Forecast for 2023 Privacy and Cybersecurity Landscape

So far, 2023 is shaping up to be a big year for data privacy and cybersecurity. We have put together a forecast from industry experts and reliable sources. Here’s what to expect:

Increased Demand for Privacy by Design

According to ISACA’s Privacy in Practice 2023 research report, released in January 2023, any organization that practices privacy by design will see correlative benefits, like being able to ensure the privacy of its sensitive data. This is often credited to these organizations receiving a high amount of board support for the prioritization of privacy objectives and maintaining a sufficient number of privacy employees to satisfy their design needs.

Despite the benefits of practicing privacy by design, the percentage of organizations surveyed by the association that do so only totals 30%, which is up two points since the end of 2022. According to the ISACA report, the three greatest obstacles to forming a privacy program in an organization are a lack of competent resources; a lack of clarity on the mandate, roles, and responsibilities; and a lack of executive or business support.

The report states that the greatest contributors to a lack of resources are privacy staff shortages and the growing, yet vastly unsatisfied, demand for personnel in technical, legal, and compliance roles. The ISACA report indicates that 53 percent of survey respondents said their technical privacy teams were understaffed, while 44 percent noted a need to fill legal and compliance positions. Technical demand is expected to grow by 69 percent and legal and compliance demand by 62 percent.

In the report, Safia Kazi, an ISACA principal in privacy practices, states that this expected increase shows how “it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.” That will require some action by executives and board members.

The report found that the most commonly cited basis for privacy failures in an organization, receiving a 49 percent vote from respondents, is a lack of training. A statement from Verizon's 2022 DBIR likewise indicates that the human factor was the culprit behind 82% of breaches and is predicted to continue as one of the greatest risks posed to organizations worldwide. To combat this human error, ISACA reports that in 2022, 85 percent of responding organizations required their employees to receive privacy awareness training, with 59 percent of them requiring the training to be conducted on a monthly basis. According to the report, 73 percent of these organizations felt that these training requirements had a positive impact on their organization.

Bolstering the claim that many organizations lack executive or business support for implementing privacy by design is the fact that only 55 percent of the organizations reviewed believe their board of directors adequately prioritizes privacy objectives, and 43 percent believe their privacy budget to be underfunded.

With the increased concern surrounding privacy at an organization-wide level year after year and the growing consumer demand for organizations to effectively engage in such privacy tactics, there is potential for the reluctance to implement privacy by design to subside. According to Anne Toth, trust, privacy and tech policy advisor, and member of the ISACA Digital Trust Advisory Council, “privacy by design is a smart investment that pays dividends in customer trust.”

Healthcare Will Still be a Big Target

The number of ransomware attacks on hospitals more than doubled between 2016 and 2021, according to the Journal of the American Medical Association. That’s why healthcare companies are projected to get serious about cybersecurity budgets in 2023, with an average increase in spending of more than 15 percent, according to Chris Bowen, founder and CISO at data security firm ClearData.

Bowen spoke about cybersecurity in healthcare to Healthcare Dive, as did Google Chief Clinical Officer Michael Howell. The latter predicted that “data protection and trust will be pivotal this year as a national conversation around privacy sparked by the overturning of Roe v. Wade stretches into 2023. In the wake of the ruling, a number of period tracking apps, data brokers and tech companies like Apple and Google took steps — often under regulatory and public pressure — to enhance privacy and security protocols.

Say Goodbye to Passwords

Despite the increased conversation surrounding password security and data privacy, at the close of 2022, human behavior still hadn’t changed much. CNBC released an article revealing that the three most common passwords during the year were “password,” “123456,” and “123456789.”

That’s why 2023 may mark the end of passwords. On May 5, 2022, Apple, Google, and Microsoft announced a shift away from personal password selection as they committed to providing platform users with a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. Under this new standard, websites and applications will be accessible to consumers by using biometric verification or by using a device PIN. The release notes that this access method “protects against phishing, and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.”

Federal Privacy Legislation Might Pass

In 2022, several U.S. states passed state privacy legislation, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CDPA), the Utah Consumer Privacy Act (UCPA), and the Virginia Consumer Data Privacy Act (VCDPA).

There are more on the way. Security Magazine predicts that by the end of 2023, 10% of U.S. states will have their own data privacy legislation. Meanwhile, there’s still hope that 2023 might be the year we see a federal data privacy law, which boasts strong bipartisan support. And Gartner predicts that by 2024, 75 percent of the world will be covered by privacy legislation.

 
