As businesses continue to grow online and rely further on digital capabilities, designing your organisation to be ‘secure by default’ is becoming more important than ever.
Almost every credible source will tell you that the volume of cyber attacks is up this year. But this is not a new headline, and as technology and information security professionals we are already primed for it. What is far more interesting is how cyber crime has changed and how we can respond to those changes.
So what did we learn in 2023?
Breaches and attacks
Many of the most high-profile attacks of this year can be traced to relatively straightforward attack vectors. The Optus breach, one of the largest in recent history, compromised 10 million records and was, we are told, the result of nothing more than an exposed API. This tells us that basic security controls are not working, and we need to be questioning whether the controls we have designed are actually in place and effective. There really is no substitute for testing.
The Police Service of Northern Ireland breach earlier this year, where the details of 10,000 officers and civilians were accidentally published online, has reminded us that people with legitimate access continue to be both the first line of defence and the weakest link. Practical guard rails and good education on the fundamentals are essential to avoid situations like these.
Phishing attacks using messages generated by AI are on the increase, and this is leading to more credible messages being sent. Indeed, Darktrace reported a 135% increase in ‘novel social engineering attacks’ over the month in which ChatGPT went into widespread adoption. This means a proportionate reduction in obvious phishing messages, which leads to higher click-through rates from users.
Knowing where your data is has become a real problem. The combination of cloud and extended supply chains has left security teams with a challenge. Take, for example, a project to move from an on-prem CRM platform to Salesforce that is being delivered by a project manager in marketing. In scenarios like this it can be hard for information security teams to know what is going on.
Ensuring security is represented in digital engineering processes has always been important but now more than ever we are seeing a split between organisations that have managed to do this successfully and those that have not. Security must be easy for development teams to apply and the relationship must be collaborative in both directions if we are to avoid good security being bypassed.
Board awareness of cyber risk is increasing and that means boards need good quality risk data that is presented in a form that they can understand. This is often a challenge where risks are reported in purely technical terms or based on control maturity rather than business impact. In some sectors, the operational resilience agenda has been able to really help in providing a focus on the key issues and accessible information for senior leaders.
What should we be looking out for in 2024?
Security products and devices
Passwordless authentication is being driven by many of the key names, including Apple and Google, which have been using it for some time on personal devices. Adoption of the FIDO2 security model is gathering pace, due to its ability to significantly mitigate the risk of password theft, phishing attempts and replay attacks.
In parallel, we are seeing an increase in the packaging of security products with commodity cloud IT services. This challenges the decades-old model of third parties providing security add-ons for otherwise inadequately secured platforms. There are benefits here, particularly in terms of ease of implementation, but there is a risk that unique needs will not be met.
Geopolitical tensions are likely to lead to an increase in attacks by nation states and hacktivists, so reflecting on these in the context of your own organisation is important. Where you are headquartered, who you are funded by and who you might be seen to support are all factors to be taken into consideration.
We also expect to see more attacks on the supply chain, resulting in compromises to suppliers that can subsequently be used to pivot into customer environments. Ensuring that suppliers are committed to good cyber security hygiene and auditing appropriately is an important basic first step, but attention should also be paid to information boundaries and the level of access that is provided.
We believe 2024 will be the year that a consensus on defence against AI-based attacks will start to emerge, particularly as such attacks become more apparent. We see this leading to a spike in demand for experts who can move between the AI and cyber security domains as ‘secure by default’ becomes a necessity.
Increasing awareness of quantum-ready thinking is certain. We aren’t yet at the point where quantum computing poses an immediate threat, but we are starting to see more questions being asked about what a roadmap to readiness might look like. Now might be a good time to catalogue the encryption algorithms that you are using across your estate.
So, in planning for 2024 it is worth looking at how you can build security into the systems, processes, and mindset of the organisation. This will enable you to understand the opportunities and impact of new technologies (such as AI and quantum) and to design how you will use them to help your organisation grow in the digital world.
Rasika Somasiri is a cyber security expert at PA Consulting.