What are the top cyber risks for 2023? Today's security risks are compounded by the digital transformation of a still largely remote workforce, long-running supply chain disruptions, and growing attention to ESG. Cyber attacks are also on the rise, with damages to businesses expected to exceed $30 billion in 2023.
Managing cybersecurity threats is critical to an organization's success, so it is important to build processes that help your business identify the risks it already knows about and uncover the ones it does not. In this article I outline the biggest cyber risks facing organizations today and three forward-thinking ways to raise risk awareness across your organization and get ahead of emerging threats.
What Are the Top Cyber Risks for 2023?
The top cyber risks we project for 2023 are cybercrime, the internet of things (IoT), malware automation, third-party (and fourth-party and nth-party) risks and threats, plus the ever-present human element. Here are the top threats to watch.
1. Cybercrime
Attackers have built an ecosystem in which working malicious code is bought and sold, sometimes as a subscription service. Criminals who lack the skill to write complex code can now buy it and run sophisticated attacks against businesses, which widens the threat landscape for every organization. The original author of the code may even take a cut of the proceeds.
2. Internet of Things (IoT)
Digital transformation means more connected devices, and every device we connect is another door that can be left open to attackers. Analysts at Gartner predict there will be 43 billion IoT-connected devices in the world in 2023, each one a potential vulnerability. Devices such as home appliances, cars and alarm systems were once considered lower risk, but attackers have learned to use these "lower risk" devices as a foothold from which to reach other networked devices that hold sensitive data.
3. Malware Automation
Just as businesses automate their own processes, attackers automate their attacks, running thousands per day. Ransomware attacks are extremely common; Colonial Pipeline, JBS Foods and the Washington, DC Metropolitan Police Department are just a few prominent examples. Last year the Harvard Business Review reported that the amount companies paid to attackers had grown by 300%.
4. Third-Party (Fourth-Party, Nth-Party) Risks and Threats
When companies ramp up their digital technologies, they often turn to third parties and outsource IT and security support. In 2023, organizations also need to consider fourth parties and "nth parties": the vendors, services and applications used by your vendors' vendors. Outsourcing a function does not outsource accountability for the data it handles. The organization remains exposed if any of those third, fourth or nth parties fails to secure its data properly, so vendor assessments need to follow the data through subprocessors and not stop at direct suppliers.
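One way to make nth-party exposure concrete is to treat the vendor relationships as a graph and walk it: every path along which a data class flows from your organization ends at a party you are exposed to, whether or not you have a contract with it. The script below is an added example written for this article, not AuditBoard's tooling or the author's method; the vendor names, the data classifications, the edges and the set of "attested" vendors are all constructed for illustration.

```python
"""Trace third-, fourth- and nth-party exposure through a vendor dependency graph.

Hypothetical example: the graph, data classes and attestation list are
constructed sample data, not a real supply chain.
"""
from collections import deque

# Constructed sample: each party -> {subprocessor: most sensitive data class shared}.
# "acme-corp" is the first party; its direct vendors are third parties,
# their vendors are fourth parties, and so on.
VENDOR_GRAPH = {
    "acme-corp": {"payroll-saas": "PII", "cloud-iaas": "PII", "marketing-tool": "contact"},
    "payroll-saas": {"cloud-iaas": "PII", "support-outsourcer": "PII"},
    "support-outsourcer": {"ticketing-saas": "PII"},
    "ticketing-saas": {"cloud-iaas": "PII"},
    "cloud-iaas": {},
    "marketing-tool": {"email-relay": "contact"},
    "email-relay": {},
}

# Constructed sample: parties with a current audit report (e.g. SOC 2) on file.
ATTESTED = {"payroll-saas", "cloud-iaas", "marketing-tool"}


def exposure_paths(graph, root, data_class):
    """Return every path from root along which data_class flows, keyed by endpoint.

    Breadth-first walk that follows only edges carrying data_class and skips
    cycles, so the first path found to any vendor is a shortest one.
    """
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for nxt, cls in graph.get(node, {}).items():
            if cls != data_class or nxt in path:
                continue
            new_path = path + [nxt]
            paths.setdefault(nxt, []).append(new_path)
            queue.append((nxt, new_path))
    return paths


def party_tier(hops):
    """Map hop count to the 'nth party' label: 1 hop = third party, 2 = fourth, ..."""
    return hops + 2  # first party is the organization, second party its customer


def unattested_exposure(graph, root, data_class, attested):
    """List parties that receive data_class from root, directly or transitively,
    and have no attestation on file, with the shortest path that reaches them."""
    findings = []
    for vendor, paths in exposure_paths(graph, root, data_class).items():
        if vendor in attested:
            continue
        shortest = min(paths, key=len)
        findings.append({
            "vendor": vendor,
            "tier": party_tier(len(shortest) - 1),
            "via": " -> ".join(shortest),
        })
    return sorted(findings, key=lambda f: (f["tier"], f["vendor"]))


if __name__ == "__main__":
    for finding in unattested_exposure(VENDOR_GRAPH, "acme-corp", "PII", ATTESTED):
        print(f"{finding['tier']}th party {finding['vendor']} holds PII via {finding['via']}")
```

On the sample data, the two direct vendors handling PII are attested, but the walk surfaces a support outsourcer (fourth party) and its ticketing provider (fifth party) that receive the same PII with no report on file. Note that cloud-iaas is reached by three different paths; a real assessment would want all of them, since each represents a separate contractual route the data takes.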
5. The Human Element
The one constant in cybersecurity is the human element. Human error might mean someone clicks a phishing link or misconfigures a firewall. Education, training and vigilance reduce the likelihood that a single mistake has a serious impact.
Three Forward-Thinking Practices for Raising Cyber Risk Awareness
As threats to company data evolve, the protections companies use against them must evolve too. The traditional risk management model was not built for a dynamic risk environment, and teams need a new way of thinking to manage the changing risk landscape.
1. Align Cybersecurity With Business Goals
To ensure security plans are adopted from the top down, align them with the company's business goals; this builds a plan the executive team will support and the organization will embrace. Identify the key stakeholders who directly influence the organization's strategic objectives and make an effort to understand their priorities. That knowledge helps you identify key performance indicators (KPIs) and revenue targets. Ask these leaders which risk factors might prevent them from meeting those goals; their answers become your key risk indicators (KRIs). Then map your business unit's goals to those KPIs, revenue targets and KRIs.
Compliance is a factor here too. If your company plans to expand into Europe in 2023, there is probably a revenue target tied to that growth, and a major risk to that goal is failing to comply with GDPR. As a security or compliance professional, you should understand your industry's specific regulations and make sure your risk appetite is consistent with both the company's business goals and its regulatory obligations.
2. Work Faster, Smarter, and “Win” Together
With goals aligned across the business, you need to bring everyone on board and break down knowledge silos. Maintaining a strong cybersecurity posture needs to be a core value for the entire company, with continuing communication and cooperation amongst teams.
To get there, standardize a common framework across the organization that gives everyone a consistent language for security and communicates risk issues effectively across the business. Promote easy-to-understand terminology and share information. Maintain continuous touchpoints and data sharing with key stakeholders, from senior management to key partners and practitioners in the trenches. Bring security awareness into the culture beyond just the incident response team. It is a win for everyone.
3. Provide Actionable Insights to the Board and Executives
Find common ground and use competitive benchmarking when presenting to the board. Use language they understand; financials are a good entry point. The fallout from a data breach can have lasting repercussions, from reputational damage to significant business costs, both of which are top concerns for board members.
Keep the language non-technical, simplified and accessible for senior teams. Speak clearly and concisely, focusing on key points. Tie data security priorities to business goals and refer to company KPIs. Guiding board-level discussion and investment in cybersecurity is integral to your organization's success.
Cyber Risk Management: Preparation Through Information Sharing
What is the best way to get a strong return on existing security efforts? Operationalize your initiatives and get more visibility from the tools you already have. Integrate risk management into company frameworks, and make that information visible and transparent to other parts of the organization. Curated dashboards are an effective and efficient tool: a security compliance management solution that provides a single source of truth makes data accessible to every part of the organization.
Remember: being transparent with information raises the visibility of the security team and the company's security posture, and feeds into the company's culture. It takes cyber risk management beyond checking boxes and meeting minimum compliance requirements, and raises your organization's data security capabilities to the level needed to defeat today's cybersecurity threats.
Mary Tarchinski Krzoska, CISA, is a Market Advisor at AuditBoard. Mary began her career at EY before transitioning to a risk and compliance focus at A-LIGN, and brings 9 years of global experience including SOC, HIPAA and ISO compliance audits, consulting on business continuity and disaster recovery processes, and facilitating risk assessments. Connect with Mary on LinkedIn.