How can an organization prepare to be cyber-resilient in 2024? The major trends to look out for seem to focus mainly on AI. While the rise of generative AI indeed poses challenges, executives should be cautious not to miss other critical trends that will shape the cybersecurity landscape this year.
AI-driven Social Engineering
Since the advent of commercial Large Language Models (LLMs), many have criticized the numerous possibilities they offer to malicious cyber actors. That's not all, though. AI also enables cybercriminals to obtain large amounts of data to launch phishing attacks. The rise of deepfakes, which trick unaware users by impersonating trusted sources, is also a real threat.
Currently, there seems to be no definite technological answer to end deepfakes. Instead, most advice focuses on maintaining good cybersecurity practices. AI algorithms are so sophisticated that they evade detection, which makes things much more complicated.
AI is changing the social engineering industry, but if 2023 was a year of taking stock of this new threat and catching up with the creativity of threat actors, 2024 looks set to create greater problems with more severe consequences.
Cybersecurity AI
Generative AI put a new spin on artificial intelligence and caught everyone by surprise late in 2022. Even before then, threat actors had begun deploying AI to launch new types of attacks. However, the realization is fully dawning that the way to combat these AI-driven attacks is also through AI – Cybersecurity AI. The rapid evolution of LLMs in 2023 caught many executives by surprise, as there was no concrete plan to counteract the negative consequences.
Regardless, in 2024, organizations have no excuse for not prioritizing cybersecurity AI, including for attack surface management. One particular area of concern is the increasing use of commercial AI tools by employees. To avoid data leakage and exfiltration, organizations must create acceptable-use policies.
National US Data Privacy Regulation
Corporations have been complaining about the complicated patchwork of privacy laws under which the United States operates. Various sectors, such as healthcare and financial services, are governed by specific laws. Privacy laws, particularly in the interest of protecting underage users, are also on the rise.
However, the major challenge remains the lack of a federal data privacy regulation that applies in every state. As things stand, trying to adhere to data privacy regulations from all the different states is exhausting for a corporation.
This is completely different from the European Union, where 27 countries are governed by a single data privacy law. So far, the largest attempt towards this goal is the American Data Privacy and Protection Act, and despite gaining bipartisan support, it was never implemented.
More state laws – notably in Florida, Texas, and Montana – are coming into effect soon. However, the call for a federal regulation persists. Considering the increasing threat posed by AI, this year may finally be a landmark year for the US’s national data privacy law.
Ransomware
In the past few years, the corporate world has battled fiercely with ransomware, a particularly lucrative form of cyber attack. While many thought that the “good guys” were finally winning the war, it turned out that, according to the 2024 Ransomware Threat Landscape report, ransomware attacks spiked towards the end of 2023.
Though the policy declaration is not legally binding, there was a glimmer of hope in November as 50 members of the International Counter Ransomware Initiative pledged not to pay ransomware extortion demands.
State-sponsored Cyber Attacks
We were barely two weeks into January when Microsoft detected a Russian state-sponsored attack against its systems. This illustrates another trend that has persisted over the past few years and emphasizes the need to urgently tackle attacks of this nature. State-sponsored attacks are far more dangerous than other attacks because they threaten national security, compromise critical infrastructure, and escalate geopolitical tensions through espionage and other sinister activities.
Major international crises, including the Russia-Ukraine war and the Israel-Palestine conflict, persist in 2024, with no bright signs of any positive change. Large corporations and governments need more concerted efforts to repel these attacks.
Passwords and Passkeys
Authentication has been a major challenge in cybersecurity, and over the years, passwords, despite posing a convenience challenge, have solidified their role as the most secure authentication standard. However, the corporate world may finally be fully ready for a more secure, passwordless approach to security. Through passkey sign-on technology tied to biometrics or hardware keys, users no longer need to remember several passwords while resting assured of a high level of security.
Even though there is still a long way to go before passkey sign-on is fully normalized, its adoption by Google, Apple, Microsoft, X, Amazon, and various password management tools means that enormous strides will be recorded – and are, in fact, already being recorded – in 2024 as passkeys increasingly become the global login standard. However, passwords will not completely disappear any time soon. So, security on that front shouldn't be jettisoned.
Mobile Security
Cyber attacks on mobile devices have become more frequent as these gadgets have become work tools. Google's announcement at the end of last year that Android 14 will enable passkeys was a significant development in mobile security. Yet, there's still a lot to be done. For instance, according to Kaspersky, adware is still a major challenge, making up over half of mobile device risks. Of course, phishing remains a challenge, too. These challenges cut across platforms.
According to Zimperium's mobile security report for 2023, 80% of zero-day mobile exploits targeted iOS devices, while the number of critical Android vulnerabilities detected rose 138% year over year. Mobile operating system makers continue their commitment to greater security in 2024, and this is an area to keep an eye on.
Conclusion
Cybersecurity challenges are never-ending. However, by staying ahead of the curve, organizations can ensure they are not playing catch-up in a game where threat actors are making massive strides. By addressing these trends, businesses can guarantee that they are staying on top of the cybersecurity situation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.