Each year, I review cybersecurity statistics and emerging trends and provide and research potential implications for industry and government from the data. While cybersecurity features and awareness appear to be improving, unfortunately, the risk and sophistication of cyberattacks fit those advances.
The Digital Ecosystem 2023
The emerging virtual ecosystem is treacherous. In today’s virtual environment, each and every company is now an available target, and each and every company, large or small, has operations, brands, reputations, and profit pipelines potentially threatened by a breach.
By 2023 and beyond, the focus will need to be on the surface and cyberattack vectors to figure out what can be done to mitigate threats and resilience and recovery. As user interest increases dramatically, so do threats. As the metaverse comes online, it will serve as a new vector of exploitation. Artificial intelligence and device learning, although it is better for studies and studies (i. e. ChatGPT). However, hackers can also use AI equipment for complex attacks. Deep fakes are already being implemented and bots continue to proliferate. And the geopolitics of Russia’s invasion of Ukraine has highlighted critical infrastructure vulnerabilities (CISA Shields Up) across threats from geographic regions, adding more DDS attacks on Internet sites and infrastructure. What was most worrying was the hacking of a Ukrainian satellite.
Here are some initial statistics about the virtual ecosystem to consider: According to a survey conducted by the Deloitte Center for Controllership. “In the last 12 months, 34. 5% of executives surveyed say their organization’s accounting and financial knowledge has been attacked by cyber adversaries. Within this group, 22% have experienced at least one such cyber occasion and 12. 5% have experienced more than one. Accounting and financial knowledge to accumulate in the coming year. And yet, 20. 3% of respondents say their organization’s accounting and finance teams work a lot and consistently with their peers on cybersecurity. » Nearly a portion of executives expect cyberattacks targeting accounting and other systems Nearly a portion of executives expect cyberattacks targeting accounting and other systems (northbaybusinessjournal. com)
Cyber trends:
AI, concept of synthetic intelligence, 3d rendering, conceptual image.
AI and ML have a huge impact on the cyber ecosystem in 2023 and beyond
International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23. 6% and will reach a market value of $46. 3 billion by 2027 VentureBeat
My perspective: AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically, it can (and is) used to help protect against complicated and malicious malware, ransomware, and social engineering attacks. The contextual reasoning functions of AI can be used to synthesize knowledge and are waiting for threats.
They enable predictive analytics to draw statistical conclusions to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster way to identify new attacks, extract statistical inferences, and transmit that data to endpoint security platforms.
While AI and ML can be vital equipment for cyber defense, they can also be a double-edged sword. While they can be used to temporarily identify risk anomalies and cyber defense capabilities, they can also be used through risk actors. Opposing nations and thieves hackers are already employing AI and IM as equipment to locate and exploit vulnerabilities in risk-detection models.
Cybercriminals are already employing synthetic intelligence and device learning equipment to attack and explore victims’ networks. Small businesses, organizations, and especially healthcare establishments that are unable to make significant investments in emerging defensive cybersecurity technologies, such as AI, are the most vulnerable. Extortion through hackers employing ransomware and non-easy payment through cryptocurrencies can become a more persistent and evolving risk. The expansion of the Internet of Things will create many new targets for bad guys to exploit. There is a pressing need for industry and government to perceive the implications of emerging cyber risk. teams that come with AI and ML and to strengthen against attacks.
Also check out FORBES’ recent article on 3 key synthetic intelligence programs for cybersecurity, which adds network vulnerability tracking and risk detection, incident diagnosis and response, and cyber risk reporting programs. Cyber Threat Intelligence: Three Key Applications of Artificial Intelligence for Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux Three Key Synthetic Intelligence Programs for Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux (forbes. com)
Cybercrime and cyber statistics will be explored in 2023
Close-up of a summary design of a screen, warning of a cyberattack. Multiple Array. lines. [ ] of hexadecimal code are interrupted by red warnings and single-character exclamation points. The symbol can constitute threats in the virtual world: knowledge, theft, knowledge leakage, security breach, intrusion, etc.
Cybercrime is developing exponentially. According to Cybersecurity Ventures, the cybercrime charge is expected to succeed at $8 trillion by 2023 and $10. 5 billion by 2025. See: eSentire | Official Cybercrime Report 2022 There are many points driving such expansion and some of them will be explored in more detail below.
Generation of background summary of software developer programming code and PC script
Open vulnerabilities discovered in 84% of codebases
Start with open source code. Unfortunately, according to Synopsys researchers, at least one open source vulnerability was discovered in 84% of the codebases. Code, this remains a vital cybersecurity factor to solve.
The report noted, “Open source in almost everything we saw this year; It made up the majority of codebases across industries,” the report said, adding that the codebases contained a troubling number of known vulnerabilities that organizations had not patched. leaving them vulnerable to exploits. All of the revised code bases of corporations in the aerospace, aviation, automotive, transportation, and logistics industries contained open source code, and open source code accounted for 73% of the total code. “
As vital as threats related to open source code are, they can be detected through penetration testing and especially through patches. The report revealed that the patches are obviously not being applied. Threat assessments, 91% contained replaced versions of open source components, meaning an update or patch had not yet been applied. “
See: At least one open source vulnerability found in 84% of codebases: Report At least one open source vulnerability found in 84% of codebases: Report | Online CSOs
Hackers exploit code vulnerabilities and open source vulnerabilities through zero-day exploits. Recently, a ransomware gang used a new zero-day flaw to search for borrowed information on 1 million hospitalized patients. Community Health Systems (CHS), one of the largest providers in the United States with nearly 80 hospitals in 16 states, showed this week that hackers have accessed the private and fitness data of up to 1 million patients. The Tennessee-based fitness giant said in a filing with government regulators that the knowledge gap came from its use of popular record-moving software called GoAnywhere MFT. Clop claims to have hacked 130 organizations en masse, adding a network of U. S. hospitals. U. S.
My opinion: As a solution to prevent exploiting vulnerabilities and keeping open source code up to date, the report suggests that organizations use a software nomenclature (SBOMS). I agree, in addition to penetration testing, SBOMs are a vital way to map systems and organize yourself to be more cyber-secure. An SBOM is necessarily a list of ingredients that make up the parts of the software and serves as a formal record containing the main points and relationships of the source chain of the parts used in the construction of the software. I wrote a lot about this in a previous FORBES article.
In the article, Dmitry Raidman. CTO, from a company called Cybeats, presented information on the use cases of SBOMS express. They come with software provenance and pedigree transparency, ongoing security threat assessment, access and sharing with the visitor who can access and what knowledge can be seen, correlation of threat intelligence knowledge, investigation of software composition licenses and policy enforcement, end-of-life tracking of software components, SCRM: supply chain threat control and source chain filtering, repository and orchestration of SBOM documents, power in Query and retrieve knowledge.
Clearly, SBOMS is a way forward to detect and fix open source vulnerabilities in code. See: Strengthening Cybersecurity Risk Management with SBOMS Strengthening Cybersecurity Risk Management with SBOMS (forbes. com)
PHISHING button on PC keyboard
Phishing Still a Focus for Hackers in 2023
Phishing is still the tool of choice for many hackers. Phishing is commonly explained as a strategy by hackers to filter your valuable knowledge or spread malware. Anyone can be fooled through targeted phishing, especially when it appears to come from a clever non-public email in the paint chain, or from a bank, organization, or website you frequent.
Technological advances have made phishing less difficult for hackers. They can easily use numerical graphs, apply social engineering knowledge, and a wide variety of phishing tools, some of which are automated through device learning. Phishing is accompanied by ransomware and one tactic for hackers is to target executives of companies or organizations (spear-phishing), as they regularly have greater access to valuable knowledge and prepare targets due to lack of training.
According to Lookout, the highest cell phishing rate in history was recorded in 2022, with a portion of the world’s cell phone owners exposed to a phishing attack every quarter. The Lookout report was based on Lookout’s analysis of data from more than 210 million devices. , 175 million apps, and 4 million URLs in one day. The report notes that “non-email-based phishing attacks are also proliferating, with vishing, smishing and quishing (QR code phishing) expanding seven-fold in the last quarter of 2022. And that “the damage can be colossal for companies that fall victim to mobile phishing attacks: Lookout has calculated that the potential annual monetary effect of mobile phishing on an organization of 5,000 workers is only about $4 million.
The report also notes that “cybercriminals have most commonly abused the Microsoft logo in phishing attacks, with more than 30 million messages employing their logo or mentioning products such as Office or OneDrive. 6. 5 million attacks); DocuSign ($3. 5 million); Google (2. 6 million); DHL (2 million) and Adobe (1. 5 million).
See: Record number of mobile phishing attacks in 2022 Record number of mobile phishing attacks in 2022 – Infosecurity Magazine (infosecurity-magazine. com)
3D rendering Bright text Ransomware attack on pc. spyware chipset, malware, Trojan virus, Array. . [ ] Hacker attack concept
Ransomware and phishing: The current state of cyber business is alarming, as ransomware attacks are expanding only in number, but also in monetary and reputational terms for businesses and organizations.
Currently, ransomware, basically phishing activities, is the biggest risk to the public and
private sectors. Ransomware hackers to take computers and even entire networks hostage to make electronic money payments. In the recent case of Colonial Pipeline, a ransomware attack disrupted power materials on the East Coast of the United States.
“In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected. Only 50% of those organizations controlled regaining consciousness after paying the ransom. In addition, just over 66% of respondents reported having multiple infections remotely. ” See: New Cyberattack Tactics Accumulate as Ransomware Bills Accumulate New Cyberattack Tactics Accumulate as Ransomware Bills Accumulate | Online CSOs
My opinion: Since most of us now do our private jobs and errands on smartphones, this is alarming information. But there are remedies. Training painters to identify potential phishing emails is the first step to prevention, but many apparent signs, such as misspelled words and poor grammar, are no longer present. Scammers have more complications and painters will have to stick to the new paradigm.
However, human error is inevitable and some staff members make mistakes and fall victim to phishing. The backup formula at this point deserves to come with automated formulas that can compartmentalize worker access and lessen damage if a worker’s account is compromised. The most productive way is to identify and control your company’s administrative privileges. You can limit workers’ access or require two [authentication] steps before they pass there. Many corporations also ban certain sites that staff can’t visit, making phishing more difficult.
My other advice to yourself about phishing and ransomware is to make sure you back up your valuable knowledge (consider encrypting it too), preferably on some other segmented device on the target PC or phone. Whether you’re a small business or an individual, it’s not a bad concept to invest in anti-phishing software. This adds some other barrier. I also present the follow-up of your social and credit accounts to see if there are anomalies in a normal way.
Creative summary postcard envelope comic strip as opposed to a laptop, email and marketing concept background. . . . [ ] Double exposure
Committed commercial
Often done in coordination with phishing, business email compromise remains a serious cybersecurity issue. Research firm Trellix decided that 78% of commercial email (BEC) engagements concerned fake CEO emails that used unusual CEO phrases, resulting in a 64% backlog from the third to fourth quarter of 2022. The tactics consisted of asking workers to accompany their direct phone number to execute a voice phishing or vishing scheme. 82% were sent using loose email services, meaning hackers don’t need any special infrastructure to run their campaigns. See: Malicious actors push attack vector barriers Malicious actors push attack vector barriers – Help Net Security
“Seventy-five percent of international organizations reported an attempted Business Email Compromise (BEC) attack last year. While English remained the most widely used language, companies in some non-English-speaking countries experienced a higher volume of attacks in their own language. adding organizations in the Netherlands and Sweden, which reported a 92% accumulation of such attacks; in Spain, with an increase of 92%; Germany, with a cumulation of 86%; and France, with a cumulation of 80%. See: New Cyberattack Tactics Accumulate as Ransomware Bills Accumulate New Cyberattack Tactics Accumulate as Ransomware Bills Accumulate | Online CSOs
“Business Email Compromise (BEC) attacks are no longer limited to classic email accounts. Attackers are finding new tactics to expose their schemes, and organizations will need to be prepared to protect themselves. Attackers are profiting from a new formula called Business Communication Pledge to take credit from giant global corporations, government agencies and individuals. They leverage the collaboration team beyond email, add chat and mobile messaging, add popular cloud-based apps like Slack, WhatsApp, LinkedIn, Facebook, Twitter, and many others. to generate attacks. See: The evolution of commercial email engagement to commercial communications Evolution from commercial email engagement to commercial communications engagement (betanews. com)
My point of view: Commercial emails are a prime target for hackers. As a result, organizations want to create a business threat control strategy and vulnerability framework that identifies virtual assets and knowledge to protect, adding sensitive email. Such a threat control strategy will have to be holistic and come with people, processes and technologies. This comes with protection and backup of email knowledge and business systems such as monetary systems, email exchange servers, human resources and acquisition systems with new security equipment (encryption, data and threat detection, identity access control, firewall, etc. ) and policies. This threat control technique also includes knowing your stock and gaps, integrating cybersecurity hygiene practices, purchasing and orchestrating a proper cyber tool stack.
Fraud alert in red keys on the background of a high-tech PC keyboard with security lock recorded in Array. [ ] credit cards. Concept of Internet security, privacy of knowledge, prevention of cybercrime for payments of online acquisition transactions.
Fraud is a virtual trend, identity theft
Fraud has been a social problem, but it is compounded by the expansion of criminals into the virtual realm. The charge is emerging as more and more people bank and shop online.
Data from the Federal Trade Commission (FTC) shows that consumers reported wasting nearly $8. 8 billion on fraud in 2022, a backlog of more than 30% over the past year. Much of this fraud originated from fake investment scams and imposter scams. Perhaps most alarming in this report is that there were more than 1. 1 million identity theft reports earned on the FTC’s RobodeIdentidad. gov website. FTC Shows Alarming Accumulation of Fraudulent Activity, Costing Consumers Billions – Help Net Security
My point of view: the explanation for the rising rate of identity fraud is clear. As we become more and more connected, we become more visible and vulnerable to those who need to hack our accounts and borrow our identities. The surface risk landscape has grown exponentially with smartphones, wearables, and the Internet of Things. Plus, those cellular devices, social media apps, laptops, and notebooks aren’t easy to protect.
There are no comprehensive remedies for identity theft, but there are moves that can enable Americans and businesses to help deter threats. Below is a quick list of what you can do with your accounts, privacy, and reputation:
1) Use strong passwords. Hackers are pretty smart at guessing passwords, especially when they have an idea of where you’ve lived in the afterlife (street names), birthdays, and favorite phrases. Changing passwords can also complicate your tasks.
2) Keep a separate computer to carry out your monetary transactions and do not use it for anything else.
3) Consider encryption software for the valuable information you want to protect. Also, set up virtual personal networks for an extra layer of security when using mobile smartphones.
4) Very important; Regularly monitor your credit scores, bank statements, and social accounts. Life Lock and other reputable tracking organizations provide account alerts that are very helpful in this awareness search. The faster you stumble upon fraud, the more you will be to deal with issues related to identity theft.
5) If you are the victim of an infraction, if it is serious, contact law enforcement authorities, as this may only be part of a larger criminal business that they deserve to be aware of. In the event of a serious breach, seek legal assistance in liability issues with creditors. Also hiring an external reputation manager if necessary.
Commercial and technological concept. Internet of Things (IoT). Information and Communication Network (ICT). . . . [ ] Artificial Intelligence (AI).
Some additional resources and compilation of cybersecurity trends for 2023:
There is a very smart report through the Center for Bipartisan Policy Research on the 8 most sensitive macroeconomic hazards to watch out for in 2023. These are indexed below the article and I agree with all of them.
See: Cyber arms race, economic headwinds among the most sensitive macro cybersecurity dangers by 2023 Cyber arms race, economic headwinds among the most sensitive macro cybersecurity dangers by 2023 | Online CSOs
And for a deeper dive into cyber statistics, check out: 34 Cybersecurity Statistics to Lose Sleep in 2023 34 Cybersecurity Statistics to Lose Sleep in 2023 (techtarget. com) The article points out from the beginning that we want to perceive the knowledge and the large volume used for cyberattacks. “By 2025, humanity’s collective knowledge will succeed at 175 zettathroughtes: the number 175 followed by 21 zeros. This knowledge includes everything from streaming videos and dating apps to healthcare knowledge bases. Securing all this knowledge is vital.
See also Dan Lohrman’s annual cybersecurity trends research: “After a full year of knowledge breaches, ransomware attacks, and real-world cyber effects as a result of the Russian invasion of Ukraine, what’s next?Here is Part 1 of their annual security industry summary forecasts for 2023 and beyond. Top 23 Security Predictions for 2023 (Part 1) Top 23 Security Predictions for 2023 (Part 1) (govtech. com) and Top 23 Security Predictions for 2023 (Part 2 govtech. com)
My point of view: of course, there are plenty of other trends and statistics to explore the year. In fact, it is a treacherous cyber ecosystem, and it thrives on threats and threats. Being cyber-aware is a component of the security and threat control process. And hopefully, examining the cyberthreat landscape will plead with industry and government to prioritize cybersecurity from the sensible bottom and back up.
About the Author
Mandrill Brooks
Chuck Brooks is a globally identified thought leader and expert in cybersecurity and emerging technologies. Chuck is also an Adjunct Professor in the Cyber Security Risk Management Program at Georgetown University, where he teaches courses on threat management, homeland security technologies, and cyber security. LinkedIn named Chuck one of the “Top Five Technicians to Watch on LinkedIn. ” He was named “2022 Cyber Security Person of the Year” by The Cyber Express, and among the “Top 10 Cyber Security and Technology Experts” globally by Best Rated, as a “Top five0 Global Influencer in RiskArray Compliance”. “, via Thompson Reuters, “Best of The Word in Security” via CISO Platform and via IFSEC, and Thinkers 360 as “#2 Global Cybersafety Influencer”. Featured in Onalytica’s “Who’s Who in Cybersecurity” in 2020, 2021 and 2022. He also named one of the five wisest cybersecurity executives to watch via Executive Mosaic. He is also a cybersecurity expert for “The Network” in Washington Post, guest editor at Homeland Security Today, expert for Executive Mosaic/GovCon and contributor to Skymost sensible Media and FORBES. He has an MFA in Foreign Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in Foreign Law from The Hague Academy of International Law.
Chuck Brooks – Cybersecurity Person of the Year