Digilantism may be on this rise in 2023, securing digital assets and cryptocurrency will be a key focus, and the cost of compliance may reach breaking point for many organisations, according to a new trends report for 2023 from Tesserent.
Additionally, Roger Spence, Director Client Services and Michael McKinnon, CIO at Tesserent, warns Australia may consider a Cyber Militia, as a way to bolster our cyber defences at the national level during times of crisis, in a similar way to how we maintain a regular Army Reserve in a part-time military capacity.
Innovative ways to address the cyber skills shortage
"The Australian Minister for Cyber Security, Hon Clare ONeil, has been explicit in her public goals for Australia to be the safest cyber nation on Earth," says McKinnon.
"In 2023, industry and government will need to focus on innovative ways to address the shortfall in highly skilled cyber professionals. This may involve a genuine national discussion about the focused skilled migration programs for cyber practitioners, greater emphasis on formalised personnel transfers within Five Eyes, QUAD and AUKUS nation states and funding initiatives such as an extension to the current ADF Cyber Gap Program which is set to end in 2023.
"Additionally, we may see fee relief for cyber related tertiary training, like what we have seen with nursing and other disciplines," McKinnon adds.
"Additionally, Australia may start a discussion regarding the formation of a national Cyber Militia, as a way to bolster our cyber defences at the national level during times of crisis, in a similar way to how Australia maintains a regular Army Reserve in a part-time military capacity."
Digilantism vs. Cyber Militia
Against the backdrop of the Australian Government's ramping up of hacking back largely in response to the Medibank data breach, the private sector is reminded that unless you're working for the Department of Defence such activity is illegal, not to mention unethical (as defined by virtually all cybersecurity industry codes of conduct), says McKinnon.
"With growing frustration in the community including personal vendettas arising from the swathe of compromised data being leveraged by scammers, security researchers in 2023 may be tempted into digilantism, a form of hacking back, despite better advice not to," he says.
"Coincidentally, given the severe skills shortage in cybersecurity generally, its entirely plausible that the Australian Government in coming years may call for volunteers in times of need, under the banner of a state-backed c."
Securing digital assets and cryptocurrency
While the cryptocurrency industry despite broad media coverage actually remains tiny (in terms of market capitalisation of only USD$900 billion) compared with global economic markets (around USD$120 trillion, or over 130x larger), McKinnon says recent developments with the collapse of the international exchange FTX highlight again the challenges of securing digital assets that rely on custodial management of private encryption keys.
"Few people understand the intricacies of cryptography, and put too much trust in other parties in these notionally decentralised systems, mostly due to the complexity and lack of good solutions when self-managing private keys," he says.
"New players are likely to emerge in 2023 and beyond around the increased use of secure hardware wallets and generally making this problem more accessible to the masses, but in reaction, more attackers are likely to target custodial exchanges and any third parties holding keys for others."
Compliance cost breaking point
According to McKinnon, many Australian organisations are experiencing an unprecedented pressure on spending related to ensuring compliance to all legal, contractual, and regulatory mandates; whether its APRA, ASIC, or PCI-DSS, or ISO27001, or third party security questionnaires that now justify the existence of many compliance teams.
"With the Australian Government threatening more fines for organisations that might suffer a data breach, the challenge is where preemptive spending will be directed in 2023 – should it go towards legal protections and larger compliance teams, or towards tangible initiatives that can genuinely lower the risk, or somewhere in the middle?
"Some experts, especially in the financial sector, have suggested that banking might not be profitable at all in the future if compliance burdens continue to expand at the rate they have in the last decade; and many other organisations are experiencing the same effect," he says.
"Tesserent predicts that we'll see some kind of reset or push back emerging in 2023 as businesses realise that compliance must be easier, not harder. Perhaps through choosing smarter partners in cyber, and leveraging technology to automate compliance systems."
Acceleration of identity management coupled with data loss prevention
With a growing focus on Zero Trust technology solutions and architectures, McKinnon says identity management will become the weakest link to address in 2023.
"Users will become the credential. Proof of identity won't rely on traditional authentication methods but will, instead, look for ways to prove that the user is who they really claim to be," he says.
"Solutions that boost current approaches to multi-factor authentication, especially leveraging verified biometric/facial recognition technologies, will start to become the minimum standard in mature organisations and a benchmark for aspiring ones."
To combat inevitable cyber breaches, McKinnon says data loss prevention solutions will become more widespread and leverage artificial intelligence and machine learning to accelerate data categorisation and classification to minimise potential damage and reduce data leakage.
"Data classification systems will become more sophisticated in order to determine what data is valuable and vulnerable," he says.
"And systems will become more adept at detecting data leakage through more channels such as social media and encrypted paths, possibly leveraging polymorphic encryption in 2023."
Take no prisoners
"CISOs are the subject of many industry jokes with alternative suggestions on the roles acronym – Career Is Soon Over rising as a popular one," notes McKinnon.
"It highlights the risk of extreme accountability this role requires often to breaking point, and in the new year, in light of recent breaches in Australia and New Zealand, we're no doubt likely to see a much more feisty and determined vigour from cybersecurity leaders," he says.
"There is no more time left for not taking immediate action, and letting teams get away with a lack-lustre response to addressing serious cyber risk.
"Maybe the acronym will mean Complacency Is Sent Overboard in the future."
Quantum computing still in infancy
McKinnon says that while Quantum computing is emerging, it will still be in a nascent state in 2023, but is one to watch for future developments.
"We are several years away from something of direct concern, but smart CISOs should keep a watchful eye on this space."