Written by Jon France, Chief Information Security Officer at (ISC)².
Cybersecurity awareness has its benefits and drawbacks, one of which is higher premiums for cyber insurance. The global cybersecurity insurance market is projected to be worth USD29.2 billion by 2027, up from USD11.9 billion in 2022. In Asia Pacific, the demand for cybersecurity insurance is only set to grow given the increase in fines due to non-compliance and regulatory developments. This is largely due to heightened awareness of the financial and reputational risks of cyber incidents such as ransomware attacks, data breaches, vulnerability exploitation and more.
At the same time, underwriters are also making requirements for obtaining cyber insurance much stricter, requiring things like two-factor authentication and adoption of specific technologies like EDR, XDR and more. These documents which used to be two-page questionnaires are now full audits and 12+ pages long. On that note, increasing cyber insurance premiums and stricter requirements to obtain insurance will be interesting hurdles to watch in 2023.
On the flip side, we’ll likely also see an increase in demand stemming from the rising incidence of supply chain issues. Because of these issues, companies will likely start requiring vendors or third parties they work with have some form of cyber insurance. With geopolitical issues spilling out across borders coupled with cyber threats companies are constantly facing, companies are going to prioritize protecting their most critical assets (including their reputation). Demand for cyber insurance will continue to increase, as will prices and requirements for obtaining these policies next year.
Quantum implications are here and will be painful to adapt to in 2023
Making infrastructures quantum-resilient is going to be more difficult than imagined, both for the public and private sectors. One major area of concern when it comes to quantum is national security. Governments have secrecy policies that last for decades. Some of those policies might be threatened by quantum computing as the technology evolves, with much of the information under these policies being transmitted (and potentially captured in encrypted form) with algorithms that may not be quantum safe. Within the next 5-10 years, quantum technology will likely become commercially available. This can be a real threat to past and outdated encryption algorithms, many of which are used to conceal the nation’s top secrets.
Quantum computing is going to be able to overcome complex roadblocks at speeds that will render multiple forms of current encryption useless. For the private sector, trade secrets, intellectual property, financial data and more are at the same risk if a bad actor gets their hands on quantum computing capabilities and breaks the encryption keeping critical assets under lock and key. While building cyber resilience in preparation for quantum technology could have started a decade ago, now is the second best time. In 2023, we’ll see both the private and public sector’s increased awareness around the challenges associated with quantum resilience. We’ll also see efforts begin to take hold more significantly to prepare for quantum computing. Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing.
Wiperware attacks will increase
Although wiperware, ransomware’s close cousin, has been around for nearly a decade now, we saw a drastic increase in the number of wiperware attacks in 2022. The motivation behind wiperware is almost always to sabotage victims, especially during times of war, as we see with Russia and Ukraine. Seven different types of wiperware have been used to attack Ukrainian organizations in attempts to weaken their abilities to conquer Russia. We can anticipate a rise in nation-state-motivated wiperware attacks in 2023 as the Russia/Ukraine conflict continues, and we can expect to see other nations utilize these attacks in future conflicts now that they’ve become more prevalent on the global scene. Additionally, with the rise in wiperware, there’s likely to be a rise in phishing attacks, given that it’s the most common vector for distributing ransomware and wiperware.
The industry will continue to underestimate the importance of securing OT infrastructure
Operational technology is one of the highest-targeted and lowest-prioritized technology areas out there. OT is low-hanging fruit for attacks and is so ingrained in critical infrastructure systems that are struggling to keep up with the pace of change in cybersecurity. These systems have more tangible, real-world impacts on broader populations than traditional IT systems, yet many are built on legacy systems that have long life/replacement cycles and are outdated quickly, and are often dangerous to patch or “unpatchable” in the first place. This is an obvious attack surface for hackers, especially nation-state actors because incidents can have far-reaching, physical effects. The tensions rising in the Russo-Ukrainian war and in China and Taiwan only exacerbate the potential threat against OT systems. Securing these systems doesn’t mean forcing “new” technology onto the systems. It’s not about zero trust or having more regulations or more patching requirements. It’s about increasing visibility into assets, implementing mitigating controls and building resiliency plans. This is to help mitigate downtime and impact if the worst happens. In 2023, we’re likely to see the industry continue to misconceive what is needed to secure these systems and witness a major attack on critical infrastructure because of it.
The recession will cause a reduction in spending on training programs
Despite the idea that cybersecurity may be a recession-proof industry, it’s likely that personnel and quality will take a hit during the economic downturn. We’re not seeing core budgets for cybersecurity being cut as of now, but the more ‘discretionary’ areas, such as training budgets, are likely to see scalebacks. This goes for both security awareness training at companies of all sizes and training cybersecurity professionals on how to adequately protect their critical assets. The industry is already facing a skills shortage and unfortunately, we’re likely to see that skills shortage worsen as the recession takes hold in 2023 due to the increased demand for skilled cybersecurity workers.
