Cloud security is leading technology investment agendas and concerns in 2023, according to Arctic Wolf's "2023 Security Trends Report."

The survey reached more than 700 IT directors and found 53% plan to add or update the technology they use for cloud security in the next year. That represents a 31% jump from the previous year's report. The security vendor views this as a positive trend, citing its own threat detection data that shows more than 47% of the threats it responded to in 2022 included a compromised cloud component.

The second major area of investment is implementing a security awareness program, which was cited by 40% of respondents. These programs show users how threats play out and teach that "they themselves are often both the target and the first line of defense," according to Arctic Wolf.

With more than 90% of threats the vendor responded to last year targeted at employees or users, security awareness programs are suited to defend against social engineering or phishing, which are often the simplest ways for bad actors to grab login info and initial access to sensitive data.

Arctic Wolf recommends integrating an awareness program with active monitoring tech to indicate signs of a phishing attempt. "This combination prevents a strong security technology stack from being defeated by a complacent user giving away credentials to a crafty social engineer," the report said.

On the lower end of organizations' 2023 IT investment priorities is vulnerability and patch management. According to the survey, 18% of respondents plan to implement or improve an existing patch management system over the next year. This isn't because patching vulnerabilities doesn't work; research from the Ponemon Institute found that 60% of data breaches could have been prevented by using a patch.

"Patching every vulnerability that pops up" might not be feasible, but "ignoring your patch management system, or not investing in vulnerability management, will only increase risk," the report reads.

The survey found ransomware reigns as the top concern for IT organizations heading into 2023, cited by 48% of respondents. Ransomware also earned the title of top concern in last year's iteration of the report, and Arctic Wolf anticipates this trend will continue.

"Ransomware attacks continue to grow, and the growing popularity of  ransomware-as-a-service (RaaS) has lowered the barrier for novice attackers to execute this  style of attack," the report noted. "This is why it is so important for organizations to continually identify their security gaps, actively train their users in security awareness, and develop a strong response plan in the event they are subject to a ransomware attack."

Those concerns are validated by the continued prevalence of cyberattacks. In 2022, 55% of surveyed organizations experienced a ransomware attack, leaving just 42% environments untouched by ransomware.

Gaps in cloud security are the second biggest concern overall, but it's more worrisome than ransomware for 42% of respondents. And in terms of cloud security posture, just 38% of respondents think they're doing an effective job at securing cloud resources, and 26% say cloud is a significant area of security weakness.

In addition, just 25% noted patching vulnerabilities as a major concern for the upcoming year, which contradicts the respondents who claim plans to invest in this area in 2023. The vendor noted it's difficult to identify what is driving that disconnect, "but it may lie in reduced security budgets and prioritizing what they feel are the largest areas of concern," the report reads.