What's next in 2023 for Cybersecurity?
As we find ourselves nearing the end of 2022, the question is being asked - what's coming in 2023? From regulations, digital identities and the battle of reality - we asked our experts their thoughts on what's next for cybersecurity.
Self Sovereign Identities on the Rise
2023 will see the first digital identity wallet supporting trusted cross-EU border transactions where consumers will have ultimate control of where and how their electronic identity will be used. The introduction of wide-scale use of self-sovereign identities will be the biggest factor in driving the democratization of consumer/citizen identity globally.
• Driven by an expansion of the 2014 eIDAS regulations, and further with the September 2022 release of the eIDAS 2.0 - Toolbox European Digital Identity Framework, innovation will rapidly advance with the promise of cross-EU border digital identity interoperability.
• Expect transformational societal impact through the introduction of wider applications and consumer adoption, as emphasis on usability as well as increased privacy has been built in by design.
• Consent will be key to increasing consumer privacy protection, especially around how and where their data will be used or shared.
• Digital wallets will be the de facto method for users to Bring Their Own Identity (BYOI), supporting a wide range of commercial and government use cases including bank account set up, proof of adequate age (without sharing exact birthdate), accessing medical records, and interacting with government services, to name a few.
• Considering mobile device and cloud applications will be prevalent methods for access to digital wallets, the importance of mobile and cloud cybersecurity will only increase.
Messaging Tools are Gaining, but Email will Still Remain Popular in 2023 – and Beyond
In my almost 20-year career in the IT world I have been exposed to a lot of predictions. Even though some of them were wrong (inevitable), they still triggered interesting discussions and thought processes. One of these was made in Germany at the it-sa trade show by one of the collaboration platform providers in 2018. “Email will be gone in the next five years,” they stated and seemed convinced their statement would come to fruition.
Now, looking back at these last five years there have been changes in the way we communicate. Messaging services and apps are used more and more in the business world, such as Microsoft Teams, making email more reserved for internal communication.
But why is it that there are 4 billion daily email users (and climbing)? One of the answers is hidden in the last paragraph. It's messengers, in the plural. Every company uses the messaging tool of their choosing. Even if the same messenger is in use, admins are afraid of opening this communication platform to external parties as they are afraid of creating a new attack surface.
So even after 50 years, going into 2023 email will remain one of the few communication standards where we can reliably exchange information worldwide. As long as it is secure and reliable, I wouldn't expect major shifts for years to come.
Virtual Reality, Augmented Reality and Mixed Reality: Who will be the Winner at the end?
Future technologies such as Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality are all considered to be areas of tremendous growth. Several tech giants like Meta, Microsoft, Nvidia, Alphabet, Qualcomm and even Apple have already chosen their side and are investing workforce, time, and money in them.
Meta, the parent company of Facebook, which we have seen appearing quite often in the news lately, is a firm believer that the metaverse is the ‘new big thing’ and is investing billions of dollars to make Mark Zuckerberg’s dream come true. This 3D VR immersive world is the new hype and is slowly but certainly shaping up, although some might wonder if these platforms will ever be populated with more than marketing teams and GAFAM developers. Currently, opinions are mixed, so it is wait and see for the time being.
Apple, on the other hand, has pinned all its hopes on AR, where a user can put on some form of glasses and live in a world where his/her/their real-world is visually augmented and where data, information and other details are superimposed on it.
With the enormous investments being made by these tech firms in the different worlds/technologies, we may, in 2023, see these forms of technology being further integrated into our lives. Training, education, marketing, entertainment, and medicine (e.g. surgery) all have huge potential, which still needs to be discovered and developed. We might still be several years away from when all of these “realities” are well established, but 2023 should give us a good view of where we are heading.
What Does PSD3 Entail and When Can We Expect it to Come into Force?
Open Banking has continuously developed in Europe since the launch of the Payment Services Directive 2 (PSD2) back in June 2016.
In May 2022 the European Commission (EC) published a targeted consultation to gather evidence for its review of PSD2 and develop new legislation such as PSD3.
There are many areas of discussion about what PSD3 may look like. No matter what, it will amend current legislation to make payments faster and safer while aligning better with the EU's legal framework. Some indications of what could be addressed:
• Unregulated activities such as transactions using crypto assets, buy-now-pay later services, operating payment systems, digital wallet service and payment processing services
• Changes to strong customer authentication (SCA)
• Tackling fragmentation in Europe more effectively by including a more precise and concrete specification of API standards, directory services and infrastructure
It is still early days for PSD3 but a top priority is to ensure a wide adoption of the highest level of security standards and cross-border European payment solutions. The appropriate bodies of the EC will review any questions from the consultation as well as any additional findings and work towards a draft of PSD3, which is expected in early to mid-2023. The adoption of this directive may be three to five years away until companies are forced to fully comply with it, but business leaders need to keep up with these new developments. We predict that companies will be investing in technology related to PSD3, and optimizing their digital practices to build efficiencies for their business.
Authenticating Identity will be More Important Than Ever
Without diving headlong into politics, Elon Musk’s opening salvo on Twitter saw him offer verification checkmarks for $8 and within hours the platform was banning and suspending imposter accounts – many for impersonating Musk himself. It’s become the most recent anecdotal example of just why the ability to verify the authenticity of something has never been more critical, especially when it comes to identity.
With every passing day, more and more of our lives become digital. In real life we have ID cards, passports and government documents that can authenticate our identities. On the internet things are still continuing to evolve. This is a problem that is especially acute in the world of cybercrime, where impersonating another individual is oftentimes the starting point of a much larger breach or attack.
This is why organizations work to secure their networks and devices by implementing a robust PKI; it’s why email security safeguards such as S/MIME are being reconsidered and more widely implemented, and why Europe is doubling down on digital signatures. And as we move into a new age of deep fakes and misinformation, where cyber threats will only become more dangerous and pernicious, the pressing need for strong authentication of identity will just continue to crystallize.
People’s Perception on Security and the CA Market will Change
In years past, organizations would implement very basic security software that required little oversight. Today, the situation is very different. Companies now understand their future is not so secure and rogue elements are becoming smarter by the day. New cyberattacks take place constantly, and IT companies and IT departments are struggling to contain them.
In 2023, we can expect to see a two-fold increase in security awareness, as well as products utilizing Public Key Infrastructure (PKI), but also cloud security more broadly, especially in developing markets like APAC and African countries as compared to the west. For example, some commendable work that we will see is in India, where the government has already been educating its citizens about the dangers that can lurk on their computers and phones. Because of this, people are increasingly becoming better educated on digital security, so this will continue to grow in 2023 and beyond.
In addition, there will be adoption of products which are easy to use, integrate well and can suffice for many use cases, taking the approach of “killing two birds with one stone”, as companies grow weary from having to rely on a plethora of security tools (there are just too many different products on the market, so it will be good to see a shakeout).
Certificate Authorities like GlobalSign will see skyrocketing demand, as they are compliant and are backed via reliable certificates.
Furthermore, we will see some new entrants to this market, especially operating systems (Microsoft, Apple, Linux) as they understand the need for centralized integrations through the Cloud. Some segments like ecommerce and defence will see huge demand. According to research firm MarketsandMarkets, we are sitting at around $130M in CA, and we will see this grow to $230-250M.
2023 Data Laws: Where Are we Headed?
Before we can consider what the next 12 months could have in store for us, it is important to recap the last year. So, what happened in 2022? Of course, we saw many cases, judgements and some enforcements. However, what really stood out were the changes and adaptations to the global legislative landscape. On the back of the very serious Medibank and Optus breaches, Australia is proposing a sweeping overhaul of data laws; in response to a widely misunderstood cookie requirements implementation by web developers, the UK is considering ripping up parts of the General Data Protection Regulation (GDPR); the California Consumer Privacy Act (CCPA) has triggered a snowball of other states reviewing their own rules; and many other nations are scrutinising their legal frameworks regarding data.
It is almost certain that 2023 will see both a continuation and growth of these activities. We are already witnessing data breaches featured on mainstream news and this will be a commonplace feature in the next year. As public awareness builds, so will the demand for and expectation of privacy and protection of information.
It is very much hoped that, even with its changes to local law (if they go ahead), the United Kingdom (UK) will retain its European Union (EU) adequacy decision. Should it lose that status, it will very quickly become clear how difficult it is to trade, communicate and interact with other nations, and it is for this reason that we will see countries whose data laws are outdated begin to review and update them to meet, at least at the conceptual level, the high bar set by the GDPR.
The area where the most, relatively speaking, seismic shift in data laws is expected is the United States. Here, the changes are multi-pronged and include the case for data protection laws at the federal level gathering pace. Historically, and to this day, there has been no unity or centralisation of a common set of principles in this area, outside of specific industry verticals (think FTC, HIPAA etc. here). The actions taking place in the open banking space will almost certainly mandate the move to this central, managed and aligned legislative cohesion, resulting in the by-product bonus of a privacy model which can span all states and all industries and be the vehicle for efficient and frictionless data transfers throughout the nation.
One of the biggest headlines for next year will surely be the new framework agreement between the US and the EU. Long awaited since the invalidation of Privacy Shield back in 2020, a replacement is hotly anticipated for the early part of 2023. It will, of course, take time for this to settle in and to be able to rely on it as a legal basis for transfer, but the hope for it to replace the current Transfer Impact Assessments (TIA) is high.
There are questions which are impossible to predict. Will the UK scrap GDPR and start again? Will Max Schrems instantly challenge the Privacy Shield replacement? Will political instabilities in certain regions derail policy in this area? Will more countries adopt data localisation requirements? There are some absolute certainties though – the importance of data protection will grow, awareness of data uses will heighten and data will become even more invaluable to fraudsters prompting organisations worldwide to continually monitor and improve their own infrastructure protection.
2023 will be a year to watch and hold onto your seats.
Automated Certificate Management will be an emerging driver in DevSecOps
In 2023 and beyond, security will no longer be a second thought in DevOps pipelines. It is only in the past several years that DevSecOps has emerged as an important segment of the overall DevOps industry. But given the massive increase in data breaches, phishing attacks and more, it’s abundantly clear that developers have to increasingly rely on tools such as automated certificate management for building security into their systems.
I say this because, to have a DevSecOps-centric approach, developers need to ensure that security is injected into every layer of the development life cycle, which is not possible without automated certificate management. Automating certificate management helps to ensure tight security in their development pipeline.
1. Visibility of Certificates - A centralised PKI infrastructure will help organizations track and manage their certificates, from committing the code on version control systems to the deployment.
2. Automation & Integration in CI/CD - With the help of the ACME protocol, it’s easy to configure and install certificates into the vicinity of the CI/CD pipeline.
3. Security Awareness & Enforcement - Automated certificate management infrastructure helps developers understand the security protocols, and they will be able to enforce certificates in their automated workflows to secure their end-to-end infrastructure.
So, organizations that want to build security into their systems must focus and invest more in automated certificate management.
Latin America’s Automation Industry Will Have to Implement More Cybersecurity Solutions Next Year
In 2023, Latin America's economies will begin recovering from a combination of impacts: the pandemic, economic disruption and cyberattacks. Taken all together, the result is that the region, which comprises 33 countries, will require greater productivity. Automation is the key, as it will optimize production in various industries such as automotive, agrifood and mining, which are the region's top sectors. Therefore, having access to computer security systems that allow for these technologies to be implemented efficiently is critical, but also a challenge for our region.
Fortunately, large corporations plan on investing in automation in the next year. According to the third edition of Futurum Research’s Now and Next Report, 77% of companies intend to enhance their investments in automation. Likewise, Gartner predicts that 85% of infrastructure and operations (I&O) leaders envision automating their enterprises within three years.
Automation processes use software and connectivity systems that are susceptible to attacks and, because of this, they demand implementations that address these vulnerabilities, so the production systems can be improved. In that sense, investments should be directed not solely at the automation process; companies should also take into consideration the security processes required to avoid any attack, in order not to jeopardize their productivity.
eIDAS 2: New horizons for the European digital identity
In June 2021, the European Commission presented a proposal aimed at reviewing the current directive no. 910/2014 (eIDAS Regulation) with the introduction of new changes to the electronic identification, authentication and trust services scheme (eIDAS 2).
These changes establish a new legal framework for the European digital identity and for the eIDAS regulation, aiming at the acceleration of the digitalization process for public and private services within a cross-border context.
The current directive did not contain a specific indication for "electronic identification" tools, consequently each state implemented one or more solutions without any interoperability or precise rules for mutual recognition.
By September 2023 the new EU digital ID must be made available to every EU citizen (or resident) and business; it will be used for both online and offline services across Europe and also for storing sensitive personal data (i.e. health related data) within a document.
The most relevant news and the key element of the new proposal is the introduction of the European digital identity wallet, a biometrically-secured identification and authentication tool.
The wallet will contain a PID (Person Identification Data) which stores the identification data and credentials linked to its identity. Through this wallet users will be able to prove their identity and share information across Europe.
This tool will certainly simplify and unify the identification procedure in Europe whenever a citizen needs to use a public administration service, e.g. enrolling in a university, filing tax returns, opening a bank account, requesting a birth certificate, accessing different medical systems etc.
The offer of digital identity wallets from mobile app providers is already increasing and at a certain point the European Commission will need to regulate the market offer.
The majority of citizens, as well as many private businesses, seem to be ready to adopt digital identification across the EU states for most of their services. But will the Public Administration also be ready to implement and adapt their systems? This is a question we may not find answers to for quite a while.
2023 will bring changes for remote working, cloud infrastructure and data security, and global collaboration
Every year we think we have a handle on what improvements and advancements in technology bring us, and how. In the last couple of years, we have seen huge wrenches, such as the pandemic and now the war in Ukraine, which have catapulted those changes and made us re-evaluate how we work, live and play.
The pandemic brought changes that have now stuck with us or that we are still learning to deal with, namely remote work and digital communication. This year the war in Ukraine has brought more change and concern, particularly about cyber warfare.
Remote Work - Phishing attacks are a pervasive security threat to the IT sector, with many people still becoming the victims of phishing emails. Not to mention, employees are using their personal devices for two-factor authentication, and they may well have mobile app versions of instant messaging clients.
Cloud Infrastructure and data security – Data breaches are costing more than ever and ransomware is more prolific every day in all areas of business, most notably the healthcare, finance and education industries. It’s not enough anymore to simply secure your website. Hackers are savvier than ever!
Global collaboration and digital signing - The global digital signature market is growing at a staggering pace. Most notable will be the launch of the EU Digital Identity Wallet (and eIDAS 2). In a nutshell, a digital signature creates electronic trust between individuals, companies, and government entities by standardizing electronic identification and signatures across the world. How quickly you can get business conducted domestically or worldwide, securely and within compliance guidelines, will determine your competitiveness in the marketplace.
The Mandates are Coming
After seemingly unending cyberattacks of all varieties, governments worldwide are starting to get itchy. As U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said in October, “If you’re a provider of tech, you’re responsible for providing a baseline of security in that tech.”
Just a month earlier, international cybersecurity leaders met at the WSJ CIO Network Summit. The Wall Street Journal headline about the September 21 event summed things up well: Cybersecurity Investments Are No Longer Optional, Officials Warn.
At the event, the chief executive for the UK National Cyber Security Centre, Lindy Cameron, said that “too often an organization wasn't prepared.”
The messages are pretty clear - changes are coming.
With that in mind, don't be surprised if the U.S. government – and others - announce some time in 2023 the intention to put mandatory cybersecurity regulations in place by 2025. The regulations will be viewed as a necessary evil to ensure that companies, both large and small, take necessary measures to put cybersecurity measures into place. Until cyber gangs are stamped out, such new regulations may be impossible to avoid. The good news is these regulations should help reduce cyberattacks. The bad news: like taxes, the new regulations will probably be in place for many years to come.