December 14, 2023
The cybersecurity field evolves constantly as technology advances, global events create uncertainty, and threat actors refine and improve their malicious tactics. While preparedness remains one of the most important facets of effective organizational cybersecurity, it can be difficult to plan for the year ahead with so many unknowns.
Global leaders and experts at FTI Consulting share their predictions for the most impactful cybersecurity trends to look out for in 2024.
Anthony J. Ferrante, Global Head of Cybersecurity
The confirmed election meddling in 2020 will put increased scrutiny on cybersecurity protections in this election cycle.¹ The threat is increasing not only in the United States, but around the world and will continue as more of the electoral process occurs digitally, creating new vulnerabilities and access points for threat actors to exploit.
David Dunn, Head of Cybersecurity, EMEA & APAC
Artificial Intelligence (AI) can analyze vast datasets, identify anomalies, and respond to threats to help defend against cyber attacks.² AI-driven security solutions (AIOps), are used to automate threat detection and incident response.³ However, AI can also pose a threat to businesses. Cyber criminals use AI to create deepfakes and execute other sophisticated attacks.⁴ When AI models are integrated into business operations, they are vulnerable to poisoning attacks that disrupt the output of models, and unauthorized employee use of AI runs the risk of data leakage.⁵
Thomas Hutin, Head of Cybersecurity, France
Zero-trust architecture refers to the security practice where all internal and external parties must be verified before accessing resources.⁶ It replaces traditional cybersecurity strategies that threat actors are increasingly able to surpass, like network security.⁷ The sophistication of threat actors will encourage more organizations to prioritize investments in enhanced cybersecurity models.
Eva Kwok, Head of Cybersecurity, Hong Kong
Integrating Internet of Things (IoT) into critical infrastructure is a reflection of the ongoing global trend towards creating smart cities to enhance efficiency, sustainability, and overall quality of life. While IoT integration into critical infrastructure offers many benefits, the interconnected nature of IoT systems can make them vulnerable to cyber attacks.⁸ As cities continue implementing IoT devices into their infrastructures, it will become more important than ever for municipalities to prepare for nation-state and financially-motivated threat actors targeting their infrastructures.⁹
Peter Fischer, Head of Cybersecurity, Germany
When organizations rely on Original Equipment Manufacturers (OEMs) for components of their products, they are also depending on the OEM to ensure the part is free from cybersecurity vulnerabilities. Recent incidents in 2023 will encourage organizations to more carefully scrutinize the cybersecurity practices of their suppliers to ensure their final products are not impacted by unknown supply chain cybersecurity issues.¹⁰
Collin Miller, Managing Director, Technology
Two-thirds of senior compliance professionals ranked third party risk as an area of heightened compliance concern for 2023, and this will stay consistent through 2024 as organizations continue to outsource services.¹¹ As threat actors find new and creative ways to access organizational data and systems through their external vendors, organizations will need to prioritize properly vetting third parties for cybersecurity controls.
Wouter Veugelen, Head of Cybersecurity, Australia
Organizations in Australia have thus far largely managed to avoid significant fines despite inadequate proactive cybersecurity measures, but recent changes to legislation and associated fines will soon have Australia following suit with Europe and the United States. The Privacy Legislation Amendment approved at the end of 2022 paved the way for the Australian government to start issuing fines up to $50 million for failing to protect customer data.¹² This has led to further warnings of impending fines from governmental agencies such as the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investment Commission (ASIC), while the Security of Critical Infrastructure (SOCI) Act requires entities in scope to comply with cybersecurity protections by August 2024 to avoid monetary penalties.^{13, 14, 15, 16}
Jordan Rae Kelly, Head of Cybersecurity, Americas
Individuals, especially Chief Information Security Officer (CISO) and Chief Executive Officer (CEO) roles, have faced heightened scrutiny and even fraud charges in high-profile cybersecurity attacks in recent years.^{17, 18} As regulatory agencies continue to enhance cybersecurity requirements, including the Security and Exchange Commission (SEC)’s new disclosure rules and the CISO annual board reporting requirement in the New York Department of Financial Services (NYDFS) updated cybersecurity rules, more executives will find themselves facing legal trouble for insufficient cybersecurity protection for their company and clients.^{19, 20}
Sara Sendek, Managing Director, Cybersecurity & Data Privacy Communications
Since the SEC cybersecurity reporting rule was announced in July 2023, organizations are increasingly taking quick action to file disclosures around ongoing cybersecurity incidents – often in the early stages of discovery and containment.²¹ Once CISA’s rules take effect, more companies will feel increased pressure to rush out quickly with disclosures to stay compliant with all requirements.²² Organizations need to have communications and incident response plans in place now, as required in the updated NYDFS cybersecurity rules, prior to regulators forcing their hand.²³
Anthony J. Ferrante, Global Head of Cybersecurity
When the White House released its National Cybersecurity Strategy in March of 2023, it touched on a long term plan to realign incentives for cybersecurity collaboration and resiliency.²⁴ In June of 2023, Iowa became the fourth state in the U.S. to adopt an incentive-based approach to encourage businesses to implement cybersecurity best practices, following the efforts of Ohio, Utah, and Connecticut.²⁵ These small steps forward in 2023 pave the way for a bigger push towards cybersecurity incentive programs in 2024.
2024 promises to be a year filled with challenges and opportunities in the realm of cybersecurity. As technology continues to evolve, so do the tactics of cyber criminals, making it crucial for individuals and organizations to stay informed and proactive in defending against cyber threats. By staying vigilant and adapting to these emerging trends, we can better protect our digital assets and information in an ever-changing and increasingly connected world.
Footnotes:
1: The Associated Press, “Putin-linked businessman admits to US election meddling,” AP News (November 7, 2022)
2: Kinza Yasar and Stephen J. Bigelow, “AIOps (artificial intelligence for IT operations),” TechTarget (June 2023)
3: Id
4: Yuen Pin Yeap, “Generative AI Is The Next Tactical Cyber Weapon For Threat Actors,” Forbes (October 16, 2023)
5: Tracy Wilkison, Eric Vandevelde, and Erin Burke, “Mitigating AI Cybersecurity Risks from the Top Down,” Law360 (August 4, 2023)
6: Computer Security Resource Center, “Zero-Trust Architecture,” National Institute of Standards and Technology
7: Id
8: Elizabeth Montalbano, “Severe RCE Bugs Open Thousands of Industrial IoT Devices to Cyberattack,” Dark Reading (May 16, 2023)
9: Todd Renner, “Protecting Smart Cities Through Cybersecurity,” FTI Consulting (October 25, 2023)
10: Elias Groll, “‘Downfall’ vulnerability leaves billions of Intel CPUs at risk,” Cyberscoop (August 8, 2023)
11: “Compliance Tech Priorities in 2023,” FTI Consulting (2023)
12: “Parliament approves Government’s privacy penalty bill”, Australia Attorney-General’s Portfolio (November 28, 2022)
13: David Ross, “APRA puts financial sector on notice to lift standards over its cyber security,” Cairns Post (November 4, 2023),
14: Nick Bonyhady, “The tougher regime for cyber threats that directors must heed,” The Australian Financial Review (September 19, 2023)
15: Wouter Veugelen, “Breaking Down the Security of Critical Infrastructure Act,” FTI Consulting (April 12, 2023)
16: Alec Christie, “Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’,” Lexology (February 27, 2023)
17: Christian Vasquez, “SEC sues SolarWinds and CISO for fraud,” Cyberscoop (October 31, 2023)
18: Tim Starks and David DiMolfetta, “SEC notices spark alarm for cyber executives,” The Washington Post (June 29, 2023)
19: “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission (July 26, 2023)
20: “Governor Hochul Announces Updates To New York’s Nation-Leading Cybersecurity Regulations As Part Of Sweeping Effort To Protect Businesses And Consumers From Cyber Threats,” New York Department of Financial Services (November 1, 2023)
21: “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission (July 26, 2023)
22: “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” Cybersecurity & Infrastructure Security Agency (March 2022)
23: “Governor Hochul Announces Updates To New York’s Nation-Leading Cybersecurity Regulations As Part Of Sweeping Effort To Protect Businesses And Consumers From Cyber Threats,” New York Department of Financial Services (November 1, 2023)
24: “National Cybersecurity Strategy,” The White House (March 1, 2023)
25: “Iowa Becomes Fourth State to Incentivize Cybersecurity Best Practices for Businesses,” Center for Internet Security (June 29, 2023)
December 14, 2023
Anthony J. Ferrante
Senior Managing Director, Global Head of Cybersecurity

© 2023 FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. All Rights Reserved.

source