What’s new in 2023 for cybersecurity?
Cybersecurity is one of the biggest challenges in IT. Simply maintaining all the critical systems, sensitive information, and business processes that support your organization is one thing. Securing them is a whole other challenge. As this industry evolves and defenses grow more and more advanced, many organizations find that they have been “left in the dust” regarding new standards and requirements.
These growing sets of requirements, compliance standards, industry buzzwords, and new vulnerabilities can overwhelm just about anyone. In fact, we hear on many occasions that leadership loses sleep over this growing set of seemingly impossible standards and threats. Our goal with this blog will be to outline, in the simplest terms possible, the new standards faced by many organizations and the reason these requirements are changing so rapidly.
What are some new compliance changes coming in 2023?
Compliance can come in many forms. Whether it be the tried-and-true PCI compliance for payment card processing or the new CMMC compliance for DoD contractors, one thing is certain: everyone has cybersecurity requirements, and everyone words them differently. For 2023, we expect to see some fairly significant changes coming down the pipeline for most organizations.
The two primary changing compliance standards that we will focus on for this post are Cyber Liability Insurance and CMMC. These both affect the largest subset of organizations and can drastically impact the way you operate.
Cyber Liability Insurance Compliance: Cyber liability insurance is held by a large percentage of organizations and covers damages related to activity associated with data breaches, cyber incidents, or IT disasters. These policies come with built-in “requirements” that must be reported on annually in order for the carrier to evaluate risk. Certain requirements are required to maintain a policy, such as multi-factor authentication on email and administrator accounts. Every year, these requirements and suggestions grow in both scope and complexity. At this point, maintaining a relatively standard policy requires dedicated security efforts, generally in the form of a specialized security team or partner.
CMMC Compliance: Rapidly approaching, in June 2023 CMMC will start to appear on bids for the Department of Defense. CMMC (Cybersecurity Maturity Model Certification) is a system through which the DoD will validate the security of its vendors and award contracts based on compliance. These standards are not straightforward; in fact, there are 110 controls that need to be followed to the letter in order to secure sensitive information stored by DoD vendors and contractors. Within the coming months, CMMC will be a listed requirement for bidding on DoD contracts.
What are new cybersecurity standards for 2023?
Cybersecurity is an ever-growing industry, with new defensive standards releasing very often. A few of the most exciting standards and changes are outlined below.
Managed Detection and Response with Cyber Hunt: A mouthful for sure – but Managed Detection and Response with Cyber Hunt is the new standard for protecting your organization’s servers, workstations, laptops, and other assets. Basically, this can be viewed as a very advanced anti-virus solution that has a team working on the backend to ensure all the systems are secure. Threats are investigated, devices can be quarantined, and response options are diverse. The Cyber Hunt portion falls in the vein of “zero-trust” security, in which it’s always assumed that a bad actor has compromised the environment and a security team works through events as if a threat is actively in the system.
Passwordless Logins: If there is one thing both IT and end-users can agree on, it’s the universal hatred of passwords and password management. This is where passwordless logins come into play. Instead of juggling 100+ passwords in a password manager, passwordless relies on a system that validates your identity by correlating things such as a phone prompt and the device you are using. Essentially, you would get a prompt on your phone to confirm it’s you and login to email with the push of a button. It’s more secure , more convenient, and a great way to win some points with users and improve security.
Data Loss Prevention and Sensitive Data Monitoring: It’s all about the data. Sensitive data is the fuel that powers the IT engine, but just like fuel it can be volatile. Billing info, client data, employee records, project management files, and much more are all considered proprietary and confidential information that can cause major damage if lost or compromised. This is where data loss prevention and sensitive data monitoring come into play. The idea is simple: tag all your sensitive data, encrypt all your sensitive data, and secure all your sensitive data from moving unacceptably. The core concept of identifying and tagging your sensitive data is the most significant hurdle for most organization. Microsoft has an entire tool suite, Microsoft Purview, dedicated to this critical data compliance standard. Our team is trained and certified in Microsoft security and always available to help get this formidable effort started.
Cybersecurity Awareness Training and a Security Culture: Perhaps the most significant improvement any organization can make towards improving their posture – a “culture of security.” By training your users with managed phishing email awareness campaigns and persistent modern-threat training, you can create an environment where your team acts as a “human firewall” to detect and report threats they see in the environment.
Cybersecurity is a specialized, dedicated effort that demands separate goals from standard IT operations. Staying up to date on the newest trends and requirements can be overwhelming. The Scarlett Cybersecurity team hopes that this helped clear up some of the mystery around new requirements. As always, please feel free to contact us if you have any questions or need assistance implementing new security controls.
