
Reflecting on 2023 Cybersecurity Trend Predictions: A Year in Review

Last year, we made predictions about the cybersecurity trends that would define 2023. Now, with the year coming to a close, it’s time to look back on those forecasts and see where we were right and where we may have missed the mark.

What is very clear is that whilst some trends held true, others took unexpected turns. Our prediction that supply chain attacks would persist rang especially true, as significant incidents at Capita, the UK Police Force, and 3CX demonstrated. As anticipated, the rise of IoT devices and the regulation of these devices also intensified.

However, some trends, like the push for global harmonisation of data regulations, did not advance as quickly as predicted. And passwordless authentication, while gaining steam, is still yet to fully replace passwords.

This blog post will re-examine each trend we forecast and analyse where things stand today. By reviewing our hits and misses, we aim to provide an honest assessment of the cybersecurity trends that matter now and equip organisations with the insights needed to prepare for the next year ahead.

Trend 1: A Privacy-First Approach to Information Security

Last year, we predicted 2023 would usher in a privacy-first approach to cybersecurity, primarily driven by strengthening data privacy regulations worldwide. This forecast proved accurate, as privacy became a central consideration for policymakers and tech leaders.

Major platforms like Google did indeed shift towards privacy-centric models—the deprecation of third-party cookies in Chrome and the launch of the Privacy Sandbox initiative emphasised user privacy. Though imperfect, these changes represent a seismic shift for the ad tech industry. Apple similarly extended its privacy push with further upgrades to its App Tracking Transparency.

The growing patchwork of data privacy laws also compelled organisations to prioritise privacy. 

Europe

GDPR continued to be the benchmark for digital rights. 

Even jurisdictions without specific laws felt pressure to align with GDPR to enable data flows, with considerable effort and time being spent creating data bridges to allow data to transfer across geographic borders compliantly. 

United States

California led the charge with an amended California Consumer Privacy Act coming into effect in 2023. Other states, including Virginia, Colorado, Utah and Connecticut, have also enacted their own privacy laws. 

At the federal level, Congressional bills like the Data Care Act and Online Privacy Act signal a broader push to establish a national privacy framework.

APAC

In China, more detailed implementing rules were rolled out step by step under the Personal Information Protection Law (PIPL), with a focus on security assessment procedures and Standard Contractual Clauses (SCCs) for data exports, and India’s proposed Digital Personal Data Protection Act moved the needle in Asia. In Australia, the government planned to overhaul the Privacy Act, with various changes proposed to modernise it and make it more relevant in the digital age.

This expansion of privacy legislation globally made compliance more complex but reinforced privacy-first information security.

Our prediction around privacy frameworks also proved true. Adoption of standards like ISO 27001 and ISO 27701 accelerated as organisations sought to systematise their privacy programs. These frameworks provide helpful roadmaps for instituting data protection controls and formalising privacy management.

While progress has been made, the privacy landscape is still evolving. Some laws like PIPL, while in place, are evolving slowly, and many companies still lack mature privacy programs. However, the growth of privacy regulations and increasing user expectations around data security have firmly established privacy as a foremost concern for cybersecurity and business leaders—those who don’t prioritise it in 2024 risk falling behind peers, regulators, and consumers. A privacy-first approach is no longer optional but foundational to trust and success in the digital economy.

Trend 2: Global Harmonisation of Information, Privacy & Data Regulation

Last year, we anticipated growing momentum towards harmonising privacy and data regulations across borders. The intent was to streamline compliance for companies operating globally and improve interoperability. However, the complexities of reconciling diverse legal frameworks meant progress on this front was more muted than expected.

Some tentative steps were taken to align regulations internationally. Initiatives like the EU-US Data Privacy Framework focused on enabling transatlantic data flows through shared standards. APEC continued developing its Cross-Border Privacy Rules system to bridge Asia-Pacific jurisdictions. However, significant gaps remain between major privacy regimes.

The European Union’s GDPR remains the most expansive data protection law worldwide. Efforts to influence other jurisdictions towards GDPR alignment have achieved mixed results. Laws like Brazil’s LGPD took cues from GDPR, but other regions opted for tailored regulations. And countries like India and China enacted internet sovereignty laws asserting greater digital control.

Divergent national interests present a crucial challenge to harmonisation. Governments often view privacy laws as upholding sovereignty and limiting outside influence. This makes convergence around a standard set of rules difficult politically. Competing priorities around privacy versus economic growth also impede consensus.

While substantial worldwide harmonisation remains elusive, organisations can still prepare for this complex landscape. Following recognised international standards and frameworks helps ensure baseline compliance across jurisdictions. Investing in adaptable data governance programs enables adjusting to new requirements. And monitoring legal developments across target markets is essential to stay ahead of the evolving regime.

Though the path to harmonisation is long, alignment on core data protection principles could develop over time. But, managing compliance across disparate regulations will likely remain the reality in 2024.

Trend 3: A Passwordless Future Ahead

Last year, we predicted 2023 would see increased adoption of passwordless authentication as companies sought to enhance security and user experience. This trend largely played out as anticipated.

Major technology firms helped accelerate the passwordless future through high-profile implementations. Microsoft announced passwordless sign-in for commercial Azure Active Directory users, leveraging FIDO standards for multi-factor authentication. Apple deployed passkeys in iOS 16 and macOS Ventura as a secure alternative to passwords. Google, Facebook and others also expanded passwordless rollouts.

Consumer response has been largely positive, as passwordless systems remove the friction of memorising credentials. However, for broader business adoption, these systems are often paired with stepped-up identity verification requirements that balance security and usability.

Our prediction about integrating passwordless authentication with zero trust architecture and identity access management held true. As organisations look to validate user identities across networks, devices and environments, zero trust principles help protect access. Tools like single sign-on and adaptive multi-factor authentication help manage logins while preventing credential reuse.

However, passwords persist in many systems. Legacy applications and services that lack modern authentication capabilities pose barriers to going completely passwordless. And costs of overhauling legacy infrastructure can slow adoption. So, while the momentum toward passwordless continues, the death of the password may not entirely be here yet.

In the year ahead, we expect further integration of passwordless systems with layered identity management protections. Organisations concerned about phishing risks could pilot passwordless rollouts in low-risk areas first. And user education will be essential, as passwordless represents a shift in decades-old login behaviour. But used judiciously, passwordless and zero trust strategies can take identity management to the next level.

Trend 4: The Supply Chain Problem Persists

Last year, we forecasted supply chain cyber-attacks to intensify as threat actors sought new infiltration points. Unfortunately, this prediction fully materialised, with significant incidents demonstrating the supply chain’s continued vulnerability.

Several high-profile companies fell victim to sophisticated supply chain attacks in 2023, including BA, Boots, and the BBC, breached via their payroll companies’ use of a file transfer tool named MOVEit. Tech giant Okta also suffered a breach of over 5,000 employees’ data through a third-party healthcare provider. And ransomware gangs increasingly targeted managed service providers to access their customers downstream.

These incidents underscore the risks of overlooked weak links and over-trusting partners. In response, businesses doubled down on supply chain cyber strategies, adopting frameworks like ISO 27001 and NIST to establish comprehensive information security controls and processes that account for third-party interactions; this includes implementing regular security reviews for vendors, prioritising cloud security to lock down provider environments, and pressuring managed service providers to demonstrate cyber readiness to clients.

While positive steps, supply chain security remains a work in progress for many organisations. Culture shifts take time, as deeply ingrained trust between partners can’t be dismantled overnight. But threats will continue to evolve, meaning supply chain vigilance cannot wane.

Looking ahead, we expect Third Party Risk Management (TPRM) programs to become ubiquitous across industries. Cybersecurity will increasingly factor into procurement decisions. And oversight of vendors will tighten through audits and mandatory disclosures. While the supply chain problem won’t disappear in 2024, businesses have renewed the imperative to tackle these persistent threats.

Trend 5: Internet of Things (IoT) Risk Landscape

Last year, we anticipated that the proliferation of IoT devices would expand the attack surface for organisations. This forecast was borne out, as unsecured IoT emerged as an Achilles heel in 2023 cyber incidents.

Attackers consistently targeted vulnerable IoT devices to gain network access. The Log4j vulnerabilities in IoT systems were exploited to deploy crypto miners. Unprotected healthcare IoT devices were compromised to steal patient data. DDoS attacks leveraged poorly secured IoT cameras and routers to overwhelm victims.

In response, long-awaited IoT security regulations gained traction globally this year. The EU’s Cyber Resilience Act will mandate baseline IoT security standards starting in 2024. The US, UK and others are pursuing similar rules to close IoT vulnerabilities. These laws aim to curb the spread of noncompliant devices.

On the enterprise side, IT teams rushed to inventory connected assets, update IoT device firmware, and monitor traffic across IoT environments. Segmenting IoT networks helped limit lateral movement after infiltration. But for many, the unknown and unmanaged IoT scale made timely remediation difficult.

While regulators and businesses work to address risks, IoT integration continues proliferating rapidly. Gartner predicts there will be over 30 billion IoT devices by 2025, up from 11.4 billion in 2021. This massive expansion of the IoT landscape will challenge even the most robust device security regimes.

In 2024, we expect IoT security management to become a dedicated focus area. Organisations will embrace IoT visibility and access tools to rein in device sprawl. And more businesses will look to platforms that simplify asset management and threat detection across complex IoT ecosystems. But constricting this ever-widening attack surface will require vigorous and coordinated efforts.

Trend 6: Managing the Cybersecurity Skills Gap Creatively

Last year, we predicted creative approaches would emerge to help manage the cybersecurity skills shortage limiting security teams. 

With cyber roles remaining chronically understaffed, firms did indeed get creative with sourcing talent, recruiting from adjacent fields like IT, compliance and engineering to access untapped talent pools. Apprenticeship programs helped mould interested candidates lacking direct experience. And spotlighting softer skills for cyber roles encouraged wider applicant pools.

Outsourcing also grew to optimise processes and free up internal cyber resources. MSSPs took on outsourced monitoring and response for strained security operations centres. Cloud providers supplied managed security services to reduce infrastructure burdens. And consultants provided specialised expertise to fill knowledge gaps.

However, outsourcing introduces potential risks if not managed closely, as seen in major third-party breaches. And companies still needed help to land senior cybersecurity leadership, a gap outsourcing could not fill.

Heading into 2024, managing cyber workforces will remain imperative. Training programs, creative recruiting and better resource use through outsourcing will likely expand. However, acute shortages of advanced cyber skills persist. The industry’s reliance on overburdened but essential security personnel will continue for the foreseeable future. Ongoing creativity and investment will be vital to success.

Key Takeaways: The Road to Stronger Cybersecurity

If 2023 has taught companies anything, it is that effective information and cybersecurity are now essential to business success.

Certain trends, like supply chain attacks and IoT sprawl, clearly accelerated as predicted. But other areas, like passwordless adoption and global regulation, moved more gradually than expected. All of this underscores that cybersecurity requires agility and vigilance. Complacency is dangerous when threats morph so readily.

To stay ahead, organisations must monitor trends continuously, not just yearly. They should pilot emerging solutions cautiously, even when the promise is great. Investing in adaptable foundations like security frameworks, risk-based security and workforce development enables pivoting to meet new challenges.

As we look forward to 2024, expect more volatility, from geopolitical tensions driving state-sponsored attacks to quantum computing and AI introducing new technological risks. Collaboration will be critical, from public-private partnerships to vendor ecosystems partnering to raise baseline resilience across interlinked supply chains. Cyber risk is here to stay, but our collective efforts can create a more trusted digital ecosystem that balances progress and protection. 
