After a few decades of analysis, these are my thoughts about the emerging security risks that are likely to dominate in 2024.
I'm kidding about the decades of analysis - who could have predicted ChatGPT even a couple of years prior?
As I write this, I am reminded of the adage that if you are going to make predictions, you should do so frequently. A wiser man than I would also restrict himself to predictions far enough into the future that he would no longer be around to face the music.
For better or worse, here are my thoughts about the year ahead.
Key Emerging Security Risks in 2024
AI-Assisted Cyber Threats: Artificial intelligence (AI) and machine learning (ML) are playing increasingly significant roles in cybersecurity. However, they will be increasingly exploited by attackers for sophisticated cyberattacks, including highly convincing phishing emails and deepfake scams.
Rise in Amateur Hackers: The number of amateur hackers will grow with an increase in resources and forums teaching hacking techniques on the dark web.
Valuable Stolen Customer Data: The theft and sale of personal data (social media credentials, driver’s licenses, addresses, etc.) on the dark web will become more prevalent, increasing the risk of identity theft and account hijacking.
Biometric Authentication Vulnerabilities: Despite advancements in biometric authentication, hackers are finding ways to bypass these security measures, indicating that biometrics should be part of a broader security strategy rather than a standalone solution.
Misconfiguration and Unpatched Vulnerabilities: These remain persistent issues and are a common cause of data breaches. Regular patch management, security audits, and the use of automated tools are essential to address these vulnerabilities. Expect to see the frequency of phone and computer patches increasing. This will also apply to routers, programmable logic controllers (PLCs), and basically everything that is connected to the internet.
IoT Device Security Risks: The rapid growth of IoT devices, which often lack robust built-in security, poses significant risks, and following on from the point above, expect to see updates happening more regularly with your cars, televisions, and coffee machines.
SMEs as Exploitation Channels: Small and mid-sized enterprises, often with less sophisticated security measures, are increasingly targeted as entry points to larger organizations. SMEs are the weak spot in our critical infrastructure and supply chains. And the bad guys have figured this out already, so I'm not giving away national secrets with this, er, amazing insight.
Phishing and Social Engineering: Despite efforts in training and awareness, phishing will only increase as a significant threat. Expect to see large organizations reevaluating strategies and investing in technologies like remote browser isolation to mitigate risks.
Escalation of Narrative Weaponization: Artificial Intelligence is set to broaden the scope and enhance the effectiveness of deepfake technologies and social media campaigns, impacting various sectors positively and negatively. This advancement is likely to lead to tangible outcomes, including public demonstrations, civil unrest, more capable terrorist recruitment, and isolated lone-wolf attacks.
Trending Security Measures and Strategies
Adoption of Zero Trust Architecture: This approach, which assumes no trust is given to devices or users by default, is gaining prominence as a means to enhance security.
Integrating AI and ML in Defense: While AI is being used by attackers, its integration into cybersecurity defense mechanisms is also on the rise, albeit at a slower pace.
Adapting to Quantum-Safe Cryptography: In anticipation of quantum computing, adapting cryptographic methods to be quantum-safe is becoming a priority.
The Changing Context
AI as a Double-Edged Sword: AI's role in both advancing cybersecurity threats and defenses is a critical theme for 2024. It's essential (as in, no longer optional) for organizations to stay updated with AI's evolving role in the cybersecurity landscape.
Increasing Role of Amateurs in Cybercrime: The growth of amateur hackers indicates a democratization of cyber threats, making cybersecurity a concern for a broader range of businesses and individuals.
Emphasis on Proactive Measures: The continued issues with misconfigurations and vulnerabilities in IoT devices underscore the need for proactive security measures rather than reactive approaches.
The Complexity of Security Solutions: As security threats become more sophisticated, the solutions are also becoming more complex, resulting in the integration of various technologies and strategies. Which, in turn, could be a death spiral with ever more complex security solutions - at least until we get a handle on how to manage this new complexity.
Need for Comprehensive Strategies: The vulnerabilities in biometric authentication and the persistent threat of phishing attacks highlight the need for multi-faceted security strategies that go beyond singular solutions. More buzzwords I'm afraid, but you can expect to see 'enterprise' turning up more often in security strategies.
Avoiding Base-Rate Fallacy
Base rate fallacy is a type of fallacy in which people tend to ignore the base rate (e.g., general prevalence) of risk events in favor of individuating information (i.e., information pertaining only to a specific case).
In plain English, we either focus on disaster stories or are irrationally optimistic about our ability to manage security better than our peers.
Prioritization Based on Likelihood and Impact: It's crucial to prioritize threats based on both their likelihood and potential impact. For instance, while AI-assisted attacks are alarming, their actual prevalence and impact should guide resource allocation.
Avoiding Overemphasis on Novel Threats: While emerging threats, especially those involving advanced technologies like AI, may capture attention, it's vital not to overlook more mundane but widespread risks such as misconfigurations and phishing.
In conclusion, there are no real surprises in store - until the next surprise comes along.
The security landscape in 2024 will be characterized by a mix of advanced technological threats and persistent traditional risks. The trick will be to adopt a balanced and proactive approach, integrating advanced technologies like AI and ML in their defense strategies while also addressing more common vulnerabilities through robust management practices.
We call it... security risk management.
"You've had your whole life to prepare for this moment. Why aren't you ready?" - Scott, from the movie Spartan (2004)
Preparation is everything, and forewarned is forearmed. My objective with this article can be summed up in this quote from Abe Lincoln.
“Give me six hours to chop down a tree, and I will spend the first four sharpening the axe.”