The past 12 months have been a challenging time for cybersecurity professionals around the world. In particular, they have had to deal with an increase in cyberattacks linked to the war in Ukraine.
At the same time, a global recession has led to massive layoffs in the tech industry. As a result, cybersecurity departments are increasingly understaffed and burnt out.
As a new year approaches, many cybersecurity professionals reflect on the challenges they’ve faced over the past year and offer lessons on how to improve in 2023.
Jake Moore, Global Cybersecurity Advisor at ESET, believes that events such as the war in Ukraine and mass layoffs provide the greatest learning opportunities for cybersecurity professionals.
“For 2022, I think the majority of infosec professionals have noticed that resilience is not just a term used in cybersecurity, but also a term used to describe the ups and downs of the industry as a whole,” he says. “From collaborating to try to mitigate the impact of a cyber war coming from Russia, to tech layoffs across multiple organizations, including top security departments.”
He says cybersecurity professionals, many of whom work for overstretched departments, have shown a “remarkable level of resilience” in the face of heightened uncertainty and ever-evolving cyberattacks.
With that in mind, his biggest lesson is to “expect the unexpected more than ever.” “Nothing in this industry can ever be predicted, but learning is key to its future success,” he says.
Don’t always trust popular cloud apps
People should remember that popular cloud applications are not always reliable and can be hacked by cybercriminals, according to Neil Thacker, information security manager at Netskope EMEA.
In 2022, he has seen many cases of cybercriminals using apps like OneDrive, Google Drive, GitHub, Box, and Dropbox to distribute malware and command-and-control (C2) services.
“Too many organizations continue to allow direct access to these services, without providing any form of online security checks to identify when these are being used and if it is for malicious purposes,” he says.
“The lesson here is that traffic to and from cloud applications [software as a service] and cloud infrastructure [infrastructure as a service] should be secured and inspected to identify this type of attack vector and mitigate risk.”
Phishing goes beyond emails
Another lesson from Thacker is that organizations need to go beyond tabletop exercises and email security to mitigate phishing attacks. He says that these two methods are not effective enough on their own.
Indeed, cybercriminals are increasingly using genuine cloud application links to direct employees to fake login pages, tricking them into entering their usernames, passwords, and MFA credentials. Cybercriminals even convince many employees to provide access to data via “impostor apps”.
“The lesson learned here is that phishing is no longer a problem confined to email security,” says Thacker. “Search engines, social media and blogging sites, as well as legitimate services such as Google Docs and Microsoft OneDrive, are all platforms used in phishing campaigns.
“So it’s crucial that user training starts at the initial click point and happens ‘just in time’. Phishing simulations and email security can be used to apply messages on how to detect and report phishing attacks, but are not exhaustive when it comes to training and countering new methods of phishing in 2022 and beyond.”
Invest in modern network and security architectures
Over the past year, Thacker has also noticed that many organizations have accelerated network security and transformation projects in response to “high inflation, talent scarcity, and global supply chain disruptions”.
“The Triple Squeeze [inflation, talent shortages and supply chain issues] in 2022 has meant organizations have been pushed to consolidate and converge their network and legacy security gear to find efficiencies,” he said.
“As businesses prepare for a global recession and the additional risks that come with economic challenges, it’s important to be able to scale up or down network and security spending.”
Thacker says the lesson here is that organizations can help network and security transformation initiatives through the use of modern network and security architectures, such as Secure Access Service Edge (SASE).
“This can include reducing risk, improving employee productivity and reducing costs in a particularly uncertain economic environment,” he adds.
Master the basics
Threat actors are constantly devising sophisticated new ways to launch cyberattacks against organizations and individuals, and this may have led many cybersecurity professionals to “focus on interesting vulnerabilities,” according to Tope Olufon, senior analyst at Forrester.
But he thinks that shouldn’t come at the expense of cybersecurity basics like asset management, patch management and auditing. His biggest lesson for 2022 is that getting the basics right is the “foundation of effective cyber risk management.”
He also encourages cybersecurity professionals to increase their understanding of new technologies, while sentiment, culture, and personality should play an even bigger role in security design.
Olufon also recommends that security professionals work more with their peers in IT and others in the company. “Jamie, the network engineer, probably has a background you don’t, and listening will make your life easier,” he says.
Privacy is essential
Privacy has always been a crucial part of cybersecurity, but Rebecca Harper, head of cybersecurity analytics at compliance specialist ISMS.online, believes it’s the “only future of cybersecurity.”
“With many countries adopting stricter data privacy regulations, moving towards a privacy-first approach is quickly becoming a necessity,” she says. “For example, Google is phasing out third-party cookies in 2023, while Apple has expanded privacy features since App Tracking Transparency in iOS 14.5.”
In 2023, she expects privacy legislation to have an even greater impact on the information security strategies of businesses and governments around the world.
Harper’s lesson is that privacy is “essential to restoring consumer trust.” “As the demand for privacy escalates, so do the consequences of breaching privacy,” she says. “Not only do the new laws provide for fines, but brand perception – and therefore potential sales – are at risk whenever privacy is violated.”
Fight against professional burnout
As cyberattacks grow in number and complexity, it’s understandable that IT security professionals can feel stressed and burnt out.
Rick Hemsley, head of cybersecurity at EY, says business leaders need to understand the pressure cybersecurity professionals face and the impact it can have on their daily lives.
“Teams need to be able to not only track and measure threats, which lead to stress and burnout, but also have the tools to proactively spot and manage them,” he says.
Hemsley also believes that the best security leaders will take steps to better understand and improve their departments’ operating models.
“They think about how their teams are structured, appropriate staffing levels, talent development, and how they deliver internally, co-source and outsource,” he says.
“These security leaders are also starting to have more data-driven conversations with the C-suite and stakeholders, using threat intelligence and aligning it with business strategy, allowing them to instead become a catalyst for a shift in confidence.”
Hemsley argues that companies looking to innovate sustainably and rapidly must put cybersecurity at the heart of all digital transformation initiatives. He explains that “the opening of this new dialogue between the IT teams and the C-suite will be decisive in moving forward”.
Improve cyber resilience
As the attack surface grows, businesses increasingly need to strengthen their IT security defenses and improve their resilience against cyberattacks.
António Vasconcelos, technology strategist at SentinelOne, says organizations need to be able to effectively contain, minimize, mitigate and recover from cyberattacks.
“This resilience includes protecting your most valuable assets, such as personally identifiable information and intellectual property, reducing supply chain disruptions, and managing damage to your reputation.”
But Vasconcelos warns companies that they can’t just buy cyber resilience. Instead, it’s something they have to earn.
“While that means different things to different organizations, there are a few fundamentals that hold,” he says. “This includes separating and segmenting higher value assets from common assets, adopting a principle of least privilege or always verify before trust protocol, and breaking silos of siloed security.
“Frameworks like ZTNA and XDR are accelerators and get organizations on the right path to achieve the cyber resilience they need to face the threats of today and tomorrow.”
2022 has been a tough year for the cybersecurity industry as a whole, and with the war in Ukraine and global economic turmoil showing no signs of slowing down any time soon, it’s clear that 2023 will bring similar challenges to cybersecurity professionals. Hopefully, however, these lessons can help them strengthen their defenses in the future.