9 cybersecurity trends to watch in 2024 – TechTarget

As 2023 wraps up and 2024 kicks off, it’s time to look at the cybersecurity trends and predictions analysts and industry thought leaders have top of mind.
The past year saw a continued barrage of ransomware attacks, with many evolving into double and triple extortion efforts. AI and machine learning also took center stage with the unveiling of generative AI — as did attackers’ potential to use them maliciously.
Following are nine cybersecurity predictions and trends for 2024 to be aware of, even if they don’t all come to pass.
Attackers could more often use zero-day vulnerabilities to target multiple organizations, said Dick O’Brien, principal intelligence analyst at Symantec, part of Broadcom, an enterprise tech vendor. As evidenced in the MoveIt Transfer attacks, malware groups can use a single vulnerability to target multiple organizations that use the affected tool or technology.
“This is quite effective in that you get multiple victims for a single attack or campaign,” O’Brien said. “The damage is done before awareness of the TTPs [tactics, techniques and procedures] become common knowledge.”
Finding zero-day vulnerabilities isn’t easy, however. O’Brien said malicious actors need deep pockets or specialist skills to pull these attacks off, which could limit how widespread they are. Malware groups might opt to watch and observe the success of others before conducting their own campaigns.
The release of generative AI dominated the tech industry in 2023, so no trend list would be complete without looking at how it could affect organizations from a threat perspective. While attackers already use generative AI to improve phishing emails and reduce the likelihood of spelling and grammar mistakes, they will further integrate generative AI into their social engineering campaigns by using large language models to impersonate high-level decision-makers and publicly visible executives.
“People are super active on LinkedIn or Twitter where they produce lots of information and posts. It’s easy to take all this data and dump it into something like ChatGPT and tell it to write something using this specific person’s style,” said Oliver Tavakoli, CTO at Vectra AI, a cybersecurity vendor. “The attacker can send an email claiming to be from the CEO, CFO or similar role to an employee. Receiving an email that sounds like it’s coming from your boss certainly feels far more real than a general email asking for Amazon gift cards.”
To combat this social engineering attack, Tavakoli recommended organizations conduct employee awareness training, regularly determine their overall security posture and ensure their downstream security measures can handle an employee falling for a phishing attack.
“You don’t want to be overly reliant on any one particular defense mechanism,” he said.
It’s been said for many years, but 2024 could finally be the year passwordless takes off in the enterprise.
“This coming year we’re going to truly go passwordless, with biometrics being the winning modality,” said Blair Cohen, founder and president of AuthenticID, an identity and access management (IAM) vendor. “It’s finally going to happen.”
Biometrics makes sense as the common authentication option since people have used fingerprint and facial scanning on consumer devices for years, he said. It can also stand up to attack and fraud better than SMS or email one-time passcodes or other methods.
What industry standard wins out, however, is up for debate. FIDO2 is a contender, but not the winner, Cohen said. “I applaud it and think it’s great for everyday consumer use, but don’t think FIDO2 will be the choice of enterprises, large-scale banks, etc. There are just too many vulnerabilities,” he said, specifically highlighting its vulnerability to first-party fraud.
Jack Poller, analyst at TechTarget’s Enterprise Strategy Group (ESG), disagreed. FIDO2 is going to win in the consumer marketplace since many enterprise organizations, such as Google, Amazon and Apple, currently support it, Poller said, and because it’s phishing-resistant.
Continued economic uncertainty has led to tightened budgets. In 2024, CEOs will likely be working more closely with CSOs and CISOs to determine where to best spend budget security-wise, said Chuck Randolph, CSO, and Marisa Randazzo, executive director of threat management, at security vendor Ontic. This requires CSOs and CISOs to determine where their organizations’ risk exists and how to keep data and employees safe, both in-office and remote, they added.
“If I’m a C-suite individual, I’m thinking about risk prioritization, budget optimization and proactive investment in security, whether physical or digital,” Randolph said. Organizations should conduct a risk assessment and ensure stakeholders have a say in the security budget, he advised.
Randolph and Randazzo said there could be a convergence of IT security with physical or corporate security, such as identifying and monitoring potential insider threats and disgruntled employees. CISOs can offer input on IT security, they added, while CSOs consider workplace violence issues.
Expect to see more organizations embrace identity verification in 2024 to ensure employees, partners and customers are who they say they are during account onboarding, especially as AI improves.
“If I’ve never met you before, even if you’re appearing on Zoom, how do I know it’s really you and not an imposter with access to your computer?” ESG’s Poller said. “From an enterprise perspective, how do I authenticate you correctly against a government document?”
Organizations will increasingly use identity verification to onboard and secure account access or reset requests. The technology can also compare employee photographs and information to government documents, as well as provide liveness detection to ensure someone isn’t using an AI-generated image or video.
Organizations should invest more in proactive security tools and technology in 2024 to better detect vulnerabilities and security gaps, said Maxine Holt, senior director of research and content at analyst firm Omdia. With proactive security, she said, organizations can learn where to best spend their budget for their specific use cases.
Holt recommended organizations research proactive security technologies to decide which could most help them. She said to consider the following:
IoT adoption remains strong, and so does the lack of appropriate security measures on embedded devices. In 2024, we could see more regulatory scrutiny, especially as the threat of AI grows and malicious actors look for additional attack vectors.
“The regulatory outlook for connected devices will continue to evolve as governments and regulatory bodies develop more comprehensive frameworks to address the increased use and development of connected devices and the increased sophistication of attackers,” said Veronica Lim, U.S. product security leader at consulting firm Deloitte. “We’ll see organizations adhere more closely to cybersecurity-by-design standards.”
How organizations will handle increased regulations remains to be seen. Lim explained that organizations already struggle with patch management, which opens opportunities for attackers to exploit. “Connected devices are a frequent target for attackers because they often contain outdated and vulnerable software,” she said.
Breaching a third party, such as a vendor or partner organization, can net attackers more lucrative outcomes. Third parties have their own security strategies and infrastructure, which might not stack up to those of their customers, opening further vectors for attackers.
“The bad guys have gotten really good at identifying these third parties that help them get past the big security apparatus of bigger organizations, such as a bank,” said Alex Cox, director of threat intel at LastPass, a password manager vendor. “A big bank spends a ton of money on security, but the vendors they use don’t. If you get access to that vendor, it gets you access to a bunch of other companies.”
There’s no easy answer for organizations worried about third-party security, either. Cox said while it’s difficult to enforce a certain level of security with third parties, organizations should consider creating a security checklist their vendors must follow or require third-party security evaluations before doing business with any vendor.
Organizations obtain cyber insurance policies to ease the aftermath of ransomware attacks. At the same time, cyber insurance carriers are tweaking underwriting procedures. Certain vendors could be identified as red flags and affect an organization’s ability to get a policy in 2024. For example, if an organization uses a vendor the insurance carrier deems risky, such as Progress Software, which supplied the MoveIt Transfer application, the carrier could increase premiums or deny coverage.
“There is going to be more scrutiny under your hood when it comes to security posture and technology vendors,” said Jess Burn, analyst at advisory firm Forrester. “Product security is going to become something insurance carriers get more involved in. They’re going to ask organizations who provides the product and not just if you have it.”
Organizations might have to spend time vetting their current and potential vendor partners if cyber insurance providers want more say in their clients’ security posture, she said.
Some infosec professionals already think cyber insurance carriers have too much influence when it comes to incident response decisions. Forrester predicted this will continue in the coming year.
Kyle Johnson is a technology editor for TechTarget Security.