As a supermassive data breach brings security once again to the center of attention, we identify the cybersecurity trends that will help you navigate the digital landscape in 2024.
If cybersecurity wasn’t that high on your list of priorities, the year 2024 seems to be gearing up to adapt your perspective. Before we even got through its first month, the tech media headlines were ablaze with the story of MOAB – the mother of all breaches.
The only things we used to call supermassive were black holes. Today, this adjective is used to describe data leaks. At the center of MOAB is a never-before-seen volume of 26 billion records of leaked user data that can be leveraged by malicious actors for a wide range of attacks.
The numbers alone rightfully send chills down the spine of both company leaders and end users. However, they should also serve as motivation for both to turn a fresh leaf and define new cybersecurity goals and strategies.
To give you an idea of what you might expect, we present cybersecurity trends likely to shape the digital landscape in 2024.
Cybercrime will be a booming business
What are the dangers of the aforementioned MOAB? The leaked data contains user credentials, but also other sensitive information, all valuable to bad actors.
There’s so much data circulating online that anyone who doesn’t practice ample amounts of cyber hygiene almost automatically becomes a target. For instance, that’s exactly what happened to senior Microsoft execs.
With the current conflicts going on in the world and the ensuing charity frauds, the upcoming US elections, and the Summer Olympics, the threat landscape of 2024 is shaping up to be very dynamic.
Cybersecurity Ventures predicts that cybercrime will cost the world $9.5 trillion in 2024. If this were a country’s GDP, you’d be looking at the world’s third-largest economy after the U.S. and China.
All of the aforementioned in the context of a 3,4 million person global shortage of cybersecurity professionals seems to be brewing a perfect storm for making cybercrime an ever more lucrative business.
Artificial intelligence will be weaponized for phishing attacks
It almost feels like there’s no realm of human endeavor left untouched by the AI revolution we’re witnessing, and it’s impossible to have a conversation about cybersecurity trends without mentioning it.
We could wax lyrical about the different ways in which the technology will improve cybersecurity both on the defensive and the offensive side of things, but let’s focus on just one type of social engineering attacks, and that is phishing.
In the days of yore, one had to at least spend some time preparing a series of semi-coherent texts that would lure their victims into clicking on the “Get your green card now!” button. Nowadays, getting a nice proofread email is a matter of entering a simple prompt into your large language model of choice.
You might be using ChatGPT to draft an email to your landlord, but to someone else, generative AI tools are probably the best shortcut to scamming unassuming victims since the invention of AOHell.
And this is just one way bad actors might be using artificial intelligence. What about deep fakes? Getting an audio recording of your parents asking you for an urgent wire transfer because their belongings got stolen in transit is far from a science-fiction scenario. It’s a particularly vile example of vishing combined with spear phishing (yes, these are actual words) that will only become more prevalent as technology advances.
While the danger there is you getting eked out of a few hundred bucks, similarly placed attacks on a somewhat gullible business executive (think Business Email Compromise 2.0) could have catastrophic consequences for both organizations and their end-users. BEC is already one of the most costly scams for organizations, amounting to more than 50 billion dollars in losses as per the FBI’s 2023 public service announcement. No one is safe, not even high-tech companies like Meta and Google.
Today, it’s an email or a WhatsApp message, but it could also be voice, video, or a combination of those. It’s a brave new world. WEF’s Global Cybersecurity Outlook 2024 mentions that fewer than one in 10 respondents* believe that in the next two years, generative AI will give the advantage to defenders over attackers. (*out of 120 executives surveyed at World Economic Forum’s Annual Meeting on Cybersecurity)
So what’s the lesson here? Keep your eyes open and trust no one, not even your deepfake parents and business partners. One thing you can do is run continuous phishing simulation campaigns and security awareness training.
Since the security landscape is changing along with all other advancements in technology, educating employees and hardening your infrastructure and security policies are crucial for minimizing risk, year in and year out.
IoT systems will be under attack
We’ve talked about securing IoT connectivity on your home or office network before, but this topic is by no means done and dusted.
Taking just a simple look around, you could surely name at least five things connected to the internet right now. Your car is probably one of them. And even if it isn’t, the next one will be.
Your gut feeling might point in the direction of a car’s infotainment system as a potential point of breach. You trust that Android Auto or Apple CarPlay use state-of-the-art protection and think nothing of the potential threats.
Unfortunately, that’s not where the story ends. Most of the code running on your car’s plentiful hardware has nothing to do with the infotainment system. Think about vulnerable EV stations, OTA updates, 24/7 connectivity, keyless car theft… and you’ll quickly figure out that cars have an enormous attack surface that will only get bigger with time.
The car is just one of your many gadgets connected to the internet. What about wearables, smart appliances, voice assistants, smart doorbells, security cameras…? How often do you update all of these devices? How often does anyone? Is anyone making us do so?
And personal devices are only the beginning. It’s IoT all the way down to industrial manufacturing and smart cities.
IoT systems harness massive potential for improving our quality of life. However, with an estimated 16.7 billion connected endpoints in 2023, the attack surface is becoming increasingly large and risky for both companies and end users.
The class action lawsuit filed against Amazon’s Ring last year is just one of the examples in recent memory that proves the point that IoT security is not an endeavor to be taken lightly.
DevSecOps will evolve from buzzword to standard practice
Cybersecurity (cybersec) seems to have a penchant for weird acronyms. One of those is DevSecOps, and we’d say you’ll either be hearing about it a lot or we’re all collectively moving in the wrong direction.
We realized long ago that a collaborative culture, agile principles, continuous integration/development, and built-in quality are the norm when it comes to digital products. That’s all fine and dandy but also somewhat half-baked if not permeated by a security-first mindset.
Enter “Sec” in “DevSecOps” – creating a way of working wherein development, security, and operations are all intertwined every step of the way to accommodate for the rapid deployment so necessary in modern software development.
Security can no longer be treated as an afterthought. In practice, this means it’s prime time to shift left and move towards a zero-trust mindset, from the smallest start-up to the biggest long-running corporation.
We could assemble a list of security breaches that could have been harder to accomplish by baking security into the software development lifecycle, but our editor frowns at blog posts more than 50 pages long.
Running SAST, DAST SCA and other scanners in the pipeline is a commendable starting point but it still only scratches the surface. A proper secure software development lifecycle starts with strategy and ends with production observability. Doing a “let’s just tick the checkbox” pre-production penetration test won’t cut it in the future. Going beyond mere cybersecurity trends, DevSecOps will be the way to go, and DevSecOps means thinking about security early, seriously, and making it a group effort.
Regulations will drive change
In our selection of cybersecurity trends, there are a couple more acronyms that you will probably be hearing about in 2024. In the EU especially, those are NIS2 and DORA. Let’s break them down:
The NIS2 (Network and Information Security Directive 2) aims to enhance the security of network and information systems within the EU by requiring operators of critical infrastructure and essential services to implement appropriate security measures and report any incidents to the relevant authorities.
EU member states have until October 17th, 2024 to transpose this directive into law. Complying with it is a complex topic but boils down to the following (as per the NIS2 requirements):
- Risk assessments and security policies for information systems
- Policies and procedures for evaluating the effectiveness of security measures
- Policies and procedures for the use of cryptography and, when relevant, encryption
- A plan for handling security incidents
- Security around the procurement of systems and the development and operation of systems
- Cybersecurity training and practice for basic computer hygiene
- Security procedures for employees with access to sensitive or important data, including policies for data access
- A plan for managing business operations during and after a security incident
- The use of multi-factor authentication
- Security around supply chains and the relationship between the company and direct suppliers
DORA, or the Digital Operational Resilience Act, is a regulation that comes on top of NIS2, focuses on the financial sector, and will apply in all EU member states starting January 17th, 2025.
It focuses on the following:
ICT risk management
ICT third-party risk management
Digital operational resilience testing
ICT-related incident management, classification, and reporting
Additionally, March 31, 2024 marks the retirement date for PCI DSS v3.2.1. With future-dated requirements becoming effective a year after that, organizations complying with that standard will have to do some house cleaning in their security systems this year.
On top of all that, the U.S. Securities and Exchange Commission (SEC) adopted new rules on disclosing cybersecurity incidents that came into full effect at the end of 2023. This is another example of the increasing cybersecurity scrutiny placed on companies by agencies, lawmakers, and regulators.
All of the above further cements the argument that focusing on cybersecurity is not an optional requirement for companies in the US and EU. It is becoming part and parcel of our legal systems and plays a critical role in running viable, large-scale businesses.
Look into cybersecurity trends for a security-first future
One of the biggest clichés in our ever-changing tech industry is the relegation of cybersecurity issues to an idyllic future when we’ll have the time and budget to devote proper attention to it. Unfortunately, this perspective is no longer viable as cyber threats are multiplying year after year.
Some of the cybersecurity trends we discussed might present quite a bleak outlook. Data breaches, a serious lack of cybersecurity measures and professionals, a booming cybercrime industry, AI in the service of threat actors, billions of connected devices… It almost seems like we’re on the brink of a dystopian future.
However, there are two sides to each story, and wherever there is risk, there is also a great opportunity for learning, improvement, and growth. This is the mindset that successful businesses have always taken to overcome challenges. By knowing what to expect, both organizations and individuals can prioritize security and find a strategic way of keeping what’s important safe and secure.
If you are looking for a security partner to help you assess and improve your security posture, our cybersecurity team specializes in penetration testing, phishing simulation campaigns, and DevSecOps practices. Contact us for a quick chat any time.