Asking the question about how much IT security is enough is about as useful as enquiring about the length of a piece of string. The answer is, “it depends”. What is certain, however, is that the threat landscape is changing. Artificial intelligence (AI) offers risks and opportunities, and the wars in the Middle East and Ukraine have increased the likelihood that critical national infrastructure and major enterprises in the West will be targeted.
Steven Sim Kok Leong, chair of the executive committee at the Operational Technology Cybersecurity Information Sharing and Analysis Center, expects to see the extent of ransomware attacks, data breaches and fraud continue to rise. He points to the World Economic Forum’s Global risks report 2024, which predicts that cyber insecurity, as well as misinformation and disinformation, will be the top and fourth risks, respectively, for the next two years.
Looking at the evolving threat landscape of 2024, Sim Kok Leong says: “The attack surface gets ever more complex with the increased adoption of cloud, AI – thanks to generative AI [GenAI], the IoT [internet of things] and connectivity. Hackers are already attacking concentrations of common software and services to leverage their returns on investment.”
Preparing enterprises for increased risk
In January, the Department for Science, Innovation and Technology (DSIT) published a draft code of conduct to help enterprises manage cyber security. Designed in partnership with industry directors, cyber and governance experts, and the National Cyber Security Centre (NCSC), the code includes measures that ensure companies have detailed plans in place to respond to and recover from any potential cyber incidents. The response plan should be tested regularly to ensure it’s as robust as possible, with a formal system for reporting incidents also in place.
The measures include ensuring software is developed and maintained securely, with risks better managed and communicated throughout supply chains. The government is working with industry to develop these proposals further, from developing a code of practice for software suppliers, which will form the crux of this proposed package, to cyber security training for professionals.
Security skills gap
While multinational corporations have the resources to at least make an effort to level the playing field with hackers, Sim Kok Leong warns that small and medium-sized enterprises (SMEs), and individuals, are struggling where resources and expertise are scarce, and with budget and manpower cuts made at every economic downturn.
Looking at skills, Harshini Carey, senior manager at Turnkey Consulting, notes that the continued shortage of skilled personnel and experts to safeguard companies from cyber threats remains a prevalent global concern. For instance, in the UK 50% of businesses have a basic cyber security skills gap, while 33% have an advanced skills gap.
There are a number of reasons for the ongoing lack of defenders. Carey points out that the highly stressful nature of cyber security roles has caused many professionals to leave the sector. Last year, Gartner reported that stress was behind nearly half of cyber security leaders planning to change jobs by 2025, with half of that number saying they would exit the security industry permanently.
“As well as heightening the skills shortage, stress makes cyber security professionals less effective at their role,” she adds. A 2023 report looking at the implications of stress found that 65% of CISOs in the US and UK felt stress compromised their ability to protect their organisation.
Risk for security chiefs
Sim Kok Leong expects that 2024 will see a greater focus on CISO liability, insurance and unionisation. “The cases of Uber and SolarWinds have triggered the question of CISO liability,” he says.
When there is a major cyber security issue, Sim Kok Leong says the CISO’s due diligence is brought into question. As a consequence, he expects CISOs will demand better remuneration and/or job security insurance.
“CISOs caught in structural conflict and security theatrics will have second thoughts about downplaying bad reporting,” he adds. “CISOs will also increasingly seek out peers to rely on their CISO networks as sources of strength, support, insights and intelligence.”
Sim Kok Leong recommends that company board members and CISOs ensure they clarify accountability and responsibility. “Increasingly, a focus on board accountability and cyber security has been highlighted and elaborated through revised SEC [Securities and Exchange Commission] rules. The boards, in turn, will demand independent assurance and visibility of risk/security metrics as scrutiny on resilience and third-party risks rises with more publicised breaches,” he says.
In his experience, the CISO is increasingly being given cyber security accountability, beyond just responsibility. This means CISOs will need greater empowerment to make cyber decisions.
AI: A new threat for 2024
Beyond the risks IT security chiefs have experienced previously, there are also the growing threats and opportunities posed by artificial intelligence.
Turnkey’s Carey notes that AI is rapidly becoming more sophisticated, so traditional cyber security techniques such as antivirus software, firewalls and anti-malware engines are no longer sufficient to protect against threats produced by machine learning-powered attacks.
The spectrum of AI-enabled threats includes deepfake social engineering attempts, orchestrated using malware injections, that can be quickly introduced into the IT landscape.
Carey warns that these attacks take many forms. For instance, perpetrators posing as trusted individuals might trick someone into clicking on an email link that reveals sensitive information, installs malware on their network or executes the first stage of an advanced persistent threat (APT). Text messages and voice calls can also be used to generate the attack, as can search engine optimisation (SEO) manipulation that directs people to the hacker’s website and steals sensitive data when they interact with it.
The result will be an escalation of social engineering assaults, manipulating users into granting unauthorised access to organisational systems. She says such attacks are also extremely difficult to detect due to their intelligence and sophistication.
Geopolitical tension drives cyber attacks
AI is both a threat and an opportunity. Cyber criminals are likely to piggyback on geopolitical tension to target major organisations and critical national infrastructure. Analyst firm Forrester has predicted that as a result of the increased focus on GenAI, in 2024 it’s likely that there will be at least three data breaches publicly blamed on AI-generated code.
But IT security providers are ramping up their defences with AI-infused tools. The integration of AI into cyber security tools is growing rapidly. The market for AI in cyber security is projected to grow to $38.2bn by 2026.
Federico Charosky, CEO and founder of Quorum Cyber, believes those tasked with defending these organisations will have an unparalleled opportunity to harness AI for good, faster than attackers harness it for evil.
“Fairly massive compute power is needed to run AI, and that is well controlled by supply chain issues and hyperscalers that should be able to qualify their customers,” he says.