2023 introduced a variety of new challenges to the ever-changing business landscape, including the rapid expansion of artificial intelligence (AI) and adoption of SEC cybersecurity rules for public companies. Predictions of cybersecurity trends in 2024 point to a continuation of some of these trends, but also an additional shift that could significantly impact business valuations.
Increasing use of AI in attack and defense
A 2024 AlixPartners Disruption Index survey reported 67% of executives identified AI and automation as one of the next biggest disruptive opportunities. Organizations and ransomware operators alike are harnessing AI’s capabilities. In 2023, the number of ransomware attacks doubled, with the growth of automation supporting these figures. In 2024, we may see further advances as attackers leverage generative AI capabilities to boost phishing complexity and propel ransomware. AI-driven cyber attacks, including detection evasion and deception, may also present additional risk to a business when they are well targeted.
While generative AI is used to build business cases and generate text, it can also be used to craft email attacks in the style of a known individual. Sophisticated AI-assisted spearphishing email attacks were captured by vendors like Abnormal Security, and these attacks may continue.
To protect against AI as an attack vector, organizations should consider investments in advanced AI-driven security solutions capable of detecting and mitigating AI-based threats, such as Artificial Intelligence Trust, Risk, and Security Management (AI TRiSM) tools. With users at the receiving end of communications, regular updates and refinements to awareness training campaigns, phishing testing, and security-based AI algorithms are crucial to stay ahead of evolving attack methodologies.
Sprawl of user accounts and connected devices increasing attack surface
In a State of IoT report published in 2023, IoT Analytics reported an 18% increase in connections between 2022 and 2023. Further, Gartner is projecting a continued increase in SaaS spend through 2024. Businesses are expanding into areas that are on the edge and more external to the organization, pushing the limits of security that used to be confined to a defined perimeter. If not protected properly, this expansion may come with additional data lifecycle and user-centric risks.
For example, with the growing number of SaaS applications commonly used in business (e.g., Workday, Salesforce, SharePoint), the security perimeter extends beyond the organization and includes trusting the other organization to protect data and business processes. User identities may be created on SaaS platforms, but in some cases the review lifecycle is unable to catch these identities and trigger removal of permissions. For higher risk accounts, this presents additional risk.
Extension of the business perimeter requires similar security capabilities to wrap around those new services. User identities created and data that resides on SaaS platforms can be protected through data protection strategies and solutions such as SaaS Security Posture Management (SSPM) and Zero Trust Application Access tools, which provide a layer of oversight over those services. Further, they provide insights into misconfigurations that may lead to exploitation, and potential risks of data loss.
Increased losses from breaches result in additional changes to cybersecurity insurance requirements
According to the FBI’s IC3 report, IC3 by the Numbers, the monetary amount of victim losses increased by 49% from $6.9B to $10.3B between 2021 and 2022. Insurers are also taking note, adapting their business models to give themselves greater protections and reduce payouts. With larger losses in recent years, insurers have responded by hiking cyber insurance premiums and increasing the minimum baseline requirements for insurance. According to The Betterley Report, premiums increased between 50% and 100%.
With a higher minimum baseline for insurance and even interesting new exclusions (e.g., cloud outage, major vulnerabilities), some companies were even refused coverage at renewal. Areas such as limits on coverage, cloud outages, major vulnerabilities (e.g., Log4j), and widespread cyber events are also factored into the breach and insurance equation.
Organizations should review their cybersecurity insurance policy documents for required protections and SLAs, and understand that insurance is a supplement in case of an event. Additionally, organizations should bolster their programs through the implementation of baseline requirements (e.g., MFA, password manager) as a form of monitoring and response oversight to further protect business value and boost preparedness in the event of an incident.
Focus on maturity through modernization
Source: Okta “State of Zero Trust Security”
Traditional Virtual Private Networks (VPNs) and firewalls, once standards of infrastructure cybersecurity, are facing obsolescence in the wake of more sophisticated threats. Both legacy models introduce a much wider attack surface as well as outdated security standards. In 2023, there was a paradigm shift toward Zero Trust Cloud Architecture, and it is gaining momentum in the new year as remote work continues to reign supreme, with an Okta report indicating that 61% of organizations mentioned a “defined Zero Trust initiative in place”.
The Zero Trust approach, as indicated by the name, eliminates the implicit trust placed in networks and requires verification from anyone trying to access resources, regardless of their location. Embracing this model involves a multi-level tier and mesh of solutions and processes across cybersecurity domains, including implementing strict access controls, continuous monitoring, and comprehensive user authentication.
Making the shift to a full Zero Trust architecture takes time, resources, and significant planning to complete correctly. As organizations transition, they should begin with a well-defined and architected strategy, selection of fit-for-purpose solutions, and gradually phase out reliance on outdated VPNs and firewalls. This would allow adoption of a more dynamic, layered, and adaptive security posture.
Increasing regulation in data privacy and emerging technology, along with malicious reporting
As the attack surface adapts and threats evolve, compliance has evolved as well, to maintain a baseline level of requirements to protect data and information, whether set by industry or mandated by government. In 2023, there were new SEC regulations, which require organizations to improve cyber reporting and resilience.
There may be additional changes in regulations in 2024, with privacy rule changes. The EU and California have plans to review potential adoption of these changes in regulations. Further, the focus on AI may turn from discussions to progress towards an AI-focused regulation, which may impact its growth and recent prominence in the industry.
With the new SEC Rule requiring public companies to disclose cyber breaches within four days, attackers are also identifying creative ways to use this as a weapon to potentially boost revenue. A publicly traded company was a target of a ransomware group in 2023. Following the breach, the ransomware group reported its findings to the SEC regulator, out of frustration at the lack of acknowledgement. In 2024, we may see further reports of threat actors reporting their breaches, which may impact business valuations.
With adaptations in existing regulations and a push for additional ones, organizations must continue to follow announcements and changes by regulatory bodies, specific to their business. Cybersecurity, legal, technology, and communications teams should work together to identify and adapt the organization to these changes. Having numerous controls to track across regulatory requirements in a centralized compliance framework can be helpful to monitor progress.
Planning for the year ahead
As we dive into the new year, a proactive and multi-faceted security approach is imperative, with collaboration across multiple business lines. The 2024 cybersecurity landscape presents challenges, but also great opportunities. Organizations must stay vigilant, adapt to emerging threats, and foster a cybersecurity culture that prioritizes prevention and response. Additionally, businesses must ensure that their incident response planning is in place should an attack occur. As such, the key takeaways from these trends are to ensure complete visibility into assets and their controls, continue modernization of the cybersecurity program, and pay attention to changes in compliance. Preparedness and awareness are the greatest forms of defense, and the power lies in our collective response to make that happen. Remember that it takes decades to build an empire, but less than ten minutes to destroy one.
If you’d like to explore any of these areas further, please contact the AlixPartners Cybersecurity team.