
Technology is becoming more ingrained in every aspect of our lives. Self-driving vehicles and EVs, for example, create an entirely new ecosystem of cybersecurity risk: the vehicles and the algorithms that control them are both internet-connected and heavily dependent on software.
That combination of connectivity and software dependence makes self-driving vehicles especially exposed as the technology becomes commonplace. OWASP risks such as sensitive data exposure (listed as Cryptographic Failures in the 2021 Top 10) are a concern in this ecosystem because of the volume of personal information involved. As driverless testing continues, personal smart vehicles and smart car fleets alike need intentional, proactive cybersecurity measures: in the event of an attack, passengers could be dangerously rerouted or even driven off the road.
Keeping an up-to-date inventory of IoT devices better prepares organizations for breaches and helps close holes in their ecosystem. Compromised IoT devices can cause a range of problems that affect both operations and privacy: disruptions in the supply chain, the inability to use vital equipment in industries such as healthcare, or an entry point for an attacker that leads to the loss of confidential or critical data. A breached IoT device can give attackers access to sensitive customer data, including names, identification numbers and Social Security numbers.
Anything connected to the internet, or stored on it, is at risk. Before developing an IoT security strategy, conduct an initial risk analysis. Whether it's a fleet of security cameras or a smart coffee machine, every device belongs in that conversation regardless of its use case. The next step is to categorize each device by its level of connectivity and the kinds of data it transfers.
When planning for 2023, security teams must not underestimate potential vulnerabilities, big or small. A good place to start is the basics, like the OWASP Top 10. Cybersecurity awareness and education are another key way for businesses and individuals alike to protect themselves from security threats. Let's all resolve to improve our cybersecurity posture in 2023.