The cyber threat landscape is changing constantly, with criminals taking advantage of the latest advances in IT to mount increasingly sophisticated attacks. Trends concerning the use of tech such as artificial intelligence and ransomware have dominated the headlines in 2023 – and these are set to cause even more disruption over the coming year.
As experts in the field will testify, businesses wishing to maintain effective defences need to be proactive, so what should their leaders be looking out for in 2024?
AI will pose a growing threat, but defenders will use it too
AI has featured in a relatively small proportion of reported incidents over the past year, but this will change as criminals start using the technology to “personalise and slowly scale up cyber attacks”, predicts Phil Venables, CISO at Google Cloud.
“By using AI-based large-language-model algorithms, attackers can make malicious content that looks, flows and reads like the original, making it even harder to detect phishing emails and messages,” he warns.
More broadly, the use of generative AI to create fake news and related material on the internet could massively increase the spread of disinformation, thereby “reducing public trust in online content”.
But, while AI presents a clear danger in the wrong hands, the technology’s capacity to process and contextualise huge volumes of data also has the potential to reinforce firms’ cyber defences.
“This will come to fruition in 2024, with AI enabling defenders to strengthen detection and accelerate analysis,” Venables says. “It will equip them to respond quickly and at scale.”
Ransomware gangs will target smaller businesses
Any enterprise can be targeted by cybercriminals, whatever its size. Quentyn Taylor, senior director of information security for Canon in EMEA, predicts that smaller firms will increasingly bear the brunt of ransomware attacks in 2024.
This is partly because the falling cost of so-called ransomware-as-a-service offerings has made this data-locking weapon so accessible, reports Dr Tiffany Harbour, senior cybersecurity adviser at tech consultancy Access Partnership. She says that small businesses and local authorities “will be more at risk than ever” next year, given that they have relatively little money to spend on shoring up their defences.
Taylor expects that a growing number of firms will put plans in place next year to mitigate the risk of ransomware attacks as part of their efforts to reassure shareholders and attract new investment.
“Businesses are reporting net-zero claims in their statements and I wouldn’t be surprised to see similar disclosures on cybersecurity,” he says.
Attackers will probe weak links in supply chains
One of the biggest supply chain data breaches of 2023 was the attack on a popular file-transfer application called Moveit. Criminals exploited a vulnerability in the software to break into thousands of organisations.
Supply chains will remain prominent targets in 2024, according to Tristan Morgan, managing director of cybersecurity at BT.
“Events such as the Moveit vulnerability affected many businesses, including international airlines and large retailers,” he says. “Globally, this one hack cost businesses more than £7.9bn, affecting more than 1,000 companies and 60 million people.”
Such incidents illustrate how easy it can be to break into big companies via their suppliers. Morgan believes that the success of this attack will encourage more criminals to attempt similar exploits. His opinion is supported by Gartner, which has predicted that 45% of all organisations will have experienced attacks on their software supply chains by 2025.
As the risk of cyber attacks grows and supply chains are increasingly threatened, Morgan forecasts that there will be a shift next year towards so-called zero-trust models – a security strategy based on the ‘never trust, always verify’ principle.
“Zero-trust architecture aims to protect the back door from supply chain attacks by requiring verification from anyone trying to connect to your systems,” he says. “This helps to block unwarranted access.”
The shortage of security skills will worsen
The well-documented cybersecurity skills gap is set to widen in 2024 as companies struggle to find the talent they require to repel ever-more sophisticated attacks.
With experienced defenders so thin on the ground, firms are more likely to commit basic errors that criminals will be quick to exploit, warns Ian Thornton-Trump, CISO at security firm Cyjax.
The shortfall “may also impede the security improvements that organisations want to undertake, such as addressing their technical debt and legacy systems exposure”, he says.
“Those working in cybersecurity must ensure that they remain relevant and able to support digital transformation,” Thornton-Trump adds, noting that expertise in fields such as zero-trust architecture, AI and the conversion of legacy solutions to the cloud will be particularly sought-after.
If they’re to solve this skills shortage, businesses must “establish processes for talent progression, offering effective training and higher wages”, he argues. “Workforce development prioritising women, people with disabilities and under-25s is required.”
Plugging software holes will become more difficult
Software holes were constantly appearing in 2023, often paving the way for supply chain breaches such as the Moveit attack. New vulnerabilities are being announced and fixed all the time – most organisations have heard of Microsoft’s Patch Tuesday. But keeping abreast of them all will become an increasingly daunting task, according to Sean Wright, an independent security researcher.
He describes the challenge for businesses: “As soon as you’ve asked a team to patch one set of vulnerabilities, they’ll need to address more issues, often with a limited time in which to do so.”
To exacerbate matters, a significant proportion of firms aren’t responsive enough to the warnings they receive. Even after a security problem is disclosed along with the appropriate fix, they will often ignore the alert or be “incredibly slow” to apply the patch.
Wright predicts that more companies will be scrutinising their suppliers next year to check whether they’re taking the appropriate action quickly enough. With this in mind, he would strongly advise firms to focus on their asset management and vulnerability programmes.