The past 12 months have been a trying time for cyber security professionals globally. Most notably, they’ve had to contend with a rise in cyber attacks linked to the war in Ukraine.
At the same time, a global recession has resulted in mass layoffs across the technology industry. Consequently, cyber security departments are increasingly understaffed and burned out.
With a new year just around the corner, many cyber security professionals are reflecting on the challenges they’ve faced over the past year and coming up with lessons on how to improve in 2023.
Jake Moore, global cyber security advisor at ESET, believes events such as the war in Ukraine and mass layoffs offer the biggest learning opportunities for cyber security professionals.
“For 2022, I think the majority of infosec professionals have noticed that resilience is not just a term used in cyber security, but also a term used to describe the ups and downs across the whole industry as a whole,” he says. “From working together trying to mitigate the impact of a cyber war coming out of Russia, right through to tech layoffs across multiple organisations including the all-important security departments.”
He says cyber security professionals, many of whom work for overstretched departments, have displayed “a remarkable level of resilience” in the face of increased uncertainty and constantly evolving cyber attacks.
With this in mind, his biggest lesson is to “expect the unexpected more than ever”. “Nothing in this industry can ever be predicated, but learning is key to the future of its success,” he says.
Don’t always trust popular cloud apps
People must remember that popular cloud apps aren’t always trustworthy and can be breached by cyber criminals, according to Netskope EMEA chief information security officer Neil Thacker.
In 2022, he saw many instances of cyber criminals using apps such as OneDrive, GoogleDrive, GitHub, Box and Dropbox to distribute malware and command-and-control (C2) services.
“Too many organisations continue to allow direct access to these services, without providing any form of inline security control to identify when these are being used and if it is for malicious purposes,” he says.
“The lesson to be learned here is that traffic both to and from cloud apps [software as a service] and cloud infrastructure [infrastructure as a service] must be secured and inspected to identify this type of attack vector and mitigate the risks.”
Phishing goes beyond email
Another lesson from Thacker is that organisations shouldn’t just rely on simulation exercises and email security to mitigate phishing attacks. He says these two methods aren’t effective enough on their own.
This is because cyber criminals are increasingly using genuine cloud app links to direct employees to spoofed login pages, tricking them into entering their user names, passwords and MFA information. Cyber criminals even convince many employees to provide access to data through “imposter apps”.
“The lesson learned here is that phishing is no longer an issue confined to email security,” says Thacker. “Search engines, social media and blog sites, along with legitimate services such as Google Docs and Microsoft OneDrive, are all platforms being used in phishing campaigns.
“It’s therefore crucial that user education begins at the initial click point and happens ‘just in time’. Phishing simulations and email security can be used to enforce the messaging on how to spot and report phishing attacks, but are not all-encompassing when it comes to training and counteracting new phishing methods in 2022 and beyond.”
Invest in modern network and security architectures
Over the past year, Thacker has also noticed that large numbers of organisations have accelerated network security and transformation projects in response to “high inflation, scarce talent and global supply chain disruptions”.
“The triple squeeze [inflation, talent shortages and supply chain issues] in 2022 has meant organisations have been pushed to consolidate and converge their legacy network and security equipment to find efficiencies,” he says
“As companies prepare for a global recession, and the additional risks that come with economic challenges, it’s important to be able to scale up, or scale down network and security spend.”
Thacker says the lesson to learn here is that organisations can aid network and security transformation initiatives through the use of modern network and security architectures, such as Secure Access Service Edge (SASE).
“This can include reducing risk, improving productivity among employees and driving cost efficiencies during a particularly uncertain economic environment,” he adds.
Get the basics right
Threat actors are constantly devising new, sophisticated ways of launching cyber attacks on organisations and individuals, and perhaps this has led many cyber security professionals to “focus on cool vulnerabilities”, according to Forrester senior analyst Tope Olufon.
But he believes this shouldn’t come at the expense of cyber security basics such as asset management, patch management and audits. His biggest lesson of 2022 is that getting the basics right is the “bedrock of effective cyber risk management”.
He also encourages cyber security professionals to increase their understanding of new technologies, while sentiment, culture and personality need to play an even bigger role in security design.
Olufon also recommends that security professionals work more with their peers in the IT department and other people throughout the business. “Jamie the network engineer likely has context you do not, and listening will make your life easier,” he says.
Privacy is essential
Privacy has always been a crucial part of cyber security, but Rebecca Harper, head of cyber security analysis at compliance specialist ISMS.online, believes it’s the “only future of information security”.
“With numerous countries adopting stricter data privacy regulations, the move towards a privacy-first approach is quickly becoming a necessity,” she says. “For example, Google is phasing out third-party cookies in 2023, while Apple has developed privacy protection features since App Tracking Transparency in iOS 14.5.”
In 2023, she expects privacy legislation to have an even bigger impact on the information security strategies of businesses and governments across the globe.
Harper’s lesson is that privacy is “essential for re-building consumer trust”. “As the demand for privacy intensifies, so do the consequences of violating privacy,” she says. “Not only are there fines from new laws, but brand perception – and therefore potential sales – are at risk every time privacy is violated.”
Considering that cyber attacks are always increasing in number and complexity, it’s understandable how IT security professionals can feel stressed and burned out.
Rick Hemsley, cyber security leader at EY, says business leaders need to understand the pressure faced by cyber security professionals and the impact this can have on their daily lives.
“Teams need to be able to not just track and measure threats, which is leading to cases of stress and burnout, but instead have the tools to proactively spot and manage them,” he says.
Hemsley also believes the best security leaders will take steps to better understand and improve the operating models of their departments.
“They are thinking about how their teams are structured, what are appropriate staffing levels, talent development, and how they deliver in-house, co-source and outsource,” he says.
“These security leaders are also starting to have more data-driven conversations with the C-suite and stakeholders, using threat intelligence aligning it with business strategy, which is allowing them to instead become a catalyst for trusted change.”
Hemsley argues that for businesses looking to innovate sustainably and quickly, they must put cyber security at the heart of all digital transformation initiatives. He explains that “the opening of this new dialogue between the IT teams and the C-suite will be critical moving forward”.
Improving cyber resilience
As the cyber attack surface grows, there’s an increased need for organisations to shore up their IT security defences and improve their resilience to cyber attacks.
António Vasconcelos, technology strategist at SentinelOne, says organisations must be able to contain, minimise, mitigate and recover from cyber attacks efficiently.
“This resilience includes protecting your most valuable assets, like personal identifying information and IP, reducing supply chain disruption, and managing damage to your reputation.”
But Vasconcelos warns businesses that they can’t simply buy cyber resilience. Instead, this is something they must earn.
“Although it will mean different things to different organisations, a few core principles hold true,” he says. “This includes segregating and segmenting higher-value assets from common ones, adopting a least privilege principle or always verify before trust protocol, and breaking the silos of compartmentalised security.
“Frameworks like ZTNA and XDR are accelerators and enablers for organisations to walk the right path to achieve the cyber resilience they need to tackle threats today and tomorrow.”
The year 2022 has been challenging for the entire cyber security industry, and as the Ukraine war and global economic turmoil show no signs of slowing down any time soon, it’s clear that 2023 will pose similar challenges for cyber security professionals. Hopefully, however, these lessons can help them strengthen their defences going forward.