Reflections on Cybersecurity Events from 2022 and What to Watch for in 2023
Hear from CyberGRX staff as they reflect back on the notable cybersecurity events from the year, key takeaways, plus what should be on your radar in 2023.
Log4J - One Year Later
Of course, no one can forget how the year started, with the fallout from the Log4j vulnerability, one of the most widespread security vulnerabilities in recent history. While developers at Apache scrambled to quickly release patches, 25% of downloads today are still the vulnerable version of the software, an endemic problem attackers will exploit for years to come. Reflecting back, what could have been done differently? Caitlin Gruenberg, Director of Solutions Engineering at CyberGRX, says the Log4j incident shouldn't have caused as much panic as it did. She says if companies had been constantly evaluating and reevaluating their cybersecurity systems, looking for vulnerabilities in their own systems and those of their third parties, the fallout from the Log4j hack could have been significantly less dramatic.
Attacks on Critical Infrastructure Around the Globe
This year also brought a disturbing number of cyber attacks targeting governments and critical infrastructure around the globe. Russia launched numerous cyber attacks as part of the ongoing war in Ukraine, in an effort to disrupt military intelligence and humanitarian efforts. Mid-year, Costa Rica went on lockdown following a month of devastating ransomware attacks. Australia was also hit hard this year, with attacks on some of the country’s largest service providers, including Medibank, Optus telecommunications, and Energy Australia. And let’s not forget the attacks taking down 14 US airport websites, including New York, Chicago, Atlanta, Denver, and Los Angeles. CyberGRX CISO Dave Stapleton says it comes as no surprise that governments have ramped up cyber programs significantly in the past year. In 2023, he encourages organizations to participate in public and private partnerships, and to engage in industry-focused information sharing groups (ISACs). He also hopes governments will incentivize good behaviors, such as adopting additional security tools, rather than issuing punishments when a breach does occur.
2022 was also a year in which many CISOs and security professionals resigned from their roles. Both the CISO and CPO at Twitter resigned after the social media giant was purchased by Elon Musk. Additionally, many CISOs at the state level have stepped down to pursue other opportunities. We’ve previously addressed the question of why CISOs are resigning, but now we have to ask: what is the impact of their resignations? “The resignations are a sample of a larger trend,” according to CyberGRX CEO Fred Kneip. When significant events occur, there is always a consequence. Kneip cautions organizations, “If a company was well equipped to defend against security threats a year ago, they may not be as well equipped now with reduced security staff. This will have a ripple effect across the ecosystem of vendors. Organizations can no longer assume that an organization is in good standing in regards to risk and will need to reassess the security posture of some of these third parties.”
Layoffs and the Operational Security Impact
Indeed, 2022 had its share of resignations, and layoffs, too. Most recently, we saw small and large organizations make reductions in their workforce as they prepare for an uncertain economy ahead. The impact of these company layoffs is creating a new operational security concern, too. CyberGRX Chief Product and Technology Officer Frank Price explains that organizations should be watching for an increase in orphaned accounts and a higher risk of insider threats in 2023. Additionally, for those organizations that may still have layoffs coming, he advises them to consider how devices from remote employees are being wiped prior to shipping, so that the devices cannot be intercepted and sensitive data exfiltrated, creating a larger concern in the new year.
Controversial Decisions and Ethics
Finally, 2022 had its share of murky situations that tested one's ethical compass, according to Brianna Groves, a Security Engineer at CyberGRX. Examples include Joe Sullivan’s cover-up of the Uber breach and Pieter Zatko’s whistleblowing on Twitter. Per Groves, “The fortuity of those events gives us an opportunity to examine moral politics. The Uber and Twitter decisions are positioned at clear ends of the spectrum. A CISO's responsibility is to develop and implement a stable information security program, but security leaders are constantly challenged by patterns that might put them in a morally compromising position. Pressure from executives and board members, the quiet assumption of termination on the heels of a security incident, or the expectation of solely taking the blame and public criticism for an incident, are some examples that might provoke unethical actions. The complexity behind what motivates morality one way or the other weighs heavily on decisions as well,” Groves says.
Goodbye 2022, Hello 2023
And so, with its ups and downs, we say goodbye to another year. We’ll see what 2023 holds for us all, but until then, we wish you silent nights, an uneventful holiday break, and confidence in your third-party risk management program throughout the new year.
Set yourself and your organization up for an efficient 2023 and renewed confidence in your TPRM program. Check out what our Risk Exchange offers you and the impact it will have on your productivity and risk management. Book your no-obligation demo now.