
Where to focus your cyber security defenses in 2023

News emerged over the Christmas break of a cyber security breach at one of the last places anyone would expect that to happen. Password security management app LastPass disclosed it was itself the victim of a cyber security breach, exposing the defenses of its 33 million users.

CISOs probably weren’t expecting life to get any quieter in 2023, but now they know they are in for another bumpy ride. Threat vectors needing immediate attention are so varied that Fujitsu has isolated the key factors cyber security leaders should have high on their priority lists for 2023. We predict particular difficulties for CISOs from phishing attacks and IT/OT integration headaches. And the growing trend to bundle cyber security into cloud offerings may be causing more pain than it solves.

Phishing thrives in a permacrisis

In 2023, expect to see organizations big and small compromised as they grapple with crises both in and outside the inbox.

It’s a mistake to think that attackers are sitting in the shadows, sending out random phishing emails. However much we may dislike the consequences, the reality is that phishing is someone’s day job, and they give it a high level of professionalism and attention to detail. The canniest attackers are looking for email subjects that will trigger an emotional response and cause recipients to bypass normal precautions. The classic example is an email from the tax authorities. Most people, it seems, have a lurking concern about taxes. An email that triggers this fear can result in a momentary lapse of attention and a misplaced click.

With so much going wrong in the world, there is no shortage of new ways for attackers to press our buttons. And new ways of automating email writing – using OpenAI’s GPT engines, for example – make this an attack vector that will only grow.

In the permacrisis of the last few years, phishing campaigns have been carefully crafted around significant events – Hurricane Harvey, Brexit, the 2016 US presidential election, and the earthquake in Haiti. These all gave attackers a theme that would resonate with millions of people and gave victims a timely and often plausible reason to click on dangerous links.

Anxiety levels in society are not receding: the lingering effects of the pandemic, the war in Ukraine, strikes, the increasing cost of living and a climate crisis. These and more provide attackers with continuous bait to lure their victims.

Employers are in a tricky position here. They must train employees to realize the dangers without causing alarm and distress. Strikes and pay claims are currently popular phishing topics. An email announcing a breakthrough in negotiations is likely to get around many people’s mental shields. So much so that some employers have been using this as a way of training employees to be more vigilant.

But beware – the backlash can do considerable damage to your reputation, as West Midlands Trains discovered when it emailed 2,500 employees about a one-off thank-you payment for handling the stresses of Covid. Anyone clicking the link received a message that it was a company-designed “phishing simulation test”, and there was no bonus.

Anti-phishing training is important, but getting the balance right between authenticity and scaremongering requires careful thought.

IT/OT – the end of a false dichotomy

We predict that 2023 will be when large organizations finally stop thinking about IT and OT as separate things.

The separation is historical – go back 30 years and lots of workplace equipment was not connected to anything else and the internet barely existed. OT was something very different from IT. But it’s time to consign the division to history. Very few businesses expect to thrive into the second quarter of the 21st century by shutting themselves off from the valuable data generated by their operating technologies.

The reason for the reluctance is that there are risks. Connecting opens up new cyberattack vectors, and these are already being exploited. And where operations and IT are heavily demarcated, still true in some medium- and smaller-sized organizations, security best practices still need to become standard procedure.

Does it really matter? Yes. Insight from analytics run on operational data is essential to meet multiple commitments. For example, you need to aggregate data from every operational activity to understand your real carbon footprint. Carbon pricing is going to make this increasingly important to get right. Canada’s minimum national price on carbon pollution is currently $65 per tonne of CO2e and is increasing by $15 per year to reach $170 per tonne of CO2e in 2030.

Getting over the conceptual hurdle between the two Ts is not always straightforward. The roots of the IT/OT divide go back decades and are snarled up inside many organizations, where cultural and generational barriers are hard to change. 2023 is the year for CISOs to grasp this nettle. What “OT” equipment do you have that is connected and therefore likely to be vulnerable, and what is not yet connected but should be? Accepting organizational turf disputes as a reason for living with the status quo is no longer viable.

Public cloud “one-stop-shops” now include cybersecurity – but cost and complexity concerns will remain in 2023

Cloud adoption has its own inexorable momentum. But what we are seeing now – and we predict this will be a strong trend in 2023 – is the decision by customers to use cybersecurity tools offered by the big public cloud vendors to create a sort of one-stop-shop. Apps, data, infrastructure, cybersecurity – increasingly all in one place.

It makes sense, provided you know what you are getting into. As with cloud adoption, skills shortages and costs have much to do with it. Setting up viable cybersecurity and keeping it up to date is difficult – and the skills needed are especially thin on the ground. That makes the temptation to click the pick-and-play check-boxes for SIEM, SOAR, MDR and others very great.

For example, Sentinel is Microsoft’s Security Information and Event Management (SIEM) offer on Azure. Palo Alto is emphasizing eXtended Security Intelligence and Automation Management, or XSIAM. Both are consolidating cybersecurity services into unified offerings, as is AWS, whose Security Hub provides SOAR (Security Orchestration, Automation and Response) capabilities, among others.

The risk is that customers anticipate these services falling into place in the same way as extra storage space. That’s not how it works. Cloud security environments come with steep technical learning curves and complex pricing systems. A typical pricing scenario is that you pay for logs ingested, storage, analysis, automation on top, and more when you connect VMs. And that’s all before adding a managed service offering.

Complexity can be a killer too. Getting cybersecurity services running effectively requires experienced architects who are just not out there right now. Without the right support, customers will struggle to deliver secure environments and costs will mushroom out of control as it becomes clear that one service requires another, which requires another still.

As a result, the rise of companies offering services to monitor these products will continue. What we are already seeing — and there will be more of this in 2023 — is the acquisition by larger cloud and IT services vendors of smaller security firms specializing in things like cloud MDR and SIEM services and with the necessary specialists on board to deliver.

In 2023, the search for apparent simplicity means that cloud providers offering single panes of glass and multiple security offerings in a single location will continue to pick up new customers as contracts expire with traditional vendors. It remains to be seen whether this move will be quite as savvy as purchasers hope.


Written by

John Swanson

Global Security Portfolio lead at Fujitsu
