Ransomware, data breaches and fraud continue unabated, with cyber insecurity as well as misinformation and disinformation being the top and fourth risks, respectively, for the upcoming two years as projected in the World Economic Forum’s Global Risks Report 2024.
The attack surface grows ever more complex with the increased adoption of cloud, AI (driven by generative AI, or genAI) and Internet of Things (IoT) connectivity. Hackers are already attacking concentrations of common software and services to maximise their returns on investment.
Additionally, critical infrastructure continues to be targeted as entire city networks, emergency networks, water treatment plants and power utilities are breached amidst rising geo-political tensions. Hackers are leveraging executives via messaging platforms and targeting enterprises’ social media accounts for disinformation.
While multinational corporations have the resources to at least make an effort to level the playing field with hackers, small and medium enterprises, and individuals, are struggling where resources and expertise are scarce, and with budget and manpower cuts made at every economic downturn.
As the cyber security divide shows signs of widening further with the volatile threat landscape, 2024 will be a year of bridging this divide, both for SMEs as well as individuals. I anticipate that this will take shape across the ecosystem of regulators, enterprises and technology providers in the areas below. (Disclaimer: The opinions expressed in this post are my own and not necessarily those of my organisations.)
REGULATORS: Extending the reach of regulatory muscle and enforcement
1. Defending forward will see greater traction. Regulatory bodies will flex greater muscle in enforcing take-down operations of ransomware gangs, botnets, scam call centres and disinformation sites. Regulators will also consider enforcement with internet service providers to protect national internet fabrics, and to shield machines from being infected or controlled. Both AI harms and quantum risks will be in the cross-hairs as they are being watched closely to protect the public while gaining buy-in from big tech. AI regulations may change in reaction to the impact disinformation and deepfakes could potentially have on election outcomes.
2. Increased oversight over CIIs and reclassifying sectors. Mandated reporting of cyber incidents will be more prevalent across regulatory frameworks. Critical information infrastructures (CIIs) and supporting ecosystems, digital trust, cyber resilience and cybersecurity maturity will come under greater scrutiny. As more non-CIIs that CIIs depend upon are breached, a review of industry sectors not previously categorised as CII sectors will be considered. SBOM and HBOM oversight will be a key area of focus to manage supply chain risk.
3. Supporting SMEs with greater handholding and guidance plus financial aid. Cyber security authorities will elevate the amount of guidance and support to SMEs, providing free or subsidised resources including self-assessment toolkits. SMEs that perform well will be recognised in public ratings.
4. Greater regulatory clout on widely used infrastructure and services. Elevated focus on security-by-default and by-deployment (i.e. professional services) by vendors and service providers will be demanded beyond security-by-design. This will cover CSPs, OEMs and OSS. More regulations will require software vendors to declare their SBOM/HBOM, and licensing schemes for MSSPs will widen. Software/hardware may see greater categorisation to distinguish more secure products from the less secure ones.
ENTERPRISES: Board and CISO accountabilities and responsibilities will be reviewed
1. Board and CISO accountability/responsibility clarified. Increasingly, a focus on board accountability and on cyber security has been highlighted and elaborated through revised SEC rules. Boards, in turn, will demand independent assurance and visibility of risk/security metrics as scrutiny on resilience and third-party risks rises with more publicized breaches. Increasingly, the CISO who is given cybersecurity accountability, beyond just responsibility, will demand greater empowerment to make cyber decisions.
2. CISO liability, insurance and unionization generate focus. The cases of Uber and SolarWinds have triggered the question of CISO liability. When the s*** hits the fan, the CISO’s due diligence is brought into question. CISOs will demand better remuneration and/or job security insurance. Furthermore, CISOs caught in structural conflict and security theatrics will have second thoughts about downplaying bad reporting. CISOs will also increasingly seek out peers and rely on their CISO networks as sources of strength, support, insights and intelligence.
3. Securing the enterprise better. CISOs will extend oversight not only into vendor environments but also development/test environments as hackers leverage weaker entry points of the enterprise. Strengthening resilience will increasingly be a core part of the entire enterprise security strategy.
3.1 Increased scrutiny and oversight into TVRA of environments supporting crown jewels will take place. This coverage extends to CSPs, OEMs, OSS as well as social media platforms. Cloud security enhancements previously planned will be implemented.
3.2 Management of third-party risk, tighter remediation timelines on KEVs (especially those flagged with ransomware indicators), adversarial simulation with red/purple teaming engagements and extension of TTXes to suppliers will see greater traction and oversight.
3.3 Greater enforcement of third-party requirements at the tendering and ongoing monitoring stages will take place. As the risk of supply chain breaches increases, consideration may be given to bringing back in-house what is already outsourced.
3.4 IAM will be strengthened, such as against MFA fatigue attacks. A zero-trust mindset will be more prevalent with more enterprises increasingly incorporating assumed breach as part of their approach. Passwordless authentication will see greater adoption.
3.5 The levelling up of cyber security maturity for OT beyond IT will also be more prevalent. As more cyber insurers use proprietary maturity assessments, there will be discussions on harmonisation and standardisation to allow reports to be ported among insurers and organisations.
3.6 CISOs will have to incorporate controls to counter adversarial AI tactics and foster synergies with data and AI governance teams. Controls to ensure quantum-resistant cryptography in the symmetric space to future-proof encrypted data and transmissions will also be put in place if they are not already.
3.7 Response to the ever-evolving threat landscape will entail greater adaptability and agility. Policies, standards, procedures, risk registers, OKRs, KRAs and KRIs will be updated more frequently. Staffing will also take a more agile approach.
TECHNOLOGY PROVIDERS: Securing emerging technology and emerging security technology
1. Leveraging AI for cyber security increases. Technology providers will increase their pace of integrating generative AI into their cyber security products and services, riding on already keen interest. AI will be leveraged in adversarial simulations as well as countermeasures against deepfakes, quishing/phishing attacks, etc.
2. Quantum resilient cryptography discussions get serious. Vendors will continue watching NIST candidates for PQC closely. As interest in QKD to secure communications grows, making the first moves in setting infrastructure/application cryptography standards will be a key driver for vendors desiring a competitive advantage.
3. Exploration into possible synergies between AI and quantum. The integration of AI and quantum in the form of QML in MLOps will also be of interest as big security data requires advanced analytics to detect highly sophisticated attacks.
4. Watching the regulatory space closely. As regulators tighten their oversight over technology providers, vendors will increase their efforts to follow a more rigorous technology development process: a security-by-design pipeline, equipped with security-by-default settings and documented with security-by-deployment guidance for consumers. Technologies that defend against deepfakes and disinformation will be sought after, especially prior to election campaign periods.
In summary, 2024 will be an interesting year to keep a close watch on all these initiatives and drivers, and hopefully our community of regulators, enterprises, technology providers and individuals can level the battlefield as the fight rages on between defenders and attackers in an ever-volatile and complex environment.
Steven Sim Kok Leong is a member of the Information Security Advisory Group at ISACA and chair of the OT-ISAC Executive Committee