For many security professionals, 2022 was not an easy year. We saw ransomware attacks reach new levels, economic conditions force teams to do more with less, and insider threats reach alarming new heights. As we look ahead to 2023, the threat and regulatory landscapes seem more demanding than ever. Between added stressors on both employees and companies, as well as changing laws complicating cybersecurity and data protection programs, the need to evolve how we protect people, data and companies is becoming continuous. Below I share my predictions for security in 2023.
1. Insider Risks will persist, if not grow
Tough economic conditions will continue, but how they impact companies and their employees may shift this year. Over the last year, we’ve seen numerous companies, particularly in the tech sector, lay employees off in droves. This typically leads to an increase in an already rampant Insider Risk: departing employees taking intellectual property (IP) they believe belongs to them, not the company. Even in more stable times, two-thirds of employees admit to taking data from their last job to help them in their current job. The heightened anxiety of being in the next round of layoffs, on top of the increased stress of covering work left behind, may only increase that tendency. This could lead to more self-serving insiders, and in turn to increases in a number of Insider Risk types, including IP theft.
2. Managing your program may only get more complicated
In recent years, federal and state governments have increasingly driven cyber hygiene and governance within their realms of influence, and 2023 looks to be no different. From a governance perspective, the U.S. Securities and Exchange Commission (SEC) has proposed rules requiring more in-depth and capable cybersecurity oversight within public companies. While this may help some cybersecurity programs get the attention and support they deserve, it may also slow down progress for even more companies, with more “armchair quarterbacks” guiding Chief Information Security Officers (CISOs) on how to do their jobs.
In the data and privacy realm, state privacy laws are becoming more common and more complicated. Revisions to California’s privacy law, as well as Virginia’s new privacy law, have already taken effect earlier this year, and more is on the way. Colorado, Connecticut and Utah are all expected to enact privacy laws applicable to their residents’ data in 2023. While it is expected that many requirements within these individual states will overlap, some additional requirements and how each state enforces these laws may make dealing with this growing body of privacy laws difficult for many companies.
3. Protecting your data could get harder
On top of all the other complexities we are facing this year, there is the possibility of government-led removal of non-competes in employment contracts. A proposal recently released by the FTC could make the Insider Risk landscape even more complex for practitioners, banning one of the few legal paths companies have to deter employees from taking IP directly to competitors. However, the proposed change, and the overwhelming public support for it, underscore the reality that organizations shouldn’t be relying solely on non-competes in the first place. Organizations should always have the right data protection protocols in place that effectively monitor for and respond to the potential loss of IP and other data. Finally, they should focus on cultivating an open and transparent culture rather than depending solely on legally binding contracts.
With all of these realities, it will be important for companies to keep the following points in mind.
- Empathy and support must not be lost during tough business times. Remembering that employees are humans, both in the mistakes they make and the support they need, can drive security changes that can significantly reduce risk.
- Secure work habits must be instilled in the company culture, not just an afterthought. Ensuring that leaders across the organization embody your security best practices will show employees their importance and may reduce some of the more common negligence incidents in the future.
- Leverage your technologies to proactively reduce risk via methods like zero trust architecture and modern data loss protection techniques. Reducing the likelihood of unauthorized access in the first place and increasing your visibility into where your data is going will do wonders to reduce the most common risks posed by insiders.
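As an added illustration of the last point, visibility into where your data is going, here is a small egress-anomaly check of the kind a data loss protection workflow runs. It is example code written for this page, not code from the original post or from any product. The log format, the destination categories, the departing-user watchlist and the thresholds are all constructed assumptions: the check compares each user's recent file-egress volume against their own baseline, notes bulk transfers to destinations the organization does not manage, and raises the severity for users on an HR departure list, which is exactly the departing-employee scenario the post describes.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample log lines in the format "<ISO timestamp> <user> <destination> <bytes>".
# Made up for this example; they are not telemetry from any real organization.
SAMPLE_LOG = """\
2023-01-01T09:10:00 alice corp_sharepoint 10000000
2023-01-02T09:15:00 alice corp_sharepoint 12000000
2023-01-03T10:02:00 alice corp_sharepoint 9000000
2023-01-04T11:20:00 alice corp_sharepoint 11000000
2023-01-05T14:05:00 alice corp_sharepoint 10000000
2023-01-06T09:40:00 alice corp_sharepoint 10000000
2023-01-07T16:30:00 alice corp_sharepoint 8000000
2023-01-01T09:30:00 bob corp_sharepoint 5000000
2023-01-03T13:10:00 bob corp_sharepoint 6000000
2023-01-05T15:45:00 bob corp_sharepoint 4000000
2023-01-06T18:55:00 bob personal_cloud 300000000
2023-01-07T22:10:00 bob usb_removable 450000000
"""

# Hypothetical watchlist fed from HR: users with an announced departure.
DEPARTING_USERS = {"bob"}

# Hypothetical categorisation of destinations the organization does not control.
UNMANAGED_DESTINATIONS = {"personal_cloud", "usb_removable"}


def parse_log(text):
    """Turn the constructed log lines into (timestamp, user, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return events


def flag_egress_anomalies(events, as_of, window_days=2, baseline_days=5,
                          ratio=3.0, min_bytes=100_000_000):
    """Compare each user's egress in the last `window_days` against the preceding
    `baseline_days`, and flag users whose recent daily rate is at least `ratio`
    times their own baseline or who moved `min_bytes` or more to unmanaged destinations.
    Thresholds are constructed defaults, not recommendations for any real environment."""
    window_start = as_of - timedelta(days=window_days - 1)
    baseline_start = window_start - timedelta(days=baseline_days)
    window = defaultdict(int)      # bytes per user in the recent window
    baseline = defaultdict(int)    # bytes per user in the baseline period
    unmanaged = defaultdict(int)   # recent bytes per user sent outside managed storage

    for ts, user, dest, nbytes in events:
        day = ts.date()
        if window_start <= day <= as_of:
            window[user] += nbytes
            if dest in UNMANAGED_DESTINATIONS:
                unmanaged[user] += nbytes
        elif baseline_start <= day < window_start:
            baseline[user] += nbytes

    findings = []
    for user, window_bytes in window.items():
        window_rate = window_bytes / window_days
        baseline_rate = baseline[user] / baseline_days
        reasons = []
        # Volume spike relative to the user's own history (min_bytes avoids noise for tiny users).
        if window_bytes >= min_bytes and window_rate >= ratio * baseline_rate:
            reasons.append(f"egress {window_rate / baseline_rate:.1f}x baseline"
                           if baseline_rate else "egress with no prior baseline")
        # Where the data went matters as much as how much went.
        if unmanaged[user] >= min_bytes:
            reasons.append("bulk transfer to unmanaged destination")
        if not reasons:
            continue
        severity = "high" if user in DEPARTING_USERS else "medium"
        findings.append({"user": user, "severity": severity,
                         "window_bytes": window_bytes, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_egress_anomalies(parse_log(SAMPLE_LOG), as_of=date(2023, 1, 7)):
        print(finding)
```

Run on the constructed sample, alice's steady uploads to managed storage produce nothing, while bob's two large transfers to personal cloud storage and removable media in the last two days trip both checks and, because bob is on the departure watchlist, are reported at high severity. In practice the baseline and window would come from the real DLP or endpoint telemetry and the watchlist from the HR system; the point of the design is that the two signals the post calls for, likelihood of unauthorized movement and visibility into destination, are evaluated together rather than in isolation.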
As we look ahead to 2023 and beyond, how we address Insider Risks has to improve. Cybersecurity teams will have to take more proactive measures, knowing that the increased compliance levied on them will not suffice.