Cyberspace in 2023

by Mark Rowe

We made it! We got to the end of 2022, and while most cybersecurity vendors will use this time to make predictions on what the year ahead has in store for us, we at Barrier Networks are cranking things up a notch, writes Jordan Schroeder, managing CISO at the cyber resilience product company.

We’re not going to be gazing into a crystal ball, and we certainly won’t be calling in Mystic Meg. Instead, we’re going to use our expertise and ear-on-the-ground knowledge to take a stronger stance and share with the world what we think will inevitably happen in cyberspace in 2023.

But, before we get into that, let’s first discuss what happened in 2022…

Let’s just say we didn’t get here without any war wounds. Businesses large and small were hit with devastating attacks that left them debating the stability of their future, while ransomware criminals upped the ante with a tsunami of attacks that netted them millions and cost organisations billions.

Let’s be honest though, this will be the same next year. Cybercriminals aren’t backing down, but the good news is neither are defenders.

As a result, 2023 is going to be about the three Rs. You know the ones: Regulation, Regulation … and Relationships.

Want to hear more? Let us divulge …

Regulation: Tracking of Software Bill of Materials (SBOMs) across the supply chain

Remember Log4J? Well, if that incident taught us anything, it’s the importance of knowing what code you are running, and what code makes up your supply chain.

In 2023, we are likely to see the UK draft new regulation to hammer down on SBOMs in a GDPR-level style. This will be built on the American Executive Order from 2021 and the subsequent work by NIST to support it.

Organisations will be required to understand every component of the products they pass on to customers, and to pass that knowledge to the next step in the supply chain. They will then need to share this with their partners and suppliers. This will make it much easier to patch vulnerabilities quickly, and it will also significantly improve supply chain resilience.

Organisations will also have to implement properly constructed SBOM libraries so they can understand what tech they are using and have a consistent and easy way to patch and mitigate bugs, while ultimately minimising their cyber risk.

Regulation: MSSPs will implement a minimum level of security for their customers

In the last few weeks, the European government has announced the launch of the NIS2 Directive. The regulation scope has been expanded to cover Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) as “essential entities”. This means these companies, including Barrier, will be held to a higher standard for how they run their business.

But in addition to this increased standard, we will start to see MSPs and MSSPs offer a baseline of secure-by-design services so that the services used by their customers meet established security standards, by default.

To do that, MSPs and MSSPs will need to be transparent in what security they offer, and do not offer, in each of their services so that customers can know where the gaps are, instead of assuming that the MSP/MSSP will just handle all possible security issues.

Right now, too many customers are making too many assumptions about their MSP/MSSP security, and you know the old adage, “when you assume, you make a mess out of your and my assets”.

Relationships: Industries will unite to improve their cyber resilience

We are seeing slowly improving security standards and regulations. NIS2 has recently been released, ISO 27001 and Cyber Essentials have had new versions this year, and NIST Cyber Security Framework (CSF) version 2 is due to be released soon.

However, despite these improvements, organisations are feeling uncertain about their practical security, and many are seeing the need for deeper and more stringent standards to combat the unrelenting tide of cyberattacks across all sectors.

In response, some sectors, like industrial organisations, are going to work together to build on existing standards and regulation and make even more improvements to their security defences, as a sector.

These organisations will pull together, much like the aviation and finance industries have been doing for years, to learn more about the threats they are facing and work together to understand how they can better defend their networks against attacks as a collective.

So, there you have it. These are our security inevitabilities of 2023.

Much like cyberattacks, these aren’t an if, they are a when.

Best get prepared now.

© 2024 Professional Security Magazine. All rights reserved.