Robin Campbell-Burt, CEO at Code Red, discusses cybersecurity regulations in 2023 and how they will shape our futures
Cybersecurity is in the spotlight more than ever before. The UK government, like governments worldwide, has significantly increased the attention it gives to cybersecurity. In fact, in recent COBRA meetings, ransomware has been the dominant discussion point.
Increased interest by international governments in cybersecurity usually leads to one thing, and that is increased regulations. For example, the UK government confirmed in November that it will be strengthening Network and Information Systems (NIS) Regulations to protect “essential and digital services against increasingly sophisticated and frequent cyberattacks”.
What cybersecurity trends can we expect to see in 2023?
With cyberattacks showing no sign of abating and international governments continuing to announce new policies, regulations and advisories around cybersecurity, what can we expect to see in 2023?
Simon Chassar, CRO at Claroty, says that critical infrastructure will be one of the sectors under the most scrutiny and that many US regulations and advisories will be adopted by other nations across the globe in 2023.
“The US took the lead in implementing regulations after the Colonial Pipeline attack and Biden’s 100-day sprint initiative. We are now seeing other nations such as Australia, UK, Germany and Japan follow suit and implement their policies and regulations for critical infrastructure and healthcare environments.
“It’s not only governments themselves taking the initiative, but organisations such as NIST, MITRE, ISO and WEF have started to release advisories around critical infrastructure and operational technology (OT) security to increase their cyber resilience. These organisations will only increase their advice to major markets such as energy, oil, water and healthcare.”
Introducing risk tolerance in Europe
However, John Stevenson, Senior Product Director at Cyren, believes that in Europe governments will look to introduce a common risk tolerance rather than new legislation of the kind seen in the US.
“State and national governments tried to force good cyber hygiene by passing breach disclosure requirements like those found in GDPR, HITECH, and CA1386. In America, the federal government is telegraphing its intention to require a baseline of cybersecurity practices by announcing the Cross-Sector Cyber Performance Goals.
“The political divisions within most large Western economies don’t create fertile ground for new comprehensive cybersecurity legislation in 2023, but look for governments to establish a common risk tolerance for critical industries rather than let these companies decide for themselves which risks are acceptable.”
Stefan van der Wal, Consulting Systems Engineer, Application Security at Barracuda, says that whilst organisations are securing personal data, they are neglecting other areas of the business: “Some organisations have built very restrictive policies around data privacy. This is a good thing unless they start inhibiting business agility around data where no PII (Personally Identifiable Information) is involved.
“This can mean, for example, that organisations skip security measures that the compliance department thinks of as a data risk, whereas the real risk is not addressing the information security risk by implementing the systems that address them.”
Additionally, the challenge is not just introducing new regulations to improve the standard of cybersecurity but also making sure that businesses implement them properly. Compliance will become a major issue for organisations as government departments and federal agencies check that cybersecurity standards are being maintained.
Internet of Things vendors to work closely with government and agencies
Deral Heiland, Principal Security Researcher (IoT) at Rapid7, believes that Internet of Things (IoT) vendors in particular will work much more closely with governments and federal agencies.
“With an accumulation of IoT vendors seeking to grow their brand trust, I predict that in 2023 many will embrace voluntary product security standards to promote themselves above their competitors. I also expect IoT vendors to work more closely with federal and state agencies in an effort to set those security standards for IoT technology.”
Chassar also believes that enterprises will need a number of strategies to ensure that they meet cybersecurity regulations, and that this particularly affects cyber-physical systems: “The challenge for organisations in 2023 will be adopting these policies into their frameworks and corporate audit programs – it is the enterprise’s obligation to ensure compliance.
“As a result, cyber-physical systems cybersecurity will become part of a company’s corporate audit, and there will be a focus by decision-makers to ensure that it’s delivering the right outcomes of improving cyber resilience as part of digital transformation.”
Ultimately, cybersecurity regulations are going to continue to increase over the next year and will look to address several key issues. Whilst we have yet to see fully what international governments have in store for us in 2023, it is crucial that governments try to increase cyber resilience and that organisations implement the resulting regulations properly.
Written by Robin Campbell-Burt, CEO at Code Red