Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More
Data security is all about thinking ahead, and with an international cyberwar and a generative AI revolution underway it can be difficult for security leaders to anticipate how the threat landscape will evolve.
Recently, VentureBeat conducted a Q&A with Lisa Plaggemier, executive director at the National Cybersecurity Alliance (NCA), a former international marketer at Ford Motor Company and an ex-director of security, culture, risk and client advocacy for CDK Global, to discuss the top risks facing enterprise data in 2023 and beyond.
In this interview, Lisa shared her thoughts on the impact of the Russia-Ukraine war and cyber conflict, generative AI, quantum computing and API-based threats.
>>Follow VentureBeat’s ongoing generative AI coverage<<
Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.
Below is an edited transcript.
Q: What do you see as the top threats facing enterprises in 2023?
Plaggemier: “I think we’ll — for the most part — continue to see the same threats against the enterprise that we see every year. Ransomware attacks, insider threats, identity access and elevation, business/vendor email compromise attacks and other social engineering attacks aren’t going away. Homing in on 2023 specifically though, I think we’ll see the following:
New hacking targets
“Attackers are going to start to more frequently target industry sectors that have yet to adapt to better incident-response protocols. Healthcare, critical infrastructure and financial services, for example, have been grappling with these threats for much longer.
“So, although attacks there will continue — and sufficient deterrence measures have a long way to go — bad actors are now seeking out more nascent spaces to execute low-tech, high-impact attacks within education, gaming, aviation and automotive. In fact, we’ve already seen several high profile DDoS attacks in the latter two categories in the last months. Expect that to continue.
Rise of adversarial AI
“We’re likely to see cybercriminals using AI and ML models to create attacks that can eventually self propagate across a network or exploit vectors in datasets used to model ML frameworks. I think the generative AI arms race is definitely shining a light on how ubiquitous this technology is about to become. Attackers will naturally see that opportunities abound.
“For example, tactics could be as simple as using AI for deception (such as deepfakes and language-accurate phishing material) or as complex as creating and training AI to take malicious actions, make wrong decisions and collect and transmit user input data. In fact, there’s already evidence that hackers can infiltrate ChatGPT’s API and alter its code to generate malicious content — essentially skirting OpenAI’s moderation guardrails.
Vetting M&A risks
“Despite economic circumstances likely cooling down cybersecurity investment and M&A this year, private data will continue to happen at a high enough rate that proper due diligence within the industry will remain paramount.
“More consolidation and enterprise security adoption means that the cost of a cybersecurity breach has ripple effects in terms of financial losses and damage to a company’s reputation. There’s going to be a greater reliance on processes that can reduce breach risks and protect the bottom line.
“Increased third-party risk management will play a major role in recognizing downstream vulnerabilities ahead of an acquisition, such as assessing SaaS/data sprawl within an organization, past relationships with breached security vendors and solutions or an insufficient history of vetting partners.
“We’ll also likely see a much stronger reliance on ‘paper trail’ tools like a software bill of materials (SBOM) to offer a detailed inventory of the components that make up a piece of software as means of identifying potential vulnerabilities and ensure better security-by-design prior to an acquisition.”
Q: Any comments on how the Russia-Ukraine war will impact the cyberthreat landscape this year?
Plaggemier: “One of the main dangers of a prolonged conflict between both regions is the collateral damage and spiller effects of the cyberwarfare tactics both countries employ.
“Russia has long been classified as a major APT threat against the U.S. and its allies, and we could see threat actors — either from within the country or groups contracted outside of its borders — executing attacks on any sovereign nations allied against it.
“That includes an increase in attacks on critical infrastructure, including power grids, financial systems and transportation networks. We could also see continued use of malware as a vehicle for espionage and data theft, alongside disinformation campaigns designed to subtly shape public opinion on the war (that is, via social media propaganda, weaponizing far-right wing channels and opinion, fake news articles and deep fake videos).
“And we could very well see continued targeting of software supply chains to weaken the security posture of any organization, public or private, that allies itself with Ukraine.
“These threats have been front-and-center since the war began — we’ll just continue to have to defend against them the longer it goes on. Emerging technology like generative AI could potentially make that more difficult.”
Q: How do you see ChatGPT impacting the threat landscape?
Plaggemier: “I think the most prevalent attack vector that we’ll see affecting companies and consumers most explicitly will likely revolve around ChatGPT’s use as a vehicle for generating more effective phishing and social engineering attacks.
“Bad actors can use it to create more convincing spear-phishing emails and texts despite language barriers to fool folks into giving up their data, or design more accurate copy for spoofed websites, links and attachments.
“And since attackers have altered the GPT-3 API to set up a restriction-free version of ChatGPT, they can use it to code malware, help them identify the best way to position phishing links in an email and more.
“Perhaps the worst part, however, is that all of these resources are made available to low-level hackers on the black market for purchase, alongside any data these efforts have already captured.”
Q: How would you describe the role of the CISO in managing current threats?
Plaggemier: “Recent data shows that 88% of boards of directors view cybersecurity as a business risk, which means the role of the CISO is very quickly being elevated from a bearer of bad news to an advisor to the entire organization and its employees on better data security practices.
“CISOs will be held more accountable and be required to take on more responsibility for educating the C-suite and boards of directors about why there needs to be greater investment in security policies, procedures, resources and training within the organization. And to do that effectively, the modern-day CISO is going to need to know how to communicate in both a technical and business sense.
“The CISO will also be tasked with doubling down on reporting and managing an organization’s defense posture in the eyes of executives, auditors and leadership as it pertains to risk.
“Business leaders will increasingly see the CISO’s function as a business enabler (better security means less operational disruption), thus extending a CISO’s responsibility to wrangle network security on connected devices, data privacy, physical security, compliance, governance, network security and education — all without pulling teams away from their core functions.
“The role is evolving into one that regularly has to walk the tightrope with executive and security/IT teams. It’s more nuanced and complicated than ever before, especially given the world’s decentralized workforces and increased digitization.”
Q: How can organizations better manage API-based threats?
Plaggemier: “The latest T-Mobile breach was a pretty hard-hitting reminder about the dangers of API-based threats and a lack of vigilance on the part of a major company in minimizing that threat vector’s risk. I think there are multiple steps organizations can take to deter the success of these types of exploits, including:
- Taking inventory of all internal APIs to understand and address any potential vulnerabilities and ensure everything is well documented.
- Cross-reference inventory with top OWASP vulnerabilities (broken object level authorization, broker user authentication, excessive data exposure) and remediate accordingly.
- Implement better authentication and authorization protocols (such as the 0Auth 2.0 framework), validate and encrypt API requests to include only necessary information in user responses to minimize risk.
- Log activity on a regular basis and conduct security tests to find any unseen security gaps.
- Bring on a trusted vendor to improve API security standards in the long run and ease implementation company-wide.
“I also can’t stress the importance of more low-tech cybersecurity measures enough. These are more easily attainable processes that can offer a more solid foundation to build an effective security framework from.
“Processes like ensuring sufficient training protocols for employees to ID and minimize the success of BEC/VEC scams, implementing better identity access management solutions to regulate employee privileges around sensitive customer data and investing in data loss prevention and exfiltration measures, as well as instituting zero–trust policies for employees (always verify, never trust) can help shore up defenses without a major time or cost commitment.”
Q: Any comments on post-quantum computing threats and the importance of quantum-safe solutions?
Plaggemier: “I don’t think quantum computing presents an immediate cybersecurity threat in the very short term because the technology to facilitate true quantum computing capabilities just hasn’t caught up to the conceptual framework of what QC is capable of.
“That said, it’s not too far off to start thinking about what proper deterrence looks like, especially because the Biden administration has already begun looking at real-world scenarios and protocols with the Quantum Computing Cybersecurity Preparedness Act. The projection is that we’ll see quantum computing reach critical mass in the next 5 to 10 years — an inflection point for cybercriminals.
“Typically, bad actors aren’t using the most bleeding edge methodology to make schemes work. There’s a reason that low-tech, high-yield tactics still make up the core of the hacker’s toolbox — because those tactics still work.
“The same way threat actors are using generative AI to bolster those low-tech methods, is likely what we’ll see with quantum computing once it’s at a place that has more practical applications. That said, current cybersecurity technologies, awareness and legislation efforts all need to scale proportionately and quickly to create a framework that can be used to deter QC capabilities.
“Quantum computing will be able to break current encryption methods. The enterprise and the government is going to have to better understand that increased investment into quantum-safe cryptographic systems and quantum-resistant algorithms and protocols minimize code-breaking, data theft and financial losses.”
Q: What advice would you give to security leaders who are looking to enhance their organization’s security postures?
Plaggemier: “First and foremost, do the basics extremely well. Depending on the size of the organization, security leaders are likely burdened with limited resources, coupled with the continued talent gap in the cybersecurity industry.
“For example, SMBs likely have much smaller budgets to invest in vendor tech stacks or hiring massive SOCs, so security leaders need to do more with less.
“This means better education and awareness initiatives that are entrenched in business culture, training to identify the low-tech tactics that create costly breaches and ransomware situations, and investing in an MSSP in the absence of a more robust internal security team.
“Enterprise companies can see massive value from the same lessons. At the same time, they should ensure that CISOs are better empowered and equipped to bolster the organization’s security posture.
“Additionally, they can build out an effective internal security team by properly compensating potential candidates, as well as investing in deterrence tech like network detection, identity access management, SIEM and more.
“Since SOCs typically operate reactively, investing dollars into technology that can give them better intelligence ahead of a potential incident is a major advantage.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.