LONG READ

CybSafe’s 2023 security awareness predictions

Introduction

Another year, another series of year-end round-ups and predictions from industry voices. The truth is, what 2023 has in store for us is anyone’s guess—but we’re here to make an educated one.  

To round out our analysis, we’ve put together a powerhouse of a panel for our free, 2023 predictions webinar. The webinar will be hosted by CybSafe CEO & Founder, Oz Alashe. He’ll be speaking with Jinan Budge, Principal Analyst at Forrester; Lance Spitzner, Director at SANS Security Awareness; and Janet Roberts, Global Head of Security Education and Awareness at Zurich Insurance. This is not one you want to miss.

Of course, where there’s malware, there’s media. So, gear up for some sensationalist reporting. You know, the kind that makes organizations consider paying a ransom in a bid to keep a low profile, and stay out of the papers.

To be clear, ransomware, wiperware, and any other type of malware are preventable. It starts with some basic cyber hygiene: network segmentation, backups, regular patching, and vulnerability assessments.

That’s just the technical stuff. A key part of any organization’s cybersecurity defense is its people. When people feel empowered to identify and report security incidents—they do. 

But that kind of culture change doesn’t come from security awareness training. It’s the product of management taking time to understand security behaviors—why people do what they do, or don’t do what they’re supposed to—and how to influence them.

MFA is really going to blow up

Not in a good way. According to data from “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022”,

43% of participants had never heard of multi-factor authentication (MFA). The report is available, for free, here. 

So, while MFA adoption isn’t expected to shoot up in 2023, MFA bombing is.

An MFA bombing, or ‘MFA fatigue attack’ is when a criminal spams a target with multiple verification requests until the target eventually gives in and approves one. It’s a little like being in a family group chat and not being able to switch off the notifications.

In other words, they are designed to wear people out. And that’s just what the Uber hacker did.

2. Governance and the Analysts

Generally, security professionals can consider themselves lucky if they get to see more than a couple of major policy changes before they hit retirement. If you’re looking for an excuse to pop some Champagne, here’s what you need to keep an eye on:

Resilience and privacy are coming in hot

While cybersecurity law will likely continue to focus on the “technology” aspect of the People, Process, and Technology framework, we’re seeing ‘cyber resilience’ take center stage.

Cyber resilience is an organization’s ability to cope with unforeseen incidents, both malicious and accidental, that can cause harm, destruction, or loss of ability to serve customers.

Be it in financial services, insurance, technology companies, law firms, manufacturing, retail, or healthcare—the concept of cyber resilience will become more relevant.

Privacy laws will also continue to develop, albeit slowly. The aim will be establishing comprehensive data protection frameworks to address “security relative to risk”. While we realize nothing is likely to materialize in 2023, it’s still worth keeping one ear to the ground on developments to privacy legislation. Remember when GDPR surprised people?

This is key to enabling organizations to drive security through the dynamic and agile aspect of human-layered security, rather than through more traditional technology- and policy-focused approaches.

A government agency will put its money where its mouth is

In July of 2022, a certain report sent shockwaves through the industry.

The report confirmed something that has been an open secret for a long time: security awareness training doesn’t change security behavior. 

We know, we know. This is nothing new.

The report, “Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study”, was penned by the US National Institute of Standards and Technology (NIST).

The fuss was not about what was said. It was about who said it.

NIST is a US non-regulatory government agency. It’s responsible for providing the NIST Cybersecurity Framework—a list of recommended security controls for information systems at federal agencies.

The standards are endorsed by the US Government, and compliance with the NIST framework is a top priority for US organizations because it helps them comply with other regulations like HIPAA, FISMA, and SOX. In other words, it unlocks business.

And…an industry heavyweight stirs in the deep

In 2022, Forrester led the charge away from traditional “tick-box” approaches. It ran headfirst towards more holistic ways of quantifying human cyber risk. Forrester’s recent blog, “A Sneak Peek Into The Future Of Security Awareness And Training”, gives a taste of what’s to come.

Unsurprisingly, its work aligns with the NIST findings, and shines a light on the future. Hint: it involves using tools like SebDB to measure security behaviors instead of compliance metrics.

Forrester will continue its work in 2023, no surprises there. But, they might not be alone…

In March 2022, Gartner gave its strongest indication yet that it’s taking greater interest in the human cyber risk space.

“Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns.”

It’s the clearest sign so far that Gartner is solidifying its view on the changes to the market. It’s enough for them to be taking an active interest in the category, renaming it, and possibly pulling together a Magic Quadrant in the next 12-24 months.

When it happens, it will be fantastic news for the industry.

Analysts help level the playing field by cutting through vendor marketing spin (we know, we’ve been through the process several times!), giving organizations the unbiased information they need to make objective choices.

Insurers will cozy up with human cyber risk vendors

In September 2022, Coalition announced a partnership with Curricula. Curricula is a security awareness training provider. And Coalition is an insurance company that looks to prevent digital risk before it strikes.

The partnership sees Coalition policyholders receiving free security awareness training directly through Coalition’s cyber risk management platform. In addition, Coalition is offering lower cyber insurance premiums to every policyholder with an active security awareness training program in place.

Another notable development has seen major Japanese insurance providers bundle KnowBe4 security awareness training into their cyber insurance offerings. We expect to see more partnerships in 2023.

Before we continue, let’s stop for a breather, a cup of tea (or, if you’re stateside, a mug of Joe), and a recap.

In 2023, the rapidly changing threat landscape will drive policy makers to reconsider legislation and guidance—something the Analysts have been predicting, and calling for.

The Analysts will keep pushing organizations towards more holistic ways to manage behavioral risk.

And cyber insurers will respond by; partnering with vendors to help their customers manage risk; and by refining policy-payout terms, to help themselves.

But what does this mean for you, and your organization?

In the next two sections we’ll give it our best to keep you ahead of the pack. 

Onwards!

The war on simulated phishing rages on

Some organizations will continue running phishing sims with no consideration for their employees’ well-being. As long as it ticks their compliance boxes.

Others will reel it in (we’re so sorry), and, with an emphasis on proving value, they’ll consider the “so what” of clicking. So what if people click? What caused them to click? What factors influenced them the most/least? What did they do afterwards?

In short, organizations looking to get more out of phishing sims will turn to more nuanced, considered approaches.

Mind the gap

Organizations will actively look for professionals to manage their growing human cyber risk. And while Security Awareness Manager positions will be created in many medium to large organizations, a lot of them won’t be filled.

This could lead to a surge in organizations adopting security service providers, and placing more emphasis on upskilling employees.

We’ve even heard rumors some organizations are looking into the concept of ‘zero trust’ as a way of reducing human cyber risk. 

Could this lead to organizations reducing their spend on behavioral risk and/or security awareness and training, in favor of implementing zero trust architectures? We’re a little less sure on this one, but we’re not ruling it out!