We recently spoke with Red Sift Special Advisors Mark McGovern, Venture Partner at Sands Capital Ventures, and Homaira Akbari, President & CEO at AKnowledge Partners LLC, as well as Dr. Rois Ni Thuama, Tech100 Women Winner and Red Sift Head of Cyber Governance, to uncover the emerging cybersecurity trends and risks that should be top of mind for both practitioners and enterprises in 2023 and beyond.
In this blog, McGovern, Akbari, and Ni Thuama draw on their interactions with other experts, customers, government officials, and more, coupled with their various areas of expertise, to share four key areas of focus and concern across the cybersecurity landscape this year.
1. Fraud Becomes (Too) Familiar
Akbari, an award-winning thought leader in the sectors of Cybersecurity, the Internet of Things, Supply Chain Visibility, Artificial Intelligence, and Enterprise Software, kicks off the conversation with the topic of fraud, saying, “Fraud will become a new category of cybersecurity as fraudsters move deeper into cyber and digital channels,” and McGovern agrees.
“Fraud and brand impersonation is growing at an outrageous rate as it’s become considerably easier for criminals to launch these types of attacks,” says McGovern. Based on his experience developing covert and clandestine communication systems for the CIA, McGovern knows that fraudsters are no longer limited to robbing susceptible individuals. He notes that “Instead they can now engage and exploit millions of victims digitally from the other side of the world without spending a dime by using the same communication channels that we use to talk with friends, employers and brands - email, social networks, and SMS.”
“Fraud will become a new cybersecurity category as fraudsters move deeper into cyber and digital channels.” - Homaira Akbari, Red Sift Special Advisor
What’s worse is that fraudsters have the ability and incentive to be far more innovative and clever than any legitimate business.
According to McGovern, “Fraudsters make money by being creative and by luring victims in with enticing seemingly unbelievable claims that they never have to follow through on. They love to use new technologies and apps because there are no norms for users to tell what’s legitimate or expected from them. Additionally, fraudsters love to move fast. In fact, they have to move fast, because they need to avoid being tracked by law enforcement or blocked by systems operators.
“Fraudsters will over the coming years devise new and more clever ways to masquerade as well-known enterprises and brands. That’s not a prediction. It’s a certainty.”
2. Automation is a Fraud-Multiplier
Digging deeper into the topic of new ways that fraudsters will be able to attack enterprises and brands, McGovern points to automation as a key way for attackers to steal even more in 2023, but he notes that’s not the biggest risk for enterprises and brands.
“It’s easy to see how online thieves will likely use advances in chatbot AI technology to automate email conversations with their victims. These AI-generated conversations will appear authentic and may be hard for even cybersecurity professionals to recognize because they’ll include data about the victim and the brand being impersonated.”
McGovern continues, explaining that fraudsters can augment their AI and automation processes further to improve efficiency. “Fraudsters can automate the process of identifying brands that can be easily impersonated using domain and register scanners. Then, using standard scripting engines and cloud infrastructure APIs, they can automatically register domains, stand up servers, and launch email campaigns that engage unwitting victims who would otherwise be great customers of these brands. These campaigns they launch will be highly automated and require little to no action by the fraudsters.”
Sadly, the victims caught in these campaigns - from local mom-and-pop businesses that have almost no online presence to global fashion brands who spend millions on their digital reputations - will be lured into a variety of traps that include harvesting payment information, identity theft, and using them as unwitting players in money laundering schemes. Once hooked, the victims are merely an asset that the fraudster can exploit, sell to other criminals, or toss back.
However, McGovern emphasizes that the real damage will be to corporate brands and reputations. “Users and potential partners will lose faith in brands and be skeptical of companies that were impersonated by the fraudsters. People are naturally reluctant to engage with brands or enterprises that are associated with fraud in any way. It doesn’t matter if they were the victim - or it was someone else who was defrauded.”
3. Regulatory Pressures Heat Up
In addition to fraud, McGovern and Ni Thuama point to emerging cybersecurity standards and regulations as pain points for enterprises in 2023. As a result, both expect to see many more enterprises addressing issues like email spoofing and domain impersonation.
Following the introduction of the new cybersecurity rules by the US Securities and Exchange Commission, it is likely that other market regulators will follow suit, looking to provide investors with the same level of visibility, clarity, and confidence.
According to Ni Thuama, an award-winning doctor of law and subject matter expert in corporate governance, cyber governance, and risk management, “Savvy investors will seek out the safest markets that will prompt a race to the top. As it stands the US has a first-mover advantage. In 2023 expect to see market regulators climb on board that regulatory train.”
In Europe, the Digital Operational Resilience Act (DORA) officially passed into law in the Fall of 2022, but Ni Thuama says the countdown clock for enterprises to implement has started ticking.
“Undoubtedly we will see businesses that fall within the scope taking significant steps to comply with their legal obligations with the most mature organizations taking the lead. A critical catalyst likely to prompt the accelerated adoption of best practice lies in the fact that penalties for failing to comply include criminal sanctions.”
4. International Risks
Akbari brings our conversation to a close with thoughts on Nation States and organized crime networks, saying, “The overall frequency and sophistication of all types of cyber-attacks from these groups will increase over the next year.”
For example, as Russia runs out of money because of biting economic sanctions, runs out of resources in their war on Ukraine, and runs out of allies, options, and possibilities, Russia will refocus its attention in the digital world.
Ni Thuama elaborates, saying, “Businesses will be dealing with an uptick in cyber attacks. Targets are likely to be US critical national infrastructure as well as US commercial interests in the US and abroad.
“In all likelihood, US companies will treat the threat of accelerated Russian activity as severe and seek to manage exploits, particularly addressing angles of entry known to be used by Russian organizations. Firms with a more sophisticated cybersecurity posture will likely mandate minimum standards for their supply chain to defend their business.”
Secure your organization in an emerging threat landscape
The cyber threat landscape is complex, and it’s important that businesses are taking all appropriate measures to harden themselves against threats.