Tuesday, 31 January 2023 Cyber attacks accelerated in 2022, further highlighting predicted changes to cybersecurity awareness and operations. In this publication, cyber experts Brendan Read reviews the firm’s 2022 cyber predictions and discuss the evolution of cyber threats and resilience into 2023. “As we predicted, 2022 saw greater momentum around the introduction and evolution of regulations and guidelines to foster and drive a national uplift in cyber defences across industries.” Cyber related legal action came into the spotlight with Federal Court action taken by the Australian Securities and Investment Commission (ASIC) against financial institution RI Advice, alleging cybersecurity failures. Cybersecurity governance evolved, with benchmarking and guidance established by the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre. The accountability of C-suite and senior level executives was further reinforced, and the human element of cybercrime was highlighted through employee-driven data breaches. “Heading into 2023, it is clear organisations will face new and more insidious methods of data theft, operational disruption and reputational damage.” We predict cybersecurity threats will continue evolving. With more sophisticated artificial intelligence (AI) and deepfake technology, threat actors are likely to further exploit the human element. We expect critical infrastructure and senior level executives to remain lucrative targets due to their potential for extreme disruption or access to highly sensitive data respectively. Alongside this, we also predict a modernisation of privacy laws and even tougher penalties for organisations failing to protect their systems and data. Increased insider threats and vulnerabilities: the human element “Most cyber attacks exploit a human element.” While mistakes are commonly made due to deficient cybersecurity awareness, we are also seeing malicious threats increasingly instigated by internal stakeholders, such as a disgruntled or opportunistic employee or contractor. The human element will further drive accountability of business leaders and industries to recognise and mitigate these threats and vulnerabilities. Critical infrastructure threat expands to Internet of Things Critical infrastructure has long been on the radar as a highly attractive target. In 2023, we expect threat actors will further exploit vulnerabilities in Operational Technology (OT) and the Internet of Things (IoT). Following notable hacks on modern Tesla1 and Jeep Cherokee2 vehicles, global authorities are looking to regulate the use of these technologies in these and other critical systems, such as medical devices, to further mitigate risk. AI: the double-edged sword The evolution of AI, in many ways, has been beneficial to society – from improving systems to help with fraud detection to those now providing mental health support, legal advice and medical diagnoses. There is no doubt, however, that the technology can be exploited with ill intent. While ChatGPT has shown potential to help students to cheat on assessments3 and deepfake technology is proving an increasingly concerning threat. Used to impersonate trusted individuals, we expect deepfakes to become more convincing, tricking victims to complete online tasks that lead to significant data theft or other disastrous consequences.4 Prepare for rising cybercrime during economic downturns Historically, an economic downturn also sees a rise in crime rates. We expect to see the same with cybercrime in 2023 as economic hardship is predicted to continue. Cybercriminals will continue to operate with the anonymity and lower risk of capture afforded to them online. Consequently, organisations will need to balance cyber-vigilance with budgetary constraints - efficiency will be key. Tougher privacy laws support the shift to data minimisation We are seeing a heightened attention to penalties for serious and repeated data breaches. Through legislative reform, we are seeing tougher reporting requirements and penalties for cybersecurity failures. These developments, however, also elevate the lucrative nature of stolen data. As a result, we expect organisations will move from a ‘more is more’ approach to data to minimising the data stored and, thereby, at risk. 2023 is the year organisations need to be more cyber smart than ever, not only focussing on defence but also effective response. Cybersecurity resilience, harm reduction and reputational protection will need to be at the forefront of every organisation’s mind in coming months. Download the full publication below. Download Publication 1 Grace Kay, A 19-year-old security researcher describes how he remotely hacked into over 25 Teslas (January 26 2022) Business Insider <https://www.businessinsider.com/teen-security-researcher-describes-how-he-hacked-into-25-teslas-2022-1> 2 Zach Guzman, Hackers remotely kill Jeep’s engine on highway (July 21 2022) CNBC <https://www.cnbc.com/2015/07/21/hackers-remotely-kill-jeep-engine-on-highway.html> 3 Lauren Croft, ‘Authentic’ law school assessments to combat use of ChatGPT to cheat (23 January 2023) Lawyers Weekly <https://www.lawyersweekly.com.au/newlaw/36513-authenticlaw-school-assessments-to-combat-use-of-chatgpt-to-cheat> 4 Alice Cumming, ‘Increase in very convincing AI-generated deepfakes’ causing rise in fraud expert hires in 2023 (January 18 2023) Business Leader <https://www.businessleader.co.uk/increase-convincing-ai-generated-deepfakes-causing-fraud-expert-hires-2023/>