Editor’s note: The following is a sponsored blog post from Hyperproof.
As we approach 2023, it’s natural to look back on the biggest security events that took place this year and anticipate their effect next year. The previous two years have shown that our world is full of complexity and uncertainty, despite all the advances in data collection, compliance operations automation, and SaaS technology.
Risk modelers and analytics experts know we can’t predict or control the world with any degree of certainty, but it’s important to brace ourselves for the upcoming threats and new opportunities the coming year will present. Here are three key risk management predictions we have for 2023 that will shape the risk management industry.
1. Internal assessments will become more important as security breaches hit the news
Cybersecurity breaches have been a hot topic in 2022, with several high-profile cases making national news. Joe Sullivan, who led security at Uber, was recently found guilty of deliberately concealing a breach of customer and driver records to government regulators.
Specifically, Uber’s bug bounty program is now under fire, and regulators have their eyes on the ride-sharing giant’s method of paying “white hat” researchers up to US$10,000 to report security vulnerabilities. The case has already resulted in a shift in how security professionals handle data breaches, and its ripple effect is set to carry into 2023.
Another case that hit the news recently was the FTC seeking action against Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically called out and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift towards enforcement at the FTC, particularly for organizations that don't have adequate controls around the protection and disposition of consumer data.
And lastly, Twitter. Whistleblower and former head of security for Twitter, Peiter “Mudge” Zatko, released an 84-page complaint about the social media giant, alleging all manner of cybersecurity shortcomings, like:
- Poor access controls that left the company in violation of a consent decree with regulators
- Ill-defined roles and responsibilities for cybersecurity
- An inability to segregate different types of data
These comments were — to put it lightly — not well received, especially considering Twitter’s more recent problems as Elon Musk acquired the company in October of 2022. Twitter’s Chief Privacy Officer, CISO, and Chief Compliance officer have since departed, and the FTC has their eye on the tech giant. Twitter is now facing mass resignations in the wake of the turmoil.
One lesson carries across all of these stories: the importance of effective internal assessments, as they are critical tools to find weaknesses in your security program and assure that those weaknesses are fixed. We predict a sharp increase in internal investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real-time. Tech companies like Twitter and Uber are conducting massive layoffs in the midst of this turmoil, demonstrating the profound business impact cybersecurity breaches have, especially during times of economic uncertainty.
2. Cryptocurrency regulation will quickly evolve
With the recent news of FTX’s collapse and the economic fallout that ensued, cryptocurrency is top-of-mind, even for the average person barely educated on the subject. Retail investors are now pulling out in droves after the cryptocurrency darling — with an initial valuation of US$32 billion — suffered a swift fall from grace, losing billions in value and hurting the broader market.
FTX’s new CEO, John J. Ray, who took the helm after FTX CEO and Founder, Sam Bankman-Fried stepped down, alleges that the company made an effort to conceal misuse of customer funds. Ray, who has previously overseen the cleanup effort at Enron, issued an assessment of FTX’s management practices, citing poor record-keeping, compromised systems integrity, faulty regulatory oversight, and a lack of experience among senior managers.
And to top it all off (as if this weren’t enough to raise security and compliance concerns for the pros and governing bodies), within hours of filing for bankruptcy, FTX reported “unauthorized transactions,” which led outside analysts to believe the company lost about $477 million in a suspected hack.
So, what does this mean for security, compliance, and risk professionals? To start, FTX customers may not recover their assets, which could result in legal action. A legal battle of this caliber could result in a shift in perspective from regulatory bodies on how cryptocurrency should be monitored. The U.S. Securities and Exchange Commission (SEC) might see FTX’s collapse as a justification for tightening regulations on digital tokens and exchanges, and Congress may be more inclined to pass new regulatory laws.
The volatility of the crypto market, combined with its new frontier of economic trade, has opened regulatory and security loopholes that governing bodies are still trying to adjust to, and we expect to see new conversations (and plenty of crypto regulation) emerging in 2023.
3. SMBs will have to increase security control monitoring to avoid cyber attacks
Smaller companies are more vulnerable to cyber attacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors. For example, multi-factor authentication has transformed from merely a suggestion to a must-have in the last two years as the pandemic increased the number of people working from home and in more vulnerable security environments.
More controls in place means more processes for maintaining those controls, which results in more manual processes that IT security professionals must handle. For example, SMBs will need to map out the GDPR compliance legalese to controls for breach notifications, or quickly finding CIS Control Group 3 to help with data disposal.
IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.
Prepare for 2023 and beyond
The road ahead might be paved with uncertainty, but one fact remains constant: automating as many manual risk management and compliance operations processes as possible will be essential to adapting to the changes ahead. With an increase in cybersecurity audits, new crypto regulations, and increased control management, IT security professionals face increased workloads in the coming year.
One thing organizations looking to operationalize risk management and compliance operations can do to prepare is consider new tools to assist with the predicted changes that can streamline workflows. The right tools help with evidence, control, and risk management in a single platform so security and compliance teams can focus on what matters most: adapting to these anticipated regulatory changes and keeping your organization safe and secure.