John Stevenson, Senior Product Director at Cyren, looks ahead to 2023 highlighting the cracks in MFA, the skills gap, the emergence of cyber security compliance, and the need for layered email defence.
Cracks in multi-factor authentication
Phishing will remain an unsolved problem leading to countless account takeover attacks. As businesses enable MFA, phishers will update their tactics to defeat additional verification steps like one-time codes sent to phones or email addresses. So-called strong authentication methods that rely on mobile phones and email accounts (that were never intended to be identities) will be the first to prove insecure for high-risk use cases. Passwordless authentication won’t yet solve these issues due to insufficient lifecycle management solutions and incompatibility with legacy systems.
The skills gap becomes the skills chasm
The shortage of skills and labour in the cyber security space will worsen as businesses reduce their workforces in preparation for the economic downturn. Alert fatigue will increase for security and helpdesk analysts facing a steady stream of high-volume, low-quality alerts. Cyber security leaders will accelerate adoption of solutions that outsource and/or automate investigation and response to alerts. Automating incident response workflows is one of the more promising use cases for artificial intelligence, so look for that application of AI/ML to rapidly mature.
Cyber security compliance on the horizon
State and national governments tried to force good cyber hygiene by passing breach disclosure requirements like those found in GDPR, HITECH, and CA1386. In the US, the federal government is telegraphing its intention to require a baseline of cyber security practices by announcing the Cross-Sector Cyber Performance Goals. Cyber insurance issuers are also setting a higher bar for due diligence to avoid a breach. The political divisions within most large Western economies don’t create fertile ground for new comprehensive cyber security legislation in 2023, but look for governments to establish a common risk tolerance for critical industries rather than let these companies decide for themselves which risks are acceptable.
Layered email defence
Organizations are acutely aware that attackers know the best ways to slip past defences and lure distracted employees with social engineering emails. The age-old defence in depth approach will evolve beyond email filters and security awareness training to include additional layers of automated detection and response to hunt and eliminate targeted attacks like spear phishing and business email compromise, much as intrusion detection systems evolved in response to attacks that got past network firewalls, and endpoint detection and response evolved as malware authors learned how to evade detection by traditional anti-virus agents.