Cybersecurity: Preparing for the future by learning from the past

As our modern society continues to adopt the digital world, cybersecurity is fundamental to the safety and security of individuals and businesses alike. 

Cyber-attacks are becoming more frequent and complex, posing serious risks to organisations increasingly targeted by cybercriminals. While these threats are very real, there are reasons for optimism, as we learn from our experiences and adopt new, innovative cybersecurity solutions. 

In this blog post, we will examine some of the key cyber-attack trends and emerging threats of the past 18 months and consider the current challenges faced by the industry. We will take a look at the events that we think will define the cybersecurity landscape in the year ahead and explain how you can set your security teams up to succeed.

Attack trends and emerging threats

Over the past 18 months, we have observed several cyber-attack trends that influenced the cybersecurity landscape. While some can be attributed to businesses failing to follow industry guidelines, new threats emerged posing novel risks to all organisations.

Current cyber-attack trends

The most notable cyber-attack trends we have observed include:

  • Mass exploitation of unpatched vulnerabilities and zero-day exploits. According to an Automox survey, around 60% of data breaches are attributed to unpatched software. Some of the biggest breaches of 2023 were due to the exploitation of unpatched vulnerabilities and zero-days, including the MOVEit hack that spawned around 600 breaches, affecting more than 2,500 organisations and resulting in the theft of millions of data records.
  • Readily available Ransomware-as-a-Service (RaaS) campaigns developed by organised criminal groups such as LockBit. In 2023, LockBit were behind several high-profile ransomware attacks affecting Royal Mail, Boeing, the Industrial and Commercial Bank of China (ICBC) and the UK’s Ministry of Defence (MoD). Ransomware attacks have become more sophisticated and targeted, often involving data exfiltration, extortion and public shaming of victims on social media.
  • Targeted e-commerce web-code attacks. Web-code based attacks leverage malicious code embedded in web pages or applications to compromise the user’s browser, device or data. One of the most prevalent web-code based attacks we observed involved injecting malicious JavaScript code into e-commerce websites or payment platforms to steal payment card information. The groups behind these attacks, collectively known as Magecart, have updated their tactics to better evade detection and exfiltrate payment information. Other web-code based attacks proliferating last year included formjacking, which hijacks the user’s input on web forms, and targeted attacks against payment plug-in services such as WooCommerce and Ninja Forms, which exploited high-severity flaws to compromise WordPress sites.
  • Attacks against insecure APIs. On average, organisations maintain 127 third-party API connections, but only 33% feel confident in securing them. There have been several well-known cyber-attacks due to misconfigured Docker APIs. In one, cybercriminals used publicly exposed APIs to deploy DDoS malware with crypto-mining capabilities. Elsewhere, T-Mobile was the victim of an attack that resulted in a significant data breach compromising customer information, although they did not disclose the API flaw used by the perpetrators.
  • Supply chain attacks resulting from compromised vendors. The largest supply chain compromise to date has occurred within the last 12 months, as cloud-based identity provider Okta was targeted, affecting all customer support users worldwide. More recently, the Snowflake breach has been linked to significant data breaches at Ticketmaster and Santander. By compromising an organisation’s supply chain, attackers can gain access to the organisation’s systems or deliver malicious payloads to a customer or partner. Supply chain attacks are expected to have cost the global economy $46 billion in 2023, increasing to $60 billion by 2025.

AI – An emerging threat trend

Artificial intelligence (AI) went mainstream in 2023, following the launch of ChatGPT in November the previous year. While AI offers myriad opportunities, it also presents a risk as its capabilities are abused and manipulated with malicious intent. We have seen several examples of this emerging threat come to light.

Cybercriminals have been quick to adopt generative AI models, including ChatGPT, Bard and Bing, to craft more convincing phishing content. These realistic and personalised emails can more easily bypass spam filters and deceive recipients, as they lack the tell-tale signs of more traditional phishing attempts. While emails remain the mainstay of phishing attacks, the appearance of highly convincing deepfakes motivating individuals to act – using visual or audio representations of senior leaders and celebrities – is unsettling, particularly as research suggests we are not very good at distinguishing genuine images or audio files from fakes.

Beyond phishing, we have seen cases in which public AI tools have been manipulated to divulge sensitive and prohibited information. Further, these tools have been used by hackers to obfuscate malware code, making it harder for security tools to detect. The first criminal AI tools, based on ChatGPT and designed to craft malware and other malicious software, have also emerged.

These cyber-attack trends and emerging threats emphasise the need for organisations to adopt a proactive approach to cybersecurity. However, the prevailing economic climate and its consequences present several challenges to businesses planning their cyber strategy for the future.

Taking stock of the cyber industry today

While the threat landscape has continued to evolve, the cyber industry continues to face its own, more mundane but no less severe, challenges.

Cybersecurity budget constraints

Cybersecurity budgets are influenced by wider economic and social factors, such as the pandemic, inflation and cost-of-living crisis, that affect the financial situation of both organisations and their customers. According to a report by IANS Research, cybersecurity budgets were cut or frozen for 33% of businesses during 2023, and the overall growth of cybersecurity spending slowed to just 6%, compared to 10% in 2022. This means that many security teams are tasked with maintaining or improving security capabilities with limited or reduced resources.

Cybersecurity skills gap widens

According to a report by (ISC)2, the cybersecurity skills shortage increased by 12.6% in 2023, reaching four million people worldwide, despite an 8.7% increase in the size of the cybersecurity workforce. In the UK, a government report highlights that 50% of all businesses have a cybersecurity skills gap, which affects their ability to prevent, detect and respond to cyber incidents. This means that many organisations are struggling to recruit and retain cybersecurity talent.

Decreased cyber insurance cover

Fewer companies have successfully secured comprehensive cyber insurance. According to a report by SecurityWeek, cyber insurance prices increased by 32% in 2023, and insurers required businesses to implement and evidence security controls and achieve and maintain compliance with industry standards. At the same time, insurers enforced policies with more exclusions and limitations, making comprehensive and affordable cyber insurance cover much harder to obtain for many businesses.

Supply chain management issues

Supply chain attacks became one of the most prevalent and impactful cyber-attack trends of the last year, affecting thousands of organisations. This places additional pressure on organisations to manage their supply chain and ensure the security of third- and fourth-party providers through adequate due diligence and oversight programmes.

Increased regulatory scrutiny

Over the last few years, industry regulators have become more demanding, and enforcement action against businesses failing to meet their statutory and regulatory obligations – wilfully or otherwise – has increased significantly. According to the ICO, the UK’s data protection authority, 77 enforcement notices were issued between 1 January and 20 December 2023, for various data protection and privacy violations. The largest fine of the year, issued against TikTok for misuse of children’s data, was £12.7 million, with several other million-pound fines issued to other private companies for misuse of data.

Despite these difficulties, the cybersecurity industry remains highly resourceful and capable of delivering against significant odds. Meanwhile, the pace of innovation means that organisations have access to tools and resources that can support their cybersecurity goals amid the prevailing economic outlook.

Looking ahead – What’s next for cybersecurity

As an industry, cybersecurity has not had an easy ride; however, we believe there are many reasons to be optimistic as we look ahead. While there are difficulties to overcome, there are solutions available now that will enable businesses to develop and enhance their cybersecurity capability and protect themselves and their customers against current and novel threats.

Here are our five predictions for what we can expect for the industry over the next 2–3 years:

1. Cyber budgets remain flat

We expect businesses to continue grappling for cybersecurity investment. While some analysts anticipate increasing global spend on security and risk management, we expect budgets to remain fairly flat as businesses aim to balance their cyber needs with their financial constraints. Businesses will make more strategic investments to optimise their cyber programmes for efficiency.

2. New regulations governing the use of AI

The trajectory of AI innovation is anticipated to persist and escalate in 2024. We expect governments to introduce legislation governing the development and use of AI alongside existing privacy laws and security frameworks. The European Parliament reached a deal on its comprehensive rules for trustworthy AI in December 2023, which will apply to all AI systems developed or used in the EU and set out requirements, prohibitions and sanctions for AI systems that affect fundamental rights, safety and security. Meanwhile, the development of global guidelines for AI development is in progress.

3. Automation for enhanced cybersecurity

We anticipate that businesses will introduce new tooling and automation to provide greater visibility across their environments, improving risk management and security oversight. We expect that tooling using AI-driven predictive analytics will grow, particularly in the areas of vulnerability management, access management and incident response. This will help drive operational efficiency while delivering improved cyber-response capabilities.

4. Continuous assurance for the supply chain

As a consequence of growing supply chain attacks, continuous assurance will become standard for all businesses. Suppliers and vendors need to be prepared for increasing assurance demands from their clients. Certifications such as ISO27001 will no longer be sufficient evidence of good cybersecurity practices. Meanwhile, businesses will look to their incumbent vendors for add-ons to existing solutions, such as demanding their web filtering services include video and audio packet inspection in response to deepfake threats.

5. Updated cybersecurity standards and frameworks

New standards will be introduced to keep pace with the continuing migration to the cloud and adoption of SaaS services by organisations. PCI DSS 4.0 has now come into force as v3.2.1 was retired on 31 March 2024. Organisations certified to ISO27001:2013 will need to migrate to ISO27001:2022 to meet the transition deadline of October 2025, while businesses looking to be certified for the first time will need to be audited against the latest version of the standard. Elsewhere, NIST released its updated Cybersecurity Framework (CSF) 2.0 in February 2024, expanding the scope of the standard to include organisations of all sizes and across all industry sectors.

Moving forward with optimism

As the year continues to unfold, we expect cybersecurity teams to face several challenges, as they grapple with novel threats amid continuing financial and resource pressures. As new regulations emerge, businesses will need to adapt, consolidating compliance efforts where possible, and work with a trusted partner able to provide support across all domains and address in-house skills shortages.  

Despite these challenges, we see huge potential for organisations to develop and enhance their cybersecurity capabilities. By adopting automation solutions to streamline operational processes, improve visibility and oversight of risks and vulnerabilities, and enable rapid response to current threats, organisations can boost cyber resilience and provide a greater depth of assurance to stakeholders.

Over the coming months, we will explore some of these challenges and opportunities in more detail. If you found this article interesting, please share it with your colleagues. You can also subscribe and keep up to date with all the latest Blackfoot news.
