#1: Start thinking ahead to cybersecurity concerns in the metaverse
The metaverse, digital twins, and similar advanced technologies will present new security challenges for organizations and individual users. Artificial intelligence solutions will be needed to validate the legitimacy of identities and controls.
When we think of the metaverse today, we often envision immersive gaming environments such as Fortnite. However, the metaverse will eventually reach beyond gaming into nearly all aspects of business and society. This new type of digital interface will present unforeseen security risks when avatars impersonate other people and trick users into giving away personal data.
We are already seeing significant attack patterns that compromise users who click on a bad file or a malicious link. It could be a credential-harvesting ploy conducted through a spoofed URL, or a social engineering attack launched through a natural language message that triggers malware or ransomware. Then there are doctored videos of synthetic media “deep fakes” which can cause viewers to question whether someone or something they see is real or fake. We also find this trend with digital twins that allow users to conduct physical facility maintenance remotely through a digital environment. We can expect to see more of these holographic-type phishing attacks and fraud scams as the metaverse develops.In turn, folks will have to fight AI with stronger AI because we can no longer rely solely on the naked eye or human intuition to solve these complex security problems.
#2: Threats will increase from nation-state attackers and lone wolf hackers
Cyberattacks from nation-states are accelerating and adding a dangerous new element to the security landscape, while threats from independent hackers are also becoming more perilous.
We see a growing concern from Russian state actors as they become more desperate in their ongoing war against Ukraine. They will likely try to inflict greater pain, so the best security strategy is to reinforce the protection of the most critical infrastructure against attacks.
However, the biggest U.S. nation-state cyberattack threat comes from China, which has set a goal to dominate 20 major global industries. The fastest way to achieve that goal is through cyber espionage to gain access to intellectual property, chip designs, healthcare information, and more. That is absolutely something we must pay attention to.
At the other end of the spectrum from the threat of nation-states, don’t underestimate a 14-year-old lone wolf hacker who can also infiltrate and compromise your environment and cause lasting damage. We have already seen this play out through social engineering attacks at Uber, Twitter, and elsewhere. With the proliferation in access to the cloud, automation, and shared software repositories, it has never been easier to be a successful bad actor.
#3: Advice for security leaders in 2023: beware the human element
Organizations that fail to address the human element of security will suffer because security training is not effective enough to protect users from all the types of unrecognizable attacks.
My advice is to protect the human side of your security posture because the most unprotected part of your IT stack involves your employees and partners, including third-party contractors. Security training is focused on the people side of the business, but these attacks are now so sophisticated that it’s not realistic to expect users to detect malicious intent with training alone. Training is necessary but it should not be the only line of defense. That’s why we need to augment user security training by putting stronger AI controls in place. Just remember that your people are your most attacked vector and the most unprotected aspect of your security posture. You simply cannot train these kinds of attacks out of users.
#4: Mobile workplace trends will create new blind spots for enterprises
Personal communication channels (gaming, LinkedIn, WhatsApp, Signal, Snapchat, etc.) will play a much bigger role in the attack paths that bad actors engineer to target businesses. Once an individual user is compromised, the bad guys can move laterally to get to the business. And because email has at least some protections in place today, cybercriminals are turning more attention to these other communications channels instead and seeing much higher success rates.
The biggest gaps in security postures come from the personal data of employees in the newly hybrid workforce. These blind spots are becoming more readily apparent as organizations adopt new channels for personal messaging, communications, and collaboration. Attackers are targeting employees through less protected personal communication channels, like WhatsApp, Signal, Gmail, Facebook Messenger to perpetrate an attack. Then it just becomes a matter of penetrating laterally through the organization from their external foothold.
Also, more people are working on the same device for their business tasks and their personal life at the same time now, which is a significant blind spot. I only see that trend accelerating in this coming year. It all comes back to how do I validate that you really are the person who I am communicating with? Or is this the trusted file or corporate website link that I assumed it was?
The single biggest threat to any company is not machine security anymore – it is truly the human security factor. That is why these attacks on humans will continue to increase because humans are fallible and they get distracted, and many threats are not easily identified as malicious.
#5: Security risks will only grow in the economic downturn
Don’t expect major cuts to security budgets in the coming year as the risks from cyberattacks continue to rise.
At a high level, we should expect a downturn in overall IT spending as the economy tightens. But even despite the downturn, security is so important that it will continue to drive its current spending levels to combat the risks from increasing threats.
One of the key security challenges involves ransomware, which remains a board-level topic. With ransomware, it is not a matter of if it will strike – it is only a matter of when. Solving this problem will require putting more proactive mitigation controls in place to be prepared before an attack occurs. In fact, the number one cause of ransomware starts with phishing at the user level. Protecting the human element from spear phishing, credential stealing, and business email compromises can greatly reduce the chances of ransomware.
Another critical area of concern involves the danger of an insider threat, which is even more problematic in a downturn. CISA defines an insider threat as the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. Disgruntled employees may gain access to protected information before leaving their company, and then take the data or credentials home with them. However, insider threats do not always come from disgruntled employees, as they often stem from unintentional mistakes. At the end of the day, the security policy should always be to not trust anything, and to verify everything.
Also, in addition to building better security controls, security teams should emphasize the need for security insurance policies. Most companies are given almost unlimited budgets to react to cyberattacks after the fact, but they get much smaller budgets to put proactive security measures in place before an attack occurs. Taking a proactive approach is comparable to preventing a heart attack before it happens by eating well and exercising.
One final point about security in a downturn – we will see more cases of fraud and scams attempted on the personal side of communications as well as the business side, through business email compromises and business text compromises. This could involve cases such as asking users to change their personal bank account info, or to call a toll-free line to give up protected information. We expect these kinds of attacks to become more weaponized in the coming year.
#6: Increase in scams abusing fear, uncertainty and doubt in a down economy
Seniors are increasingly targeted by phishing scams to take advantage of their relative lack of technical computer skills and limited awareness about this new wave of security threats.
The FBI recently published a significant scam report about cryptocurrency frauds that target seniors, and we expect to see this trend accelerate in the coming year as we move into an economic downturn and recession, which will lead to still more desperation. Unfortunately, more seniors will fall prey to these kinds of get-rich-quick schemes as crypto scams from bad actors become more prevalent.
In addition, service providers like GoFundMe will have an increased responsibility to verify the legitimacy of campaigns on their sites by putting in more brand protection controls. This goes back to how do you verify and validate if this is a real user, real campaign, or real piece of information on the site? We may even see government regulation start taking shape to enforce this responsibility.
