Data security predictions for 2023 – APAC
This post is related to a recent webinar I hosted.
2022 in review
2022 was a landmark year in the data security space globally, but it seems like it was the year that things really hit close to home for us here in APAC.
Where 2021 was huge in the northern hemisphere, with JBS Meats, Colonial Pipeline and Kaseya, 2022 saw a large number of high-profile breaches across APAC.
From Bunnings, Medibank and Optus in Australia, to AIIMS and Indian Railways in India, there was no shortage of large-scale attacks that caused immense harm to organisations and to the victims who had their data taken.
A common theme for most of these attacks is that they were not particularly sophisticated. In many of the recent breaches, attackers simply logged in to the target network with stolen credentials, or accessed an open API.
Looking ahead at 2023
I recently ran a webinar where the panel and I discussed predictions for the year ahead in the data security landscape.
In short, attacks are increasing because it pays well - ransomware operators are running a successful business and will continue to cause havoc.
This will result in further legislative change in the region, as well as an increasing appetite for regulators to utilise their enforcement powers.
Data extortion to increase
Ransomware operators have been profiting handsomely from their criminal actions in the region, and we'll see a rise in attacks in 2023 - there are still large numbers of businesses with inadequate defences that prove to be an easy target. Most cybercrime groups are operating out of regions with little to no ability for foreign law enforcement to take action, so their actions will likely continue unabated for some time.
Attacks against centralised services to increase
Why go after a small organisation when you can target a centralised cloud or IAM service, and take vast amounts of data? The Shared Responsibility Model means that cloud service consumers are completely responsible for the security of their data, yet we know that cloud systems and data are difficult to secure, and under growing threats of attack.
Supply chain attacks
Between SolarWinds and Microsoft Exchange, this style of attack has proven to be extremely effective. Open source software is also a risk here - malicious code can very easily be introduced to a common software library used by many. See what happened when a previously unknown bug was found in Log4j in late 2021 - chaos.
Targeted insider threats
Traditional insider threats were disgruntled employees, perhaps one leaving for a competitor. But with groups like LAPSUS$ bribing your employees for network access, and with economic conditions making those employees far more likely than ever to take that bribe, it's a whole new world. This type of attack will likely grow significantly in 2023, because it works, and it's hard to detect.
APIs and keys / secrets will be a major target
2022 saw significant attacks against services that hold application keys and secrets. These private keys and passwords stored in services like GitHub are just one piece of very low-hanging fruit.
Increased regulatory scrutiny
Businesses in the region have been put on notice. In Australia, the maximum penalty for a breach of the Privacy Act has risen from $2 million to 30% of adjusted annual turnover, or $50 million, whichever is higher.
Ransomware and data breaches have become dinner table conversation, and public sentiment is very much behind the recent legislative changes. The next big breach in Australia will see action from an emboldened regulator with increased funding and powers.
The rest of the APAC region has seen sweeping changes in this space too. Many of the major economies in the region, bar India, have recent and comprehensive data privacy legislation, with increased penalties on offer to regulators.
CISOs must do more with less
Economic conditions as we enter 2023 have become extremely challenging for all businesses. Many CISOs and CIOs are looking at all potential options to cut costs, including vendor optimisation and automation. Security teams will need to be able to meet their regulatory and reputational requirements to their stakeholders and customers, without any significant increases in budgets. Systems that automate and make sense of the noise will be crucial.