Whitepaper

The Top 5 Security Threats This Year

Noggin

Security Management Software

Published February 9, 2024

The Top 5 Security Threats of 2024

Mere days into 2024, the British Library[i], Beirut International Airport[ii], and mortgage loan firm loanDepot[iii] were all targets of high-profile cyber attacks.

They haven’t been the only ones.

And what’s worse, the data is suggesting that 2024, following up on 2023, will be another banner year for security threats.

So, what’s likely to come in the rest of the year? Here’s a list of the top five security threats of 2024:

1. Ransomware and cybercrime

The story of the last few years has been ransomware attacks.

Last year, high-profile targets included Royal Mail, the U.S. Marshals Service, TSMC, MOVEit, and others.

The MOVEit breach alone affected more than 2000 organizations[iv] and over 62 million people, with data taken from government agencies, school systems, big businesses, even HR and payroll services.

Will things improve? Experts are expecting worsening conditions in 2024, thanks to the rise of ransomware-as-a-service, i.e., the offering of pay-for-use malware.

What’s it all about?

In this cybercrime business model, the author of the ransomware makes that software available to customers, dubbed affiliates, who often lack technical skill of their own but can use the software to hold data hostage.[v] For their part, malware authors can scale earnings from the purchased software while off-loading personal risk to those who perpetrate the final crime.

In fact, it’s this scaling that’s of greatest concern in 2024. Not just from private criminals, either.

Like in previous years, cyberattacks are likely to be conducted by state-backed actors, as well, perpetrating operations to achieve geopolitical objectives.[vi] And as geopolitical tensions increase, as they have been, so too will the volume of cybercrime.[vii]

How big will cybercrime get? We can only guess; but it’s already a huge business, estimated by the World Economic Forum to be USD 6 trillion.

2. Third-party risk

In 2024, targeted organizations won’t be the only ones to worry about cybercrime. All other entities reliant on that organization for goods and services will have to be on guard, too.

The MOVEit breach already demonstrated the growing third-party threat. And it’s only likely to get worse, as hackers turn their attention to vulnerabilities in vendors’ systems to gain access to the data stored by organizations reliant on those vendors.

How bad has it gotten? Last year, 98% of organizations reported having a relationship with a vendor that experienced a breach within the last two years.[viii]

3. Critical infrastructure attacks

These hacker incentives are likely to be most acute when it comes to critical infrastructure entities. Nor will direct hits on key assets, such as last year’s attacks on a U.S. water and wastewater provider and the U.S. State Department, go away.

These attacks aren’t isolated incidents, though. They form part of an escalating trend. 2022, for instance, saw a 140% surge in cyberattacks against industrial operations resulting in more than 150 incidents.[ix]

Last year was even worse. Vedere Labs recorded more than 420 million attacks against global critical infrastructure targets between January and December 2023, or 13 attacks per second.[x] That staggering figure represented a 30% increase from the year prior.

For its part, the Cybersecurity and Infrastructure Security Agency (CISA) by mid-December 2023 issued guidance to manufacturers to eliminate the use of easy-to-exploit default passwords.

4. Cyber compliance

CISA isn’t the only regulator acting.

The deteriorating cyber risk environment has provoked a predictable backlash from a number of policymakers and regulators who have stepped up efforts to keep sensitive data safe.

From the Digital Operational Resilience Act in the EU to APRA CPS 234 in Australia, regulatory regimes are expanding precipitously. Indeed, if forecasts bear out, we are likely to see two thirds of the world’s population covered by data privacy regulations.[xi]

In 2023, for instance, five states rolled out comprehensive consumer privacy laws.[xii] The previous year, at least 40 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity, according to the National Conference of State Legislatures.[xiii] Of those, 24 states enacted at least 41 bills in 2022.

National regulators like the Securities and Exchange Commission (SEC) are increasingly proposing new disclosure requirements on regulated entities, as well, requiring publicly traded companies to report material cybersecurity incidents within four business days of determining materiality.[xiv]

By targeting the SolarWinds CISO, the SEC is also signaling that it’s ready to impose legal liability on named security leaders within organizations it considers deficient.

Healthcare regulators are also ramping up protections. The U.S. Department of Health and Human Services (HHS) is set to establish voluntary cybersecurity performance goals for the sector.

Meanwhile, the Centers for Medicare and Medicaid Services will propose new cybersecurity requirements for hospitals, and the HHS Office of Civil Rights has announced that it will update the HIPAA Security Rule to include new cybersecurity requirements. Under the aegis of the cyber security strategy to 2030, the U.K. is also ramping up security protections in the healthcare sector.

5. The capabilities gap

Compounding these challenges for organizations is a yawning skills gap in the industry, as security leaders groan under the effects of a shortage of skilled staff.

This capabilities gap isn’t new – it’s been tracked since the pandemic. However, a recent survey conducted by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) suggests it’s getting worse.

Now, over half of cyber security professionals believe that the impact of the skills shortage on their organization has worsened over the past two years.

Enhancing security in 2024

The question then becomes: what can be done to enhance security management this year?

The first thing is to understand that security management isn’t just one thing. As the diversity of threats suggests, security management is increasingly taking on multiple forms.

However, the most relevant types of security management include:

  • Information security management. Information security management is an organization’s approach to ensure the confidentiality, availability, and integrity of IT assets and safeguard them from cyberattacks.
  • Cybersecurity management. Similarly, cybersecurity management involves the strategic planning, operations, implementation, and monitoring of cybersecurity practices within an organization.
  • Operational security management (OpSec). Derived from the United States Military, OpSec is an analytical process that entails assessing potential threats, vulnerabilities, and risks to sensitive information.
  • Physical security management. Physical security refers to the protection of building sites and equipment (and all assets held within) from theft, vandalism, natural disaster, manmade catastrophes, and/or accidental damage.
  • Critical infrastructure protection (CIP). Every country has key assets that are vital to maintaining a strong economy and high quality of life. Critical infrastructure protection refers to the actions taken and the critical infrastructure protection technologies needed to prevent, remediate, or mitigate risks resulting from vulnerabilities of these critical assets.

Cyber resilience in 2024

Organizations will have to build strategies around these security management types. But as cyber risk tops the list of security threats in our own research, we’ll devote the remainder of this piece to addressing what’s needed to become cyber resilient in 2024.

So, what’s cyber resilience? According to the National Institute of Standards and Technology, cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.[i]

A set of capabilities, cyber resiliency enables companies to pursue those business objectives dependent on cyber resources in a contested cyber environment.[ii]

Of course, the sharp uptick in cyber incidents, as described, will inhibit cyber resilience. But that’s not the only challenge to cyber resilience. Alert fatigue is becoming equally acute.

To quantify: more than half (56 per cent) of large companies handle at least 1,000 data alerts of potential cyber activity per day.[iii]

As a result, fatigue is setting in as the overwhelming number of alerts is desensitizing responders, already overstretched, to individual alerts – even when those alerts carry valuable information.

How bad has the issue become?

According to the International Data Corporation, well over eight in every ten cyber security professionals say they are struggling to cope with the sheer volume of security alerts.[iv]

That’s no surprise. Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false leads than on actionable alerts.[v]

As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations.[vi] Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.

Strategies to increase cyber resilience in 2024

What then can be done to overcome these challenges and establish resilience against the top security threats of 2024? For starters, companies will have to build up their cyber security capability so that it’s commensurate to the security vulnerabilities they face.

How to go about it will necessarily vary by company. But all companies should be looking to minimize the likelihood and impact of information security incidents on the confidentiality, integrity, and/or availability of information assets, including information assets managed by related parties or third parties.

Best-practice strategies to pursue, here, include:

  • Clearly defining the information security-related roles and responsibilities
  • Maintaining an information security capability commensurate with the size and extent of threats to your information assets, and which enables the continued sound operation of the entity
  • Implementing controls to protect information assets commensurate with the criticality and sensitivity of those information assets
  • Undertaking systematic testing and assurance regarding the effectiveness of those controls

Digital technology to help build cyber resilience in 2024

Of course, strategies must be implemented expeditiously to help secure cyber resilience. And to that end, we recommend finding a flexible, configurable, digital security management software that helps plan and manage information, operations, and communications.

Such a solution would capture and consume information from multiple sources, including reports, logs, communications, forms, assets, and maps, providing a real-time common operating picture of the task or operation at hand.

Leveraging powerful, yet easy-to-set-up workflows, the user-friendly solution would control and automate management processes and standard operating procedures, keeping the right stakeholders informed across multiple communications mediums.

Analytics and reporting tools would ensure that decision-makers have the correct information in the best available format, when they need it. The solution would also track tasks to ensure that the right actions are taken and followed through, helping you to assign, manage, and track resources.

More specifically, the system would provide a case management framework that orchestrates information flows throughout the organization, providing consistency where multiple systems, sources, and processes are employed, as well as enabling the secure exchange of information and coordination of resources across multiple stakeholders, who themselves might have varying security constraints.

On top of those information and strategic incident management capabilities to help maintain cyber resilience, specialist intelligence application benefits would include:

  • Reinforce intelligence tasking and response with an auditable record of changes.
  • Powerful workflow builder to automate review, approval, escalations, and interactions across the organization and externally.
  • Ability to relate assets, events, contacts to provide a complete picture of requests, incidents, and tasks, including mapping for geospatial information, timelines for understanding changes and progressions in context, as well as alerts to automatically flag issues for further attention.
  • Configurable dashboards that provide an executive view of progress, emerging issues, and crises.
  • Support for scalable processes to handle routine or commodity threats through to Advanced Persistent Threats (APT).
  • Support for intelligence gathering for entities of interest including evidence gathering and multi-party coordination.
  • Configurable security model to accommodate low-privilege users, such as third-party IT staff, so they can log threats and incidents or receive reports without gaining access to more sensitive information.
  • Asset inventory and logging to highlight prioritized assets or other high impact items.

Conclusion

Finally, 2024 is off to a rocky start. And things are likely to get worse. The only recourse organizations will have against the top five security threats of 2024 will be a smart security strategy.

Fortunately, businesses won’t have to go it alone this year. Integrated security management solutions like Noggin help organizations proactively safeguard their people, assets, and reputation with actionable threat intelligence, enhanced situational awareness, and robust incident reporting to restore normal operations quickly and strengthen their resiliency when faced with adverse events.


Sources

i Daniel Cassady, ARTNews: Hundreds of Online Museum Collections Suffer in Cyber Attack. Available at https://www.artnews.com/art-news/news/cyber-attack-museums-gallery-systems-1234692222/.

ii Pierluigi Paganini, Security Affairs: A Cyber Attack Hit the Beirut International Airport. Available at https://securityaffairs.com/157079/hacking/cyber-attack-hit-beirut-international-airport.html.

iii StreetInsider: loanDepot (LDI) Experienced a Cybersecurity Incident. Available at https://www.streetinsider.com/Corporate+News/loanDepot+%28LDI%29+Experienced+a+Cybersecurity+Incident/22604157.html.

iv Wes Davis, The Verge: MOVEit cyberattacks: keeping tabs on the biggest data theft of 2023. Available at https://www.theverge.com/23892245/moveit-cyberattacks-clop-ransomware-government-business.

v Sean Michael Kerner, Tech Target: Definition: ransomware as a service. Available at https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS.

vi Madeline Lauver, Security Magazine: Security budgets may double or triple in 2022. Available at https://www.securitymagazine.com/articles/96802-security-budgets-may-double-or-triple-in-2022.

vii Ibid.

viii Professor Stuart E. Madnick, Ph.D.: The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase. Available at https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf.

ix Jonathan Reed, Security Intelligence: High-impact attacks on critical infrastructure climb 140%. Available at https://securityintelligence.com/news/high-impact-attacks-on-critical-infrastructure-climb-140/.

x Businesswire: At 13 Attacks Per Second, Critical Infrastructure is Under Siege. Available at https://www.businesswire.com/news/home/20240123671589/en/At-13-Attacks-Per-Second-Critical-Infrastructure-is-Under-Siege.

xi Gartner: Gartner Says By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations. Available at https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w.

xii Gary Kibel, Reuters: New privacy laws in 2023 — considering draft regulations. Available at https://www.reuters.com/legal/legalindustry/new-privacy-laws-2023-considering-draft-regulations-2022-11-16/#:~:text=November%2016%2C%202022%20%2D%20There%20are,%2C%20Colorado%2C%20Utah%20and%20Connecticut.

xiii National Conference of State Legislatures: Cybersecurity Legislation 2022. Available at https://www.ncsl.org/technology-and-communication/cybersecurity-legislation-2022.

xiv U.S. Securities and Exchange Commission, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Available at https://www.sec.gov/news/press-release/2022-39.

xv Computer Security Resource Center, National Institute of Standards and Technology. Available at https://csrc.nist.gov/glossary/term/cyber_resiliency#:~:text=Definition(s)%3A,are%20enabled%20by%20cyber%20resources.

xvi Ibid.

xvii Staff, Dark Reading: 56% of Large Companies Handle 1,000+ Security Alerts Each Day. Available at https://www.darkreading.com/risk/56-of-large-companies-handle-1-000-security-alerts-each-day.

xviii Paul Kelly, Open Access Government: Cybersecurity strategies: fighting alert fatigue and building resilience. Available at https://www.openaccessgovernment.org/fighting-alert-fatigue-and-building-resilient-cybersecurity-strategies/139904/.

xix Edward Segal, Deloitte: Impact of COVID-19 on Cybersecurity. Available at https://www.forbes.com/sites/edwardsegal/2021/11/08/alert-fatigue-can-lead-to-missed-cyber-threats-and-staff-retentionrecruitment-issues-study/?sh=1f2f3c9135c9.

xx Ibid.