Hackers will get smarter in 2023, but cybersecurity talent will be harder to find: North Bay experts

Cybersecurity trends

• Cyberattacks are up 43% and are becoming more frequent, targeted and complex, including attacks involving small-to-medium-sized businesses (SMBs).

• Only 14% (1 of every 6 firms) are prepared to defend themselves, due to insufficient security measures.

• 66% of businesses surveyed experienced a cyberattack in the past six months.

• 69% of respondents say cyberattacks are becoming more focused. The most common attacks include phishing (57%), compromised or stolen devices (33%) and credential theft (30%).

• IoT (Internet of Things) cyberattacks are expected to double by 2025, but the rate of detection (or prosecution) is as low as 0.05% in the U.S.

• The COVID-19 pandemic amplified cybercrime due to uncertainties associated with remote work and how to protect businesses.

• Remote work is increasing data breaches involving transmissions between personal and business devices.

• Ransomware continues to be the No. 1 attack category. The average cost of a single ransomware attack is $1.85 million.

• Cybercrime represents the greatest transfer of economic wealth in history, estimated to cost companies worldwide $10.5 trillion annually by 2025, up from $3 trillion in 2015, a growth rate of 15% year over year.

• A 600% rise in theft, embezzlement or data destruction was seen during the pandemic as data from employees working on personal devices at home was transferred to business devices, according to Embroker.

Sources: Accenture’s Cost of Cybercrime Study, World Economic Forum’s 2020 Global Risk Report and Embroker

Smarter hackers and harder-to-find IT personnel with cyber experience are issues that will continue to confront companies in 2023. But there’s good news, say North Bay cybersecurity experts, with improved system safeguards and practices coming into place.

Soni Lampert, CEO, KHL Consulting in Santa Rosa (courtesy photo)

Soni Lampert, CEO, KHL Consulting in Santa Rosa, noted that artificial intelligence is one tool coming into place as an early warning system for data breaches.

Still important will be employee education, policies and procedures, as well as quarterly security training, ongoing phish testing and “access to a help desk where staff can get answers in real time,” Lampert said.

Here’s what’s needed as more and more “internet of things” devices are installed in the workplace, she said.

“It is critical to segment IoT devices appropriately and use unique, complex credentials for each service, coupled with multifactor authentication (MFA) whenever possible in addition to disabling features not in use or required for device operation,” Lampert said.

She added businesses also need to verify the credibility of vendors supplying such devices.

Legacy network re-engineering

Ed Brinskele, CEO, Vir2us International, Petaluma (courtesy of Vir2us)

Hacker targets are not likely to change in 2023, according to Ed Brinskele, CEO of Vir2us Inc., a Petaluma-based provider of integrated cybersecurity and AI robotic solutions for zero-vulnerability computing environments.

“Some network infrastructures in use today were designed decades ago when the goal at the time was to establish an open environment so everyone could have access to the internet — but not to keep the bad guys out,” Brinskele said. “Cybersecurity was an afterthought.”

He added that, with increasing threats, more small- and medium-sized firms should consider adopting a “zero trust” security framework, which requires all users, whether inside or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data.

Cyber champions in C-suite

Whatever changes in 2023, Brinskele said ransomware will most likely continue to be the No. 1 threat. In response, he suggested cultivating expertise and education efforts among cyber champions, including a chief information security officer in the C-suite.

Mandating complex password changes every six months, employing dual-factor authentication and biometric voice recognition, and inspecting and validating users entering and leaving private networks at all levels will continue to be important.

“Tight security is not just important for small firms; 90% of the Fortune 1000 were hacked last year,” Brinskele said.

Better passwords and authentication

Jason Herrington, vice president of technology with Rinkor Technology Solutions in Santa Rosa, concurred that outdated password practices and a lack of MFA head the list of common concerns that remain important in 2023.

“This is easy to overcome by using a password manager with an MFA password generator,” Herrington said.

Along with email scams and phishing attacks, he said, attempts by outsiders impersonating someone within the business organization are on the rise.

“Network managers must stay on top of new security methods to protect and notify staff of potential external threats,” Herrington said.

And even next year, it remains critical to maintain training.

“Everyone may not be enthusiastic about getting up to speed on cybersecurity protection, but even though training can be expensive, its absence is more costly when a loss occurs,” Herrington said.

Business continuity planning

Scott Blumin, principal, Scoja Technology Services, San Rafael (courtesy of Scoja)

For 2023, Scott Blumin, principal with Scoja Technology Services in San Rafael, recommends preparing a risk management business continuity plan.

“Such plans protect valuable assets including staff, data, customers and the firm’s reputation,” Blumin said. “The key is ensuring that everyone at the business is familiar with the plan and their role(s) in it. IT managers should take time to review the plan with staff at least twice a year.”

Handing that off solely to a vendor or managed service provider isn’t the answer, because the vendor may be obligated only to do what is in the agreement.

“Every team needs a strategic IT professional or technology program manager serving as a tech quarterback,” Blumin said. “A person who is aligned with company goals and has technology, security, compliance and business knowledge can ensure that the firm’s infrastructure stays up, on time and within budget, while also offering tech improvement suggestions for senior leadership.”

For example, it is not uncommon to have 30 or more devices connected at home, Blumin said. Those include computers, smartphones, tablet computers, smart devices (for music, video and TV), surveillance cameras and other security-centric devices.

“Without someone on staff who understands a firm’s home and business technology connections and security needs, an employer is exposed to data and financial loss, identity theft and more,” Blumin said.

Budget for tech lifespans

David Johnson, owner, Midpoint Cyber Solutions, Fairfield (courtesy of Midpoint)

For 2023, David Johnson, owner of Midpoint Cyber Solutions in Fairfield, advises: “If you don’t have a device plan or a budget in place, apply the three- to five-year rule for phasing out hardware on the network for low-tier (three years) and high-tier (five years) devices.”

Here’s how that works, he said. Divide the cost of the devices that need to be purchased by their average lifespan in years through phaseout, then budget that amount monthly, year after year, until the end of those time periods.

Control personal BYOD

Because few employees want to carry one phone or other device for work and another for personal use, Johnson believes “mobile device management (MDM)” will gain traction when it comes to BYOD (bring your own device) at work.

MDM software can help keep sensitive, private information secure while remaining noninvasive to employees, managing smartphones, tablets, laptops, desktops, TVs and rugged devices across multiple operating systems, namely Android, iOS, iPadOS, tvOS, macOS, Windows and Chrome OS.

Hiring and employee education

Jason Gregori, owner, Craft Technology Solutions, Santa Rosa (courtesy of Craft)

“We are experiencing a nationwide security skills shortage with not enough IT trained personnel to fill vacancies,” said Jason Gregori, owner of Craft Technology Solutions LLC in Santa Rosa. “Within the U.S. there are over 700,000 unfilled cybersecurity job openings and the federal government has been urging companies to focus resources on cyber defenses throughout 2022, representing a key challenge for businesses as we look into 2023.”

Employee conduct surrounding day-to-day technology operations is the leading cause of security breach incidents for small businesses, according to Gregori.

“The FBI has named business email compromise (BEC) as a $26 billion scam and predicts that the threat will increase in 2023,” Gregori said.


He said BEC is a phishing scam where cyber criminals impersonate or compromise the email account of a high-level executive in an organization and then target an employee asking him or her to make an urgent wire transfer of funds or an unexpected purchase. The greatest defense against phishing is employee education, training and awareness.

“Numerous platforms exist designed to help train employees on how to detect fraudulent emails, since there are always obvious signs that go unrecognized by the untrained eye,” Gregori said. “Implementing a dual-control and segregation of duties business process for sending money is also an excellent preventative measure.”
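As an added illustration (not code from the article or from any firm quoted in it), the following Python screens incoming mail for the BEC pattern Gregori describes, an executive's name on an urgent payment request, and models the dual-control rule he recommends for releasing funds. The corporate domain, executive directory and sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed values for the example: the company's mail domain and the
# executives whose names a BEC actor would most plausibly spoof.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|gift cards?|invoice|payment|purchase)\b", re.I)


def bec_indicators(msg):
    """Return the BEC indicators present in a message given as a dict of headers and body."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Display name of a known executive paired with an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append("display-name impersonation")
    # Mail from outside the company posing as an internal request.
    if domain != CORPORATE_DOMAIN:
        reasons.append("external sender domain")
    # Replies silently redirected to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("reply-to", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to mismatch")
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment request")
    return reasons


def is_suspicious(msg):
    """Flag an urgent payment request that also carries a sender-identity signal.
    A genuinely compromised internal mailbox leaves no header trace, so dual control
    on the payment itself (below) is the backstop, not mail filtering."""
    reasons = bec_indicators(msg)
    return "urgent payment request" in reasons and len(reasons) >= 2


def approve_transfer(requester, approvers):
    """Dual control / segregation of duties: two distinct approvers, neither the requester."""
    return len(set(approvers) - {requester}) >= 2


# Constructed sample messages: a spoofed executive and a benign internal note.
SPOOFED = {"from": "Jane Doe <jane.doe@examp1e-mail.net>", "subject": "Urgent wire transfer",
           "body": "I need you to process a wire transfer immediately. Keep this confidential."}
BENIGN = {"from": "Jane Doe <jane.doe@example.com>", "subject": "Lunch", "body": "Team lunch Friday?"}
```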

Special Correspondent Gary Quackenbush worked at the Wall Street Journal; headed communications departments at AT&T, Pacific Bell, General Cellular Corporation; was a senior executive at several Silicon Valley high-tech PR agencies; was West Coast editor for Telecommunications Magazine; and wrote for Windsor Times and the Sonoma County Farm Bureau. Reach him at Gary.Quackenbush@gmail.com.
