Gabi Power Jan 30, 2023 12:06:02 PM 29 MIN READ

6 Cybersecurity Predictions for 2023

2022 was a year of significant activity in the cybersecurity world, marked by numerous high-profile cyberattacks and data breaches, a spike in geopolitical tensions resulting in cyberwarfare, and the persistent growth of ransomware attacks. As cybercriminals harness new technologies to their advantage, 2023 promises to be equally, if not more, eventful.  

The cybersecurity threat landscape is constantly evolving, and with the added pressures of inflation, cost of living, and energy crises, as well as ongoing conflicts, it has never been more crucial for businesses to adopt new defence strategies, or for governments, regulators, and other stakeholders to demand greater accountability from companies involved in cyber incidents.

1. Governments will place greater importance on bolstering cybersecurity

The global cybersecurity threat landscape is constantly evolving, and as technologies continue to advance, governments are becoming more vulnerable to attacks. The development of tools like ransomware-as-a-service kits makes a hacker’s job easier, and constant upgrades to hardware and software create vulnerabilities that provide entryways for attacks, posing a great risk to businesses and critical infrastructure. In these tumultuous times, it’s imperative that governments act before it’s too late.

Last year we asked if you thought your government was doing enough to combat the rise of cybercrime. Here were the results:  

It was evident that the majority of voters believed their government was not doing enough, or at the very least, they were unsure, which perhaps showed a lack of transparency. So, what exactly are they doing?  

In late 2022, within the span of a month, seven Australian businesses with household recognition publicly identified breaches to their networks that resulted in customer information being leaked. This caught the attention not only of the media but also of the newly elected federal government at the time, with incoming Home Affairs and Cybersecurity Minister Clare O’Neil stating, “It’s now my job to turn this set of unbelievable disasters into a permanent step-change in cybersecurity for our country,” and declaring that she wanted Australia to be the most cyber-secure country in the world by 2030.

O’Neil’s plan of action involved funnelling more money into cybersecurity and increasing the protection of government networks, and in December, she appointed an Expert Advisory Board to assist with the development of a new Cyber Security Strategy.  

Of course, bolstering a nation’s cybersecurity doesn’t happen overnight, but AustCyber has stated that the Australian Government is planning to take these steps in 2023 to help protect individuals and businesses from advancing cyberattacks:

  • Strengthening the government’s own cyber security infrastructure 
  • Implementing new regulations and standards for businesses 
  • Developing a national cyber security strategy 
  • Improving the cyber security of critical infrastructure  
  • Cooperating internationally to address cyber security challenges 
  • Recognising the need for a greater focus on cyber security literacy and training  

But Australia isn’t the only country ready to take action. In November 2022, the US’s Cybersecurity and Infrastructure Security Agency (CISA) released its 2023-2025 Strategic Plan – its first comprehensive plan since its establishment in 2018. Over the next three years, their four major goals are:  

  • Spearhead the national effort to ensure the defence and resilience of cyberspace 
  • Reduce risks to, and strengthen the resilience of, America’s critical infrastructure 
  • Strengthen whole-of-nation operational collaboration and information sharing 
  • Unify as One CISA through integrated functions, capabilities, and workforce 

In that same month, the Department of Defense (DOD) released a Zero Trust Strategy and Roadmap, which “goes into detail on how the department will implement zero trust to achieve a stronger cybersecurity posture over the next five years”. The Biden administration is also expected to soon release a national strategy, which will call for comprehensive cybersecurity regulation – a first for the US.  

At the time of writing, nations from around the globe are gathering in Vienna, with the assistance of the UN, to negotiate and develop a Cybercrime Treaty. First proposed in 2019, this is the fourth meeting the committee has held and is expected to be the most influential, with the group focusing “solely on the provisions about what actions should be criminalized and the law enforcement mechanisms surrounding them.” A 21-page first draft of the treaty was also released in November 2022, and once finalised, is expected to “jumpstart a wave of new laws around the world based on the agreed-upon principles in the document.”  

2. Companies will be held accountable for their involvement in cyber incidents

In years gone by, lenient laws and regulations around cybersecurity and data protection allowed many businesses to escape from cyber incidents relatively unscathed, with many avoiding reporting attacks completely for fear of reputation damage and legal or financial repercussions. More recently, bodies such as the EU’s General Data Protection Regulation (GDPR) have stepped up and endeavoured to change this, drawing attention to incidents and handing out enormous fines to those who haven't complied with the law. In 2022, however, we saw governments also taking notice of the growing cybersecurity threat landscape and making changes to their cybersecurity regulations and policies, or at least opening discussions.

In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules, titled ‘Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’, that would require public company boards to disclose the cybersecurity expertise of their corporate directors. If introduced, the intention would be to build boards that have a thorough understanding of cyber risk, and how this should be integrated into business strategy and financial oversight. More importantly, it would help to build transparency between companies and investors and would ensure they’re held accountable in the case of an incident, rather than hiding behind inadequate knowledge or skillsets.  

At the time, we asked Craig McDonald’s LinkedIn network whether they believed the cybersecurity expertise of directors should be disclosed by corporate boards. Here are the results:

Fortunately, the majority were in favour of the change, because it’s anticipated that the SEC’s Cybersecurity Disclosure Requirements will come into effect in the US in 2023. However, the requirements will extend beyond simply reporting the cybersecurity expertise of board members.

As it stands, the US does not have any federal law that forces businesses to report cyber incidents or data breaches. Instead, under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, they are “encouraged” to report any unusual cyber behaviour or cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). The introduction of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule would change this. Under the new rules, companies would be required to disclose material cybersecurity incidents to the SEC within four business days.  

Similarly, Australia introduced reforms to its Security of Critical Infrastructure Act 2018, under which, as of July 2022, “businesses in specified sectors or critical infrastructure asset classes are now required to report cyber security incidents to the Australian Cyber Security Centre (ACSC) within 12 hours.” These reforms mean that cyber incidents can no longer be swept under the rug.

While these reforms certainly help to create transparency between stakeholders and businesses and, in turn, help to hold companies accountable for their part in cyber incidents, regulators around the world are also tightening data security policies and dishing out large fines.

The GDPR has been operating since 2018, and in September 2022 it hit Meta with a €405 million fine, the second biggest fine issued so far. Meta was hit again in November with a €265 million fine, the fourth biggest, and in January 2023, the GDPR started the year strong by issuing Meta with a €390 fine. However, Meta isn’t the only business that the GDPR has its sights set upon, and we can expect to see more fines issued throughout the year for non-compliance.

Outside of the GDPR’s jurisdiction, other regulators have followed the same lead to continue tightening data security policies, and businesses are being held accountable for mismanagement. In October, Australia tabled amendments to the country’s privacy law that are set to come into effect in 2023 which would increase the maximum fine for repeated or serious privacy breaches from $2.2 million AUD to $50 million, or “30% of the company’s revenue for the relevant period if that amount exceeded $32 million.” In July 2022, China’s cybersecurity regulator set a precedent for businesses by fining ride-sharing company Didi 8 billion yuan (US $1.28b) following a year-long investigation where they were found to have violated data security laws and misused personal information. This is only the tip of the iceberg of what we can expect to see in the coming year.  

3. ChatGPT will transform the cybersecurity industry 

In the two months since its release in late November 2022, ChatGPT has taken the world by storm. Within a few days, social media was flooded with posts and videos highlighting the chatbot's amazing features, and the hype hasn't died down yet. The app already boasts 75 million unique monthly users, and we can expect that this number will only continue to grow throughout the year. 

Although ChatGPT isn't the first chatbot to have existed, it is the first with a dataset of this size. The current version of ChatGPT (GPT-3) was trained on 570 gigabytes of text and has 175 billion parameters, making it “able to perform tasks it was not explicitly trained on, like translating sentences from English to French, with few to no training examples”. With each conversation, it's learning more and more.

GPT-3 is so promising that in the midst of laying off almost 5% of their workforce, Microsoft announced they were investing $10 billion into the software. With CEO Satya Nadella referring to AI as “the next major wave of computing” the week prior, “the new deal is a clear indication of the importance of OpenAI’s technology to the future of Microsoft and its competition with other big tech companies like Google, Meta and Apple.”  

From a cybersecurity perspective, there are a number of positives about the release of ChatGPT. By far one of the greatest benefits of the chatbot is its threat detection capabilities. Security teams can use the service to analyse large amounts of data, such as log files and network traffic, to identify unusual behaviour or communication patterns that may indicate a cyberattack. This even extends to spam/scam classification. On the other hand, to reduce the potential of cybercriminals using the service, ChatGPT also has strict content policies which prohibit individuals from using the chatbot to generate malicious content and it will deny outright requests if it detects misuse.

On top of this, the chatbot can also be a valuable tool for businesses to educate non-technical stakeholders about complex security problems or concepts. By being able to generate explanations in a human-like manner, it can “translate” tech jargon into everyday language, helping to bridge the gap between technical and non-technical team members, and allowing for better communication and understanding of potential risks.  

However, with concerns about plagiarism and the negative impact on learning, school systems around the globe have begun to ban the use of ChatGPT on their devices and networks, and their concerns are not unfounded. The chatbot itself recognises the potential for plagiarism:

Questions have also been raised about the accuracy of the app’s output. Because ChatGPT is a machine learning model, its performance is highly dependent on the diversity and quality of the data that it’s trained on. For day-to-day personal use, this may not be significant, but in cybersecurity, these inaccuracies can be problematic. For example, if a business is reliant on the software for incident detection, there’s a potential that they may receive a false positive or negative, leading to a security incident being wrongly identified or overlooked. This can also be affected by the potential of ChatGPT developing a bias from the information it learns, which can lead to discrimination against certain groups of people or organizations; for example, it could block incoming traffic or classify something as spam based purely on the bias.

Although ChatGPT's content policy prohibits using the service to create malicious content, users have already found ways to bypass these restrictions. This means that even entry-level cybercriminals can use the chatbot to generate sophisticated phishing emails and websites, BEC messages, and malicious code in seconds, posing a huge threat to businesses that are trying to defend against attacks. 

In the right hands, it's an incredible tool. In the wrong hands, ChatGPT is a serious cybersecurity threat. This year we can expect to see the full effect that the chatbot has on the industry - the good and the bad. 


4. Critical infrastructure will remain a big target for cyberattacks

According to Microsoft’s Digital Defense Report, attacks on critical infrastructure doubled in 2022. To add to this further, 40% of all nation-state attacks around the world were targeting critical infrastructure. The report states that this dramatic increase is due in part to Russia’s attempts to damage the infrastructure of Ukraine’s allies as the war raged on through the year.  

Other attacks are often carried out with the intention of causing widespread destruction. Hackers try to hit governments and countries where it’ll hurt most by targeting power grids, water suppliers, telecom networks, and government agencies – in other words, the assets that are “so vital to a nation’s security or economy that everything could collapse without them.”  

This was seen in Australia in September 2022, when Optus, one of the country’s biggest telecommunications companies, was targeted in an attack. The hacker stole names, dates of birth, phone numbers, addresses, passports, healthcare, and driver’s licence details belonging to 9.7 million customers, in what is considered one of the biggest data breaches in Australian history.  

After it became clear the telco would not pay a $1 million ransom, and with the attack drawing the attention of the entire nation, the hacker uploaded the information of 10,000 customers online. Days later, however, they stated that there were too many eyes on the situation, apologised for their involvement in the attack, and promised that they had deleted the only copy of the data and would not upload any further files. Yet chaos continued to ensue, with millions of customers having to get new identity documents, and Optus facing ongoing backlash from the government and the public.

Experts suggest that these targeted attacks on critical infrastructure are likely to increase through 2023. In its Global Risks Report 2023, the World Economic Forum named “cyberattacks on critical infrastructure” as the 5th biggest risk that is currently manifesting, following the energy supply crisis, cost-of-living crisis, rising inflation, and food supply crisis.

5. Ransomware attacks will continue to advance and rise

In 2022, there was a 13% increase in ransomware attacks compared to 2021 – and it’s expected that 2023 will follow a similar trajectory.  

For businesses, ransomware is one of the most dangerous, costly, and unrelenting threats. In fact, it’s one of the fastest-growing threats that they currently face. According to Splunk’s 2022 State of Security report, almost 80% of organisations have experienced a ransomware attack, and 35% of those reported that an attack had led them to lose access to their systems and data. On top of this, 66% stated that either they or their insurance company had made a payment to reclaim stolen data.  

For cybercriminals, ransomware has proven again and again to be a successful and lucrative method of attack, and due to the secrecy of their work, there’s still little risk of prosecution. Nowadays, all that’s needed for an individual to start a career in cybercrime is a credit card (and perhaps a lack of a moral compass), thanks to the boom of the ransomware-as-a-service (RaaS) economy.

Over the past couple of years, we’ve seen cybercriminals continue to develop more effective, repeatable techniques, aiding the RaaS industry in its growth. Now, even low-level cybercriminals can pay a fee to access already-developed ransomware which enables them to execute highly successful attacks at a speed that even the most advanced security teams would struggle to keep up with. 

Last year, IBM X-Force released a study that revealed that from 2019 to 2021, the average duration of ransomware attacks dropped from more than two months to just over three days. This means that the time businesses have to respond to attacks is reduced by 94%. The use of RaaS reduces the window for businesses to respond to and mitigate an attack even further.  

Of particular concern is the emergence of LockBit, which is one of the most prolific ransomware strains currently on the market. In 2022, LockBit was used in approximately half of ransomware attacks, most likely due to its success rate and speed. When tested, LockBit moved at lightning pace, encrypting 100,000 files in a median time of only 5 minutes and 50 seconds, and at its quickest, encrypted 25,000 files in a minute. And it’s only continuing to evolve.  

Discussing the outlook for ransomware in 2023, VP of Privacy, Safety and Security at Google, Royal Hansen, stated:
“Globally, we’ll see the continued growth and prominence of ransomware attacks across [the] public and private sectors. Across the wider attack surface, industry-specific threats and capabilities will grow, affecting verticals including healthcare, energy, finance and more.” 

For businesses looking to help reduce the risks of a successful ransomware attack, the Australian Cyber Security Centre offers the following advice:

  • Update your device and turn on automatic updates 
  • Turn on multi-factor authentication 
  • Set up and perform regular backups (including to an offline external storage device) 
  • Implement access control 
  • Turn on ransomware protection 
  • Prepare your cyber emergency plan  

6. ‘Zero Trust’ will become more widely adopted  

With businesses aiming to secure their networks as they continue to operate remotely or in a hybrid model, research firm Gartner is anticipating that in 2023, businesses will shift away from virtual private networks (VPNs) and instead use zero trust network access (ZTNA), a security solution that allows secure remote access to an organisation’s resources, such as applications, data and services, based on predefined access policies. Gartner has forecast that ZTNA will be the fastest-growing network security segment and is predicted to grow 31% in 2023 alone.

As the name suggests, the ‘Zero Trust’ model of security operates on the philosophy of trusting no one. The model requires all internal and external users to continually provide authentication, authorization, and validation in order to acquire and keep secure access to applications and data on an enterprise network. Most importantly, zero trust gives organisations the ability to control access to systems regardless of where the user is located. This prevents hackers from being able to access all of your data through a single entry point. Instead, they’ll have to prove, or rather forge, their identity every step of the way.
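The difference between VPN-style perimeter trust and per-request zero trust checks can be shown with a small policy decision sketch. This is an added example, not code from the original article or from any vendor product; the policy table, field names, re-authentication interval and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy table (hypothetical): resource -> roles allowed to use it.
ACCESS_POLICY = {
    "payroll-db": {"finance"},
    "wiki": {"finance", "engineering", "support"},
}
MAX_SESSION_AGE_MIN = 60  # assumed re-authentication interval


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    on_corporate_network: bool  # e.g. connected through the VPN
    mfa_verified: bool          # authentication
    device_compliant: bool      # validation of device posture
    session_age_min: int        # minutes since the last re-authentication


def perimeter_decision(req: Request) -> bool:
    """VPN-style model: anything inside the network is trusted."""
    return req.on_corporate_network


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Check identity, device and policy on every request; location is ignored."""
    if not req.mfa_verified:
        return False, "authentication failed"
    if req.session_age_min > MAX_SESSION_AGE_MIN:
        return False, "re-authentication required"
    if not req.device_compliant:
        return False, "device failed validation"
    if req.role not in ACCESS_POLICY.get(req.resource, set()):
        return False, "role not authorised for resource"
    return True, "allowed"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # A support account on the VPN reaching for a finance resource.
    Request("support-01", "support", "payroll-db", True, True, True, 5),
    # A finance user working remotely, off the corporate network.
    Request("finance-07", "finance", "payroll-db", False, True, True, 10),
    # The same finance user on the VPN, but from a non-compliant device.
    Request("finance-07", "finance", "payroll-db", True, True, False, 10),
]


def compare(requests: List[Request]) -> List[Tuple[str, bool, bool, str]]:
    """Return (user, perimeter result, zero trust result, reason) per request."""
    rows = []
    for req in requests:
        allowed, reason = zero_trust_decision(req)
        rows.append((req.user, perimeter_decision(req), allowed, reason))
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(row)
```

The first and third requests are the ones a perimeter model lets through purely because of network location, which is the single entry point the zero trust checks remove.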

 

With the increasing number of high-profile data breaches and cyberattacks and the continuing difficulties that businesses face securing their networks as remote work endures, it’s not surprising that companies are searching for more robust security measures to protect their systems and data, although they seem to have been slow to adopt new changes. A study conducted in 2022 showed that 97% of the IT and security professionals that were surveyed viewed zero trust as a priority for their organisation. “However, only 14% are in the early stages of adopting a zero trust model, while just 17% have actually started to roll it out.” Throughout 2023 we can expect to see more organisations embracing a zero trust model in an effort to secure their data.

 

Protect your business in 2023  

Did you know that approximately 95% of successful cyberattacks are due to human error? All it takes is a distracted employee clicking on a malicious link or paying a phony outstanding invoice to clear the clutter.  

Most businesses don’t consider fortifying their businesses' defences until they’ve suffered from a cyberattack or had a near miss. Don’t wait until it’s too late.  

MailGuard offers cloud-based email filtering which anticipates, predicts, and learns from emerging threats, such as phishing, spear-phishing, and malware, keeping email users safe from harm up to 48 hours ahead of competitors.  
