With technological advancements and adoption of latest technologies by organizations, the rate of cyber-attacks are also increasing. Every day bad actors are evolving their ways of cybercrime. The number of cases of phishing, malware, ransomware, spyware, Trojans, financial fraud, denial of services and other attacks are increasing and attacks are becoming more sophisticated and frequent. Just like companies are leveraging the latest technologies for their operational and financial benefits, cyber criminals are also using technologies to instrument an attack. Cyber warriors - CIOs/CISOs are doing their best to safeguard organizations from these attacks by implementing technologies. But still few areas lack focus and that could be potential areas for cyber security threats. Moreover, another area other than technology is the shortage of skilled cybersecurity workforce which will be seen as a big setback. With the number of attacks increasing everyday, there is only a sizable number of security professionals to curb these attacks.
On this backdrop, let’s take a look at the views of CIOs/CISOs on the cybersecurity challenges of 2023.
Prof. Triveni Singh IPS, SP, Cyber Crimes, Uttar Pradesh Police
“Organisations must have a comprehensive security strategy”
Some of the top cybersecurity challenges that are likely to continue to haunt the industry in the years to come include:
Ransomware attacks: Recent attacks on AIIMS showed the havoc Ransomware attack poses. These attacks have increased in frequency and severity and can have devastating consequences for organisations. The ransomware attack has become the biggest fear for corporations, the government and all critical infrastructure.
Phishing attacks: With the growing potential of AI and machine learning, social engineering attacks like phishing are becoming more sophisticated and difficult to identify. Threat actors are exploiting ChatGPT and other free AI tools to intensify their phishing attacks.
Cloud security: As more organizations adopt cloud services, ensuring the security of their data and systems in the cloud is becoming increasingly important. Increasing IoT security: Post pandemic, the increasing use of IoT devices creates a vast attack surface for hackers to exploit, the lack of security standards and best practices makes it challenging to ensure that these devices are secure.
The shortage of skilled cybersecurity professionals will continue to be a major concern in the years to come, despite the increase in cybersecurity spending. The demand for cybersecurity professionals is growing rapidly as more organizations rely on technology and digital systems to conduct their business, and the threat landscape becomes increasingly complex. The latest study shows, in 2023 there will be 2 million vacant jobs in the cybersecurity sector.
With cyber security risk increasing every day it is a must for organisations and institutions to conduct a risk assessment which can help them identify areas of vulnerability and potential threats to the organization, enabling the implementation of targeted security measures. Organisations must have a comprehensive security strategy ensuring all the areas are covered that includes physical security, network security, and data security.
Security is not one responsibility of CISO/CIO but every individual in the organisation needs to be sensitized about the latest threat and mitigation to secure the organisation. Employees can be a significant vulnerability, so educating them on security best practices and how to recognize and avoid potential threats can help reduce the risk of a security breach.
Sandeep Jamdagni, Head IT & IS, Ashiana Housing
Trained cyber professionals – A major challenge
The top cybersecurity challenges are:
• Ransomware and spear phishing attacks on corporates
• Cloud attacks due to miss configurations or poor credential management
• IoT attacks and default credential setting in remote site devices
• Zero-day attacks due to non-patching of critical and end user devices
• Shortage of trained cyber professionals
Cybersecurity skilled workforce is the major challenge and will continue to be on the top in 2023 also. There is always a race between attacker and protector. Small organizations hesitate to hire skilled and dedicated cybersecurity professionals due budget issues. This leads to less enthusiasm in attracting new professionals to choose cybersecurity and put their efforts into acquiring skills.
Human beings are the weakest link in the chain of cybersecurity. A trained and cybersecurity aware manpower prevents most of the cyberattacks. Regular employee and IT team awareness programs/training are conducted for cybersecurity threats and challenges.
Regular patching of critical and end user devices. A complete visibility of assets with classification is done to protect the corporate services. A continuous program with Plan -Do-Check-Act is formed to continuously review and update the cyber security posture of the organization.
Sanjeev Singh, CISO and Data Protection Officer, Birlasoft
Malware and Ransomware attacks to become more sophisticated
The top cybersecurity challenges for 2023 would include the following:
1. Greater Privacy and Regulatory Pressures: I expect to see many more privacy laws enacted in 2023, increasing the complexity of compliance.
2. Supply Chain Vulnerabilities: In an increasingly interconnected B2B world, I expect to see more supply chain attacks, such as the Okta hack by LAPSUS$ and Kaseya by REvil. The only way to deal with them would be to treat everything as hostile, thereby increasing the complexity of defensive architectures.
3. Talent Shortages: This is expected to continue, especially for more skilled technical roles requiring a problem-solving mindset.
4. Malware/ Ransomware: This will continue to evolve, and defenders will have a tougher time catching up.
5. Budget Pressures: With a subdued economic outlook in 2023, security leaders will have to find more cost-effective ways to secure their businesses and maximize their existing security investment’s value.
Security leaders not only have to enable business growth, balancing it with increased protection levels, but also try to improve user experience and achieve all of this within the constraints of potential economic slowdown. The best way to achieve this is by focusing on improving RoI from existing security investments. Most of the time, the security tools deployed are much more capable than the value derived from them.
We should also look at simplifying security architectures to reduce the indirect cost of managing disparate solutions and achieve improved outcomes. Security leaders will have to focus their investments on surviving attacks rather than only towards preventing them because prevention will eventually fail. This will require engineering prevention and detection throughout the attack kill chain and plan resiliency of critical assets. Lastly, modern technology allows dynamic risk measurement for users and devices and security should become more risk aware to flexibly enforce restrictive policies based on the risk level of users and devices. This will allow much better user experience for low-risk users, which are the majority typically.
Dr. Lopa Mudraa Basuu, Executive VP - Cybersecurity & Technology Risk, Sysinnova
“Use of AI & ML will continue to increase for attacking purposes”
Cybersecurity challenges that are going to haunt industry in 2023:
• Inefficient Technology Risk management will continue to inject poison silently into the veins of enterprise technology stack. The toxic outcome will be a very vulnerable digital ecosystem. A critical pain area of enterprise IT & Security that has direct impact on business
• IAM & Access Governance will continue as major challenge
• Ransomware & malware will continue as major threats
• Use of AI & ML will continue to increase for attacking purposes
• Increased use of Automation to craft sophisticate attacks
• Reduced visibility due increasing complexity of digital ecosystem will trigger Supply Chain Risk in manifolds
• Cyber skill gap is the biggest challenge at every level of security function
• Striking balance between business demand and increasing compliance & regulatory requirements
• Protecting OT and IoTs from weaponization
• Sustainable Cyber Resiliency is a major challenge
Cybersecurity skilled force is a global issue, one of the industry study reports indicating that by 2025 there will be 3.5 million unfilled cybersecurity positions globally. It is indeed itself imposing a huge risk on industry. I would see it as a great positive risk for Indian youth. They should grab this opportunity, explore and opt for the different career options available across the cyber domain.
Dr. Harsha Thennarasu, Chief IT & Cyber Security Advisor, HKIT Security Solutions
“Cyber security protection level must be increased only by proactive solutions like Managed Detections and instant response”
As we have witnessed in 2022, there are major threats that are AI-based Ransomware attacks and methodologies, sophisticated crafted phishing attacks and state sponsored attacks between countries.
Talent acquisition would be a major challenge. But we have strategies to hunt for smart freshers who have a lot of thoughts and fresh minds that can be a part of a cybersecurity team along with experienced team leaders.
Cyber security protection level must be increased only by proactive solutions like Managed Detections and instant response. It would also be strongly recommended to the leadership to increase the budget for cybersecurity exclusively to adopt latest technologies and hunt various talents from hackers and e-hackers point of view. At least two bug bounties (internal and external) will be proposed to showcase how strong the organizational security is.
Arvind Singh, CTO, EVP-IT, Puravankara
“Security as a service” may solve the challenge of skilled workforce in cybersecurity
IThe top cybersecurity challenges that are going to haunt the industry is the changing and constantly evolving cybersecurity threat landscape beyond common categories of cyber threats (like malware, social engineering, man in the middle attacks, denial of service, and injection attacks) with evolving technologies like AI, Robotics, DroneTech & IoT, Blockchain, 5G, hybrid infrastructure and workplace getting larger and bigger. Even the recently launched, most talked, conversational AI model – ChatGPT, though getting adapted virally, is also raising big security concerns.
With premium institutes like AIIMS getting targeted in India, many organisations across globe getting ransomware attack leading to cyber extortion where the organizations are made to sit across the table and negotiate the deal to come out of the situation is making the future more uncertain.
Skilled force in cybersecurity will continue to be a challenge, looking into the scarce resources and quality compromises, beyond standard tools & technology, “security as a service” might shape up providing necessary proactive round the clock end to end monitoring. The technology and security partners will also need to put their skin into the game in order to make it a real shared responsibility as any association and partnership moving forward might be result oriented due to the increasing investments and rising cybersecurity uncertainty with ever evolving digital technology and business models.
Seema Sharma, Global CISO, Servify
Misconfigurations of cloud services security settings: A key security challenge
Securing and governing Multi-Cloud Environments: Misconfigurations of cloud services security settings continues to be the biggest security challenge and this compounds with the use of multi cloud environments each with a different array of vendor-provided security controls.
It is really challenging to know all these security controls and not all organizations have adequate cloud security posture management strategies and also lack qualified staff who are familiar with the CSP specific security controls for configuring and securing their cloud deployments and hence it is easy for a misconfiguration or security oversight to happen.
Insecure Interfaces/APIs: CSPs often provide a number of application programming interfaces (APIs) and interfaces for their customers. In general, these interfaces are well-documented in an attempt to make them easily-usable for a CSP’s customers.
The documentation designed for the customer can also be used by a cybercriminal to identify and exploit potential methods for accessing and exfiltrating sensitive data from an organization’s cloud environment.
Ransomware Protection: Ransomware attacks are increasing in both volume and sophistication. Deploying an anti-malware solution is not enough. Following a Defense-In-Depth approach in implementing security controls, including raising cybersecurity awareness on social engineering, which accounts for 98% of cyber-attacks is essential to reduce cyber risk associated with ransomware attacks.
Data Loss/Leakage: Due to external and insider threats and the root cause ranges from some user or program accidently deleting or overwriting sensitive date, making block storages like s3 buckets publicly available, a malware /ransomware encrypting sensitive data to the improper sharing of sensitive data on SaaS based cloud storage solutions which allows link based sharing.
The shared link can be forwarded to someone else, stolen as part of a cyberattack, or guessed by a cybercriminal, providing unauthorized access to the shared resource.
Data Sovereignty/Residence/localization Challenges: Most cloud providers have a number of geographically distributed data centres. Organizations storing their data in the cloud often have no idea where their data is actually stored within a CSP’s array of data centres. This creates major concerns around data sovereignty, residence, localization control requirements.
Vivek Dharia, CIO, KNP Securities
Protecting remote and hybrid work environments to be the top challenge in cybersecurity
The top cybersecurity challenge is how and where more the external penetration tests happened and exploitable misconfiguration. Also, safeguarding remote and hybrid work environments will continue to be the biggest challenge in cybersecurity.
Companies are facing a huge cybersecurity talent shortage. It is due to rapidly changing advancements in technology and threat landscape but for this we have to build skills primarily in-house instead of by hiring experts.
There are some measures like updating and upgrading current softwares, antiviruses and hardwares, encrypt data and create backups, conduct regular employee training, make rules to control account access, try to execute signed software policies, and make disaster recovery plans ready.
Bipradas Bandyopadhyay, CIO, Zuari Infraworld India
Lack of skilled workforce pose a major challenge
Industry would need to deal with few cybersecurity challenges notably, how to ensure that organizations and their employees do not fall prey to social engineering attacks that work on phishing/vishing methods, how to protect the edge locations of an organization that may be not properly secured, how the sensitive data leakage can be prevented by mitigating ransomware/other methods of attacks which are very rampant nowadays.
Resources are scarce in the field of cybersecurity in the present time while the frequency and severity of cybersecurity threats are multiplying manifold each day.
Lack of skilled force to handle such threats is a major concern for all the organizations. Proper training including certifications, cross-skilling of existing resources etc. are the needs of the day to manage this shortfall of skilled resources.
Security Efforts have to be in-sync with business processes, else it becomes obstructive in nature and reduces productivity of the organization. Hence, Security strategy of an organization needs to be closely related to its business strategy to ensure business growth.
However, standard security measures such as MFA (Multi-factor Authentication), Zero-trust architecture, relevant physical access controls, defence in depth (layered defence mechanism) etc. are easily implementable in the organization without impacting business growth.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
