
Special Report

What to Expect in 2023: Trends and Predictions for Information Security


As we start a new year, it is important for us to look at the current status of information security, with all the unique situations happening worldwide. From big tech companies suffering from significant employee layoffs to interest rates reaching heights we have not seen in many years, it is an interesting time to be in the cybersecurity space.

But what exactly are we facing currently?

Data Breaches: The New Nightmare of Businesses

In 2022, we saw quite a few data breaches, ranging from SMEs to large tech companies. These breaches have been a nightmare for their customers and employees, but they have also caused a great deal of harm to the companies themselves.

In Q3 2022 alone, a total of 108.9 million accounts were breached. This number is a 70% increase over the previous quarter.

Here are some of the top breaches and cyberattacks of 2022:

  • Microsoft’s speculated data breach
    In late March 2022, a hacking group called “Lapsus$” published what it presented as evidence that it had compromised Cortana, Bing and a few other Microsoft products. Microsoft announced that it had contained the attempt and that only one specific account had been compromised. Microsoft also stated that no customer data had been stolen. Even so, the incident reinforces the idea that cybersecurity should always be on the radar, no matter the size of an organisation or the time and money it has invested.
  • Insider Threat from a Former Employee – Cash App
    In April 2022, Cash App explained that a former employee had managed to breach one of its servers. According to Cash App, the former employee had a grievance against the business and accessed large amounts of sensitive customer information. As a result of this attack, the company contacted more than 8 million customers to explain the incident. It was concluded that account credentials had not been obtained in the attack, but a small amount of identifiable information had been gathered.
  • Red Cross Data Breach
    In January 2022, an attack was carried out against the Red Cross, targeting servers that hosted the data of more than half a million people. The servers were taken offline to stop the suspected attack. Sadly, at the time of writing, no one has been identified as the culprit.

Today’s 3 Biggest Information Security Challenges

Every year, information security challenges get more complex. If you’re looking for new ways to protect your company, here are the top three challenges you’ll want to keep an eye on.

1. Cybersecurity Attacks

The pandemic dramatically altered cyberspace as most of the world became more dependent on the internet. While businesses worldwide changed their operations to slow the virus spread, cybercriminals adapted to spread other viruses.

In fact, cybercrimes have increased by 600% due to the COVID-19 pandemic. By 2025, we estimate that such crimes will cost the globe $10.5 trillion, which is more than 300% higher than the cost in 2015. It is of the utmost importance that companies invest enough time and resources to combat such attacks and reduce the chances of becoming part of that statistic.

2. Bring Your Own Devices Security Issues

A frequent by-product of organisations allowing employees to work from home is the introduction of a more relaxed Bring Your Own Device (BYOD) policy. As more people work from home, they may already have laptops or desktops that they wish to use for their work – especially if the work equipment is slower than the equipment they already own.

On the surface, BYOD may seem like a win-win for both employers and staff; however, it is not without its risks. Organisations must ensure that they have put the correct measures in place to manage the new threats that BYOD can introduce. Such risks include:

  • Unpatched devices that either don’t have the latest patch installed or (even worse) are out of vendor support and no longer receive any form of official security patching.
  • A lack of control over where data is located, with the risk of data being duplicated across multiple devices. This can make managing any sensitive data on those devices a real challenge.
  • Conflict with staff who own such devices when questions around device management come into play. Suppose an employer lets employees use their own phones to access their company email accounts. Over time, these devices will need to be updated to prevent old security vulnerabilities from being exploited. If an employee refuses or (more likely) forgets to update their device, it becomes more vulnerable to attack. In addition, requesting that a mobile device management (MDM) solution be installed on such a device can cause conflict with the staff member over their privacy.

3. Remote Working

Organisations are now offering remote working contracts to their staff more than ever. It was stated that 56% of respondents had worked remotely for less than a year in 2022. This is great for companies expanding the number of people they can hire, as recruiting employees from other countries is now possible. However, introducing drastic changes in how we work often introduces new risks and challenges.

  • Home network setup – because employees are working from home, the security of the network they connect to is now part of the risk surface and must be addressed. A quick win here is introducing a mandatory VPN for those devices, which creates a tunnel to the organisation’s own network. It should drastically reduce the attack surface of the device (the sum of the exposed weaknesses that an attacker could use to obtain sensitive information or carry out a cyberattack). It will also often result in the device connecting from a static IP address, which can be helpful for other internal technical projects.
  • Public Wi-Fi – one of the best parts of having a remote working team is that they can work in places outside the office and their homes. This can be convenient for many reasons, but it also comes with risks. Employees can connect to unprotected Wi-Fi hotspots where a malicious actor can try to capture sensitive traffic sent through the hotspot (known as a man-in-the-middle attack). That can be mostly resolved by following these actions:


Strengthening Cybersecurity through the EU‘s NIS2 Directive

“There are only two types of companies: those that have been hacked and those that will be.” – Robert Mueller, former FBI director

What is the NIS2 Directive about?

The new EU Directive, NIS2, imposes stricter legal requirements for cybersecurity in Europe with the goal of:

  • Strengthening the cyber-resilience of a comprehensive set of businesses operating in the EU across all relevant sectors,
  • Achieving a managed security posture maturity,
  • Addressing the security of supply chains,
  • Streamlining reporting obligations,
  • Introducing stricter supervisory security measures,
  • And achieving deep-rooted cyber resilience in Europe.

The NIS2 Directive brings legal requirements for cybersecurity risk management measures and reporting obligations. It will help around 160,000 entities tighten their grip on security and make Europe a safer place to live and work. It will also enable information sharing with the private sector and partners around the world.

How does the NIS2 Directive boost the overall level of cybersecurity in the EU?

The NIS2 Directive provides legal measures to increase cybersecurity in the EU by:

  • Building on the NIS1 strategy on the security of network and information systems to ensure Member States are appropriately equipped and prepared,
  • Establishing cooperation and information exchange among all the Member States by setting up the Network and Information Systems (NIS) Cooperation Group,
  • Creating a culture of security across 7 sectors that are vital for the economy and society and also rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

What is different compared to the NIS Directive?

Compared to the previous regulatory framework, the scope has been extended to cover both private and public organisations which employ 50 people, have an annual turnover or balance sheet of more than EUR 10 million, or fall under one of the new “essential” sectors.

Additionally, cybersecurity governance takes on a stronger role under NIS2 than it did under the original NIS Directive, with approval and supervision duties imposed on top-level management.

What is the deadline for the NIS2 Directive?

As this directive is not a regulation, EU member states must transpose the new act into national law by 18 October 2024. Currently, roughly 160,000 organisations in the EU and 20,000 in Germany are directly affected by NIS2, whereas more than 1.2 million organisations across the EU and more than 200,000 in Germany are affected indirectly.

What are the requirements of the NIS2 Directive?

NIS2 measures are based on an “all-hazards approach”, aiming to protect both network and information systems and the physical environment of those systems from incidents. The requirements include:

  • Policies
  • Incident Management
  • Business Continuity
  • Supply Chain Security
  • Training
  • Asset Management
  • Reporting Obligations

What are the NIS2 Directive fines?

Fines for non-compliance with the NIS2 Directive can be substantial. In some cases, fines may be as high as €10 million or 2% of the entity’s global turnover, whichever is higher. In the most severe cases, fines can be as high as €20 million or 4% of the entity’s global turnover, whichever is higher.

National authorities also have the power to impose other measures, such as orders to suspend or restrict an entity’s activities, to protect the security of network and information systems. It is, therefore, important for operators of essential services (OES) and digital service providers (DSPs) to ensure that they comply with the requirements of the NIS2 Directive.

What are the key provisions of the NIS2 Directive?

The NIS2 Directive aims to adapt the framework to current needs and make it future-proof. It introduces several key provisions that aim to enhance organisations’ cybersecurity in the EU. These include:

1. Expansion of Scope

One of the most significant changes introduced by the NIS2 Directive is the expansion of scope. The directive applies to a broader range of organisations than the previous iteration, including online marketplaces, search engines, and cloud computing services. This expansion of scope aims to ensure that a more extensive range of organisations is held accountable for the security of their networks and information systems. The new scope will also include any businesses in sectors defined as “essential”. This includes the following sectors:

  • Public administration
  • Providers of public electronic communication networks or services, social networking service platforms, and data centre services
  • Manufacturing of critical products, such as pharmaceuticals, medical devices, or chemicals
  • Food
  • Waste management, including wastewater treatment
  • Postal and courier services
  • Space industry

2. Cybersecurity Incident Reporting

Under the NIS2 Directive, organisations that provide essential services must report any significant cybersecurity incidents to the relevant national authority within 24 hours of becoming aware of such incidents. This provision aims to improve the response time to cyber threats and ensure that member states have a comprehensive overview of cybersecurity incidents across the region. It is worth noting that some member states already have mandatory reporting requirements in place, and the NIS2 Directive builds upon these requirements.

3. Strengthening of Security Requirements

The NIS2 Directive also strengthens the security requirements for organisations that provide essential services. These requirements include implementing appropriate technical and organisational measures to ensure the security of their networks and information systems. They must also ensure effective incident response plans are in place to mitigate the impact of any cybersecurity incidents.

4. Certification Schemes

The NIS2 Directive introduces a framework for creating certification schemes for cybersecurity products and services. These schemes will help identify and select products and services that meet a high level of security requirements. They will also promote the development of cybersecurity products and services that meet the needs of the EU market.

Companies that wish to comply with NIS2 can create and maintain an Information Security Management System (ISMS) based on frameworks such as ISO 27001.

Will NIS2 impact businesses in the UK?

NIS was fully implemented in the UK for businesses when the UK was part of the EU; however, as a result of other factors, NIS2 is not yet mandatory in the UK. On the flip side, the UK Government is currently reviewing the effectiveness of NIS2 to see whether it wishes to implement it anyway in some form. Our recommendation is that UK businesses should prepare for the likely implementation of either the NIS2 requirements themselves or a UK-modified version.

There is truly little information about NIS2 in the UK because it is EU legislation. However, one resource stated that “Following Brexit, the UK is no longer required to follow the NIS2 Directive”.

Information Security World is Evolving. What is Next?

Information security is one of the many industries which never stands still. There are always new vulnerabilities and new framework standards that must not be ignored. Otherwise, you risk being left behind. So, what is next for information security?

Sadly, we have yet to create crystal balls that can predict the future, but we can speculate based on the trends we have seen before to help answer this question.

Virtual Reality: Will it Evolve or Solve Cybercrime?

The modern digital age consists of rapid technological advancements that have reduced the world to a mere touch of our fingertips. And while this all does seem exceedingly exciting, these technological advancements have also impacted the modern threat landscape.

However, the debate on whether the impact of modern technology is good or bad for cybersecurity is ongoing. Introducing new advancements to make our lives easier is fantastic, but the risks these changes add to the mix should be assessed and addressed before someone else takes advantage of them. It is important to think about the ever-evolving virtual reality (VR) space, which is still not mature from an information security perspective. As a result, individuals and organisations must do their due diligence to ensure that data is not at risk. Things to look out for when protecting data in a VR implementation:

  • Ensure that all applications used with the VR device are vetted and tested to see what permissions they require and that they are free of malware. It is easy to fall into the trap of thinking that VR applications are a different breed. However, they should be treated no differently from any other third-party software you implement.
  • Make sure that firmware and software are kept up to date whenever the vendor releases a new update.
  • With some headsets now a couple of years old, ensure that the appliance still receives software patching from the vendor. It is crucial that the device can receive updates for new threats. You may also face issues with some information security frameworks if it is found that you are using devices that no longer receive vendor patching.

The Upgrade to Smarter Cars, Are They Really Safe?

New vehicles (especially electric ones) come with far more automated features than ever. This creates the potential for cars to drive themselves or automatically detect a likely accident and make the relevant adjustments to avoid it. This new technology is a fantastic invention; however, it also opens up many alarming risks and avenues for exploitation.

That includes attacks such as the possibility for hackers to:

  1. Obtain access to the central control unit of the vehicle and cause it to emergency brake for no apparent reason, potentially causing a severe crash.
  2. Control the microphones used in the vehicle to eavesdrop on conversations.

But what can a business do to help reduce the risks of an attack on their vehicle?

  • Add multi-factor authentication to processes that may control the vehicle. This can include the app that the car uses (as some vehicles can be operated by smartphone apps). In addition, you can enable multi-factor authentication for the key fob (where possible).
  • Research software that detects tampering with the code within the vehicle. People with physical access to the vehicle and a high level of knowledge (for example, a malicious actor posing as a mechanic) can modify or append code in order to track you or learn your driving history so they can steal the vehicle at a later stage. So, make sure you do your research.
  • Prohibit unverified apps or services from being downloaded onto the vehicle’s infotainment system. A recommendation: advise your consumers not to use an internet browser in their vehicle, as the added risk may not be worth the functionality.

Top Information Security Threats to Expect in 2023

1. A Lack of Funding in the SME Space

As many economists and mathematicians have calculated, we will likely drop into a global recession shortly (with some stating that we already are). As a result, many organisations will struggle to keep their heads above water financially over the coming months and years. Funding additional projects to improve cybersecurity practices may be further down the list than it once was. As a result, more organisations may be compromised due to a lack of security controls being implemented, not from a lack of wanting but due to insufficient funds to get the right minds together to consult on and implement such changes.

2. Cloud Breaches from Improper Configurations, Data Sharing and Compromised Credentials

It was stated that 27% of organisations using public cloud platforms suffered a breach in 2022. When more than 1 in 4 cloud platforms are compromised, it should be a high priority to ensure that configurations are done correctly and to a high standard.

For increased security, organisations should also enable features such as multi-factor and industry-recognised encryption.

Getting Ready for 2023: Make Life Easier and More Secure with Policy-as-Code Implementation

Policy-as-code is another way of saying that a policy is hard-coded into a system to remove human error and, therefore, human risk as much as possible. That is achieved through process automation, such as forcing an employee to change their password at a specific interval and having controls around the change that enforce a stronger password, not just the previous password with an incrementing number at the end.

As more organisations introduce ISO 27001 controls into their environments, it is crucial to automate as much as possible to save time and money and, importantly, reduce risk.
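The two controls described above (a rotation interval, and a check that rejects the previous password with a number appended) expressed as code, as an added illustration that is not part of the original report or of any DataGuard product. The parameter values and the sample passwords are constructed for the example.

```python
import re
from datetime import date, timedelta
from typing import List

# Constructed policy parameters for this example (not values from the report).
MAX_PASSWORD_AGE_DAYS = 90   # rotation interval
HISTORY_DEPTH = 5            # how many previous passwords are remembered
MIN_LENGTH = 8

_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(password: str) -> str:
    """Strip trailing digits so 'Winter2023' and 'Winter2024' compare equal.

    A password made only of digits has an empty stem, so the full value is
    used instead; otherwise every all-digit password would look like a reuse.
    """
    stem = _TRAILING_DIGITS.sub("", password)
    return (stem or password).lower()


def rotation_due(last_changed: date, today: date) -> bool:
    """True once the current password has reached the maximum age."""
    return today - last_changed >= timedelta(days=MAX_PASSWORD_AGE_DAYS)


def validate_new_password(new: str, history: List[str]) -> List[str]:
    """Return the policy violations for a proposed password (empty = accepted).

    history[0] is the current password, older passwords follow.  Plaintext
    history is used here only for illustration; a production system would
    store salted hashes of each password and of its stem and compare those.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    recent = history[:HISTORY_DEPTH]
    if new in recent:
        problems.append("reuses a recent password")
    elif _stem(new) in {_stem(p) for p in recent}:
        # The "Winter2023 -> Winter2024" pattern the paragraph warns about.
        problems.append("only differs from a recent password by trailing digits")
    return problems


if __name__ == "__main__":
    history = ["Winter2023", "Autumn2023"]          # constructed sample
    for candidate in ["Winter2024", "Winter2023", "correct-horse-battery"]:
        print(candidate, validate_new_password(candidate, history) or "accepted")
    print("rotation due:", rotation_due(date(2023, 1, 1), date(2023, 4, 1)))
```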

ISO 27001 On the Rise: How the Certification is Driving Value for SMEs and Corporates

With ISO 27001 / 27002 being updated with some major changes, it may be helpful to consider how many organisations are using the standard to strengthen their security posture. Year after year, for over a decade, ISO 27001 adoption has risen by approximately 20%. It started at around 6,000 in 2006 and reached a staggering 30,000 plus per year in 2020. These statistics show that ISO 27001 is a rapidly growing standard that, when implemented successfully, can drastically lower the chances of a compromise in some situations.

Navigate the complexities of the ever-changing information security landscape with assurance. Discover the potential of our ISO 27001 certification solution in strengthening your security measures and safeguarding your organisation against emerging threats.



About the author


Emrick Etheridge

Product Content Owner - Information Security (CIS LA)


Emrick Etheridge is the product content owner for Information Security and a certified ISO 27001 Lead Auditor. Prior to DataGuard, Emrick studied Computer Science at Anglia Ruskin University (Cambridge) before entering the world of Digital Forensics and Information Security at a Cambridge-based company. In these roles, he consulted merchants who required either a digital forensic investigation or re-certification. Emrick was also a certified Cyber Essentials assessor at the height of the pandemic, which proved to be an interesting time in the industry. In his current role, he helps SMEs create an Information Security Management System (ISMS) to strengthen their security posture, as well as consulting them on their path to obtaining ISO 27001 certification.