As 2023 draws to a close, experts from My1Login, i-confidential and OSP Cyber Academy gaze into their crystal balls and give their cybersecurity predictions for the year ahead.
Mike Newman, CEO of My1Login: Cloud migration will expand the attack surface
“In the last year organisations have continued to transform by moving more of their applications and data into the cloud. While this has improved the efficiency and availability of services, it has also expanded the enterprise attack surface.
“In parallel, we are also seeing organisations migrate their entire corporate directory to the cloud, typically with platforms like Microsoft Entra ID. Many of the applications that historically integrated with the on-premise corporate directory for Single Sign-On will now require manual, password-based authentication, increasing the burden on users and also further extending the attack surface for malicious actors.
“Despite its widespread adoption, Microsoft Entra ID only provides a Single Sign On experience for a subset of enterprise applications. This means employees will have a continued, and potentially increasing, reliance on multiple passwords to access cloud applications that can’t natively integrate with Microsoft Entra ID. But this leaves login credentials in the hands of employees, where they are least safe, and it also leaves worrying gaps in enterprise security.
“Malicious actors will continue to exploit these gaps in the year ahead, but their attacks will be super charged with the power of Generative AI.
“They will use AI to spoof the login pages of legitimate applications, and create sophisticated phishing emails to trick employees into handing over corporate login credentials. Once stolen, these login details will be used to access a wide range of corporate resources to steal sensitive data or execute ransomware.
“With the global migration to the cloud leaving gaps in enterprise security, and tools like ChatGPT landing in the hands of criminals, it’s safe to say the stars are set to align for malicious actors in the year ahead.”
i-confidential: People will be the solution
Defending Against Attacks
Ransomware attacks will continue to dominate the threat environment in the next year, and organisations must increasingly look to their people to help them survive in this digital battlefield.
To achieve this, investment in awareness programmes and phishing simulation exercises is essential. These shouldn’t be one-off initiatives. They need to be continuous and updated regularly to ensure they remain relevant as attacks evolve.
When organisations view employees as their first line of defence, and arm them appropriately, it doesn’t matter how phishing or ransomware attacks are executed. Whether they use the latest advancements in Generative AI or go back to their historic roots with Nigerian princes emailing out of the blue with an offer you can’t refuse, people will know to think hard before they click.
Maintaining Strong Foundations
Foundational security isn’t a hot new topic, but its importance will continue to increase in the year ahead, especially in the face of Generative AI.
People are still at the heart of maintaining security. Organisations must focus on getting the basic principles right to help block attackers from getting into their networks. Foundational controls must also take into account complex supply chains, which have the ability to impact data. Some key areas to focus on include:
Having an up-to-date asset inventory and an understanding of critical assets.
Having an up-to-date third-party inventory.
Ensuring policies and standards are current, regularly reviewed, and tested.
The payback is that organisations will be in control of their security. They’ll be able to make sound decisions about priorities, investments, and future strategy. They will also be able to investigate incidents more quickly and effectively.
Organisations struggling with weaknesses in their foundational security will invariably need to turn to experienced security practitioners for help, not AI.
Again, it is people who can make the biggest difference, helping to build foundational controls based on specific business needs.
The Gap is People, Not Tools
Organisations still struggle to find people with the skills needed to fix their security problems. In the year ahead, closing these gaps will become more important than ever because AI is set to change the threat landscape in the favour of adversaries.
No one can afford to overlook these security challenges. Relying on ‘gig economy’ workers and savvy recruiters will become more important than ever, while innovative university courses, such as ethical hacking, and college apprenticeships will spawn a new generation of cyber talent.
Organisations need to look to these initiatives to address their control weaknesses and bolster their inhouse teams with new talent.
Thomas McCarthy, CEO of OSP Cyber Academy: AI will be weaponised by attackers and defenders
“If 2023 was the year that tech companies revolutionised AI, 2024 will be the year attackers weaponise it.
“AI has the potential to be weaponised by both attackers and defenders, leading to a “cyber arms race” in what will be an unregulated and unharmonised fight.
“In the year ahead, AI will be used as a mass-cyberattack tool, with criminals using the technology to launch sophisticated phishing scams at scale. These scams will be highly convincing, down to the spelling, font, and tone of a legitimate brand, so internet users will fall victim at scale.
“AI is currently dominating C-level conversations, with CEOs and CTOs wanting to understand how threats will evolve and where they are most vulnerable.
“The entire technology stack is at risk. AI will be used to scan and exploit vulnerabilities across all IT systems and supply chains, and it will target people with social engineering and phishing.
“To tackle the threat, we will see more defenders using AI to detect attacks quicker and learn about AI-generated phishing scams, so they can be blocked before they reach user inboxes.
“AI will dominate the cyber landscape in 2024 in ways few people can imagine. If they thought this year was bad, they ain’t seen nothing yet.”
For more cybersecurity news, click here
