Cybersecurity in 2023 & Beyond: What to Expect and What Can Be Done

In many ways, the Cybersecurity industry is sitting at a crossroads. Over the last 5 years, we have seen astronomical growth in the number of cyber-attacks, successful breaches, $ damages and individual victims. Worse still, the higher these numbers climb, the more likely they are to grow further. That’s because, year after year, it becomes more apparent how much there is to gain from committing cybercrime. It’s as if we’re on a runaway train and, unless we alter course soon, we’re bound to see some of these events occur:

Things will get a lot worse before getting better

Firstly, and most obviously, we are going to see a rise in $ damages and total quantity of victims from said attacks. Yearly damages from cybersecurity incidents are expected to grow from $8.44 trillion in 2022 to $23.84 trillion by 2027. This unsustainable growth rate is more than enough justification to revisit the way we protect data. Unfortunately, though, there are more pressing issues to worry about.

Cyberwarfare spilling over

State sponsored cyber-attacks have been in the news lately taking a central role in the Russia-Ukraine war. For years, Russia has been seen as the primary cyber agitator but that may be about to change as the political, militaristic, and economic benefits of state-led attacks become clearer. We expect Iran & China to take Russia’s place as tensions between them and the West continue to sour.

Cyber Insurance to become redundant

For businesses, we’re foreseeing the end of insurance against cyber-attacks, at least one offering any meaningful recourse. The rising severity and frequency of attacks together with the exploding liability associated with privacy breaches will push insurers loss-ratios too far up, leading insurance to become either absurdly expensive or impotent. Comparing this point with the previous, it may seem like small fish, however, it’s anything but. Without the protections provided by insurers, it is highly likely that high-profile cyber-attack-related bankruptcies will start to occur. In Australia, Medibank is already at risk of succumbing to this fate after their recent breaches - with speculation that the associated class actions could cost $billions, just shy of their entire market cap. Without meaningful insurance cover, it is feasible that organizations even the scale of Medibank could end up being the first of many to implode.

A GPPR-esque federal US privacy law

Onto social media, an area increasingly embroiled by foreign policy tensions. TikTok is under increased scrutiny by Western governments for fears regarding the data they collect on its users. Increasingly more governments have been banning the app from government phones and we do expect a total ban of the platform if TikTok does not respond with progressive change. On a more positive note, we do expect the trend of increasing consumer-focused privacy regulation to continue, with the US adopting a federal law like the GDPR. This would be good news should it occur, but there is always the risk that overextended regulation will hinder innovation as we are now currently seeing in the EU.

Zero Trust models are not Zero enough

By and large, our view on the future of cybersecurity is grim. However, slowly but surely a movement is forming towards a Zero Trust Cybersecurity model which can turn the tide in favour of the defenders. The US’s new cybersecurity budget and strategy plan favours Zero Trust security. Moreover, companies such as Viasat Inc, Lenovo and others are all starting to make the switch. The team here at Tide Foundation is more than glad to see that change is happening, and even more proud to be a part of it, but the shift is neither nearly fast nor deep enough. Also, it must be said and acknowledged that in the shift toward Zero Trust cybersecurity, we’re tending to concentrate authority in key individuals and core systems that act as the final arbiters of authority in the Zero Trust architecture – Ironically, the unavoidable need for blind trust in those people and systems remains an Achilles Heel in virtually every system. A vulnerability that we’re working to remove, by allowing platform developers (e.g. Identity & Access Management Systems) to lock down systems with keys no one will ever hold.

A fundamental change is required to enable Zero Trust to be true to its name

If there’s one thing that’s clear from today’s escalating cyber-breach reality it’s that the current paradigm is broken and unless something fundamentally changes, it’s just going to get worse. The Zero Trust model is based on an important new concept that requires us to revaluate trust in digital systems, and perhaps anywhere generally – and we absolutely agree it’s the way to go. The move towards Zero Trust is very promising, but currently just moves the needle only slightly, leaving a lot of problematic blind-trust on the table. We must keep pushing that needle further until Zero-Trust is truly zero.