The trends that lived rent free in the minds of cybersecurity professionals in 2023 are certain to continue and reshape the landscape in 2024.
Long-trumpeted measures for prevention remain woefully unmet, the scourge of ransomware is as bad as it's ever been, and a wave of new incident reporting and compliance regulations is taking hold.
These are the five trends Cybersecurity Dive identified as the most prominent and perplexing heading into 2024.
Is there a trend or prediction you think we should highlight? Email us at [email protected].
1. In security, prevention is the best medicine
One of the best ways to make products more secure is to eliminate risk at the design phase.
The technology industry is beginning to embrace simple changes at the development stage that could signal a willingness to build security into the earliest stage of new applications.
Among the most basic elements of developing secure software is to ensure the code is safe. A large number of applications have been developed using C and C++ — these languages have been around for decades and are built for speed.
However, these languages are also considered more prone to memory safety issues. Two-thirds of software vulnerabilities have been linked to memory safety problems, according to CISA.
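As an added illustration of the defect class the section refers to (this is not code from the article, CISA or any vendor named here), the C snippet below places an unbounded string copy into a fixed-size buffer beside a bounds-checked version of the same operation. The function names, the 16-byte buffer and the sample inputs are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field for this example: 15 characters plus the NUL. */
#define NAME_BUF 16

/* Unsafe pattern: strcpy() trusts the source length. A src of NAME_BUF
 * characters or more writes past the end of dst and corrupts whatever
 * sits next to it in memory. This is the memory-safety bug class the
 * article describes as accounting for two-thirds of vulnerabilities. */
void store_name_unsafe(char dst[NAME_BUF], const char *src) {
    strcpy(dst, src);
}

/* Hardened version: measure the source, bounded by the destination size,
 * and refuse the input (leaving dst as an empty string) instead of
 * overflowing. Returns true on success, false when the input does not fit. */
bool store_name_checked(char dst[NAME_BUF], const char *src) {
    size_t len = 0;
    /* Scan at most NAME_BUF bytes so an unterminated src cannot run away. */
    while (len < NAME_BUF && src[len] != '\0') {
        len++;
    }
    if (len >= NAME_BUF) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1); /* len + 1 also copies the terminating NUL */
    return true;
}

int main(void) {
    char name[NAME_BUF];
    /* Constructed sample inputs: one that fits and one that does not. */
    const char *inputs[] = { "alice", "a-name-that-is-far-too-long" };
    for (size_t i = 0; i < 2; i++) {
        if (store_name_checked(name, inputs[i])) {
            printf("stored: \"%s\"\n", name);
        } else {
            printf("rejected: input longer than %d bytes\n", NAME_BUF - 1);
        }
    }
    /* store_name_unsafe() is deliberately never called with the long input:
     * doing so is undefined behaviour, which is exactly the problem. */
    return 0;
}
```

The checked version is the pattern a memory-safe language enforces automatically: the length of the destination is known and consulted before every write, so an over-long input becomes a handled error rather than silent memory corruption.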
The White House in August issued a request for information on open-source security and memory safety. In December, CISA, the FBI and key foreign partner agencies released a road map for manufacturers to embrace the use of memory-safe languages as a way to reduce software vulnerabilities.
The open source community is also taking steps to boost security during the development phase.
“The biggest shift we’ve seen is an emphasis on prevention, not just remediation, both in the open source community and with our enterprise customers,” said Eric Tooley, senior product marketing manager at GitHub.
For example, GitHub provides tools like Dependabot to help developers keep outdated and vulnerable dependencies out of their software. In 2023, developers merged 60% more automated Dependabot pull requests for vulnerable packages, compared with 2022.
In November, GitHub launched an AI-based code scanning autofix feature, which allows developers to keep secrets and vulnerabilities from creeping into code.
2. Ransomware attacks target big whales with high impact
Ransomware attacks against large, high-profile targets were abundant in 2023, resulting in operationally visible impacts.
Attacks against multiple real estate firms disrupted closings, and the Clorox Company is expected to report a financial loss due to order processing delays and product shortages following an attack. MGM Resorts and Caesars Entertainment, the second- and third-largest casino companies in Las Vegas, suffered financial losses and business operation impacts from ransomware attacks.
“Hackers target whatever creates the most pain for an organization,” said Kris Lovejoy, global practice leader of security and resiliency at Kyndryl.
In 2024, cybersecurity experts expect ransomware groups to continue targeting high-value targets, particularly organizations that are more likely to pay ransom demands in a bid to mitigate serious operational disruptions.
“There are advantages to whale hunting with extortion. Bigger companies have the potential to pay larger ransom demands versus small and midsize businesses. Criminals can go the low-volume, high-payout route with their targeting,” said Rick Holland, VP and CISO at Reliaquest.
Attacks on high-profile targets are a validation and continuation of what security leaders at large enterprises already know, according to Allie Mellen, principal analyst at Forrester.
“They need to be prepared to face ransomware attacks and subsequent business disruption as much as possible, from having proper backups, prevention, to detection and response,” Mellen said.
The definitions of high-value targets and impacts are evolving to include software vendors and third-party service providers as well, according to Dave Burg, EY America’s cybersecurity leader.
“A small provider of outsourced help desk services may not have much budget for security, but if their customers are some of the biggest companies in the world, they are going to be a target,” Burg said.
3. 2024 awaits more incident reporting and compliance
Federal agencies and various state authorities are placing new pressure on corporations and critical infrastructure providers to share intelligence and report incidents in order to prevent the spread of malicious threat activity.
Among the most important developments following the SolarWinds and Colonial Pipeline cyberattacks, federal authorities launched efforts to share intelligence and collect information about data breaches and attacks so organizations can better prepare for threat activity before data is stolen or critical operations are disrupted.
Companies should expect to see an increased amount of regulatory scrutiny at the federal and state level over the coming year, as government authorities seek to encourage prompt, accurate and complete disclosure of security threats and management-level preparedness, according to legal experts.
2023 already brought significant changes to corporate reporting mandates. The Securities and Exchange Commission now requires publicly traded companies to report material cybersecurity incidents within four business days of determining materiality. These include U.S. companies and foreign issuers that trade on U.S. exchanges.
The disclosure is designed to increase transparency for investors, but also serves as an incentive for companies to tighten up their threat hunting capabilities and incident response procedures.
The changes are placing enormous pressure on companies to have the technical expertise in place to quickly assess cybersecurity threats, have a team in place to respond to those threats and accurately assess how a breach or attack will impact investors and customers.
A lot of companies have viewed this risk as an investment risk, so “if you don’t have good policies and procedures in place, they’re losing money,” said Keith Billotti, a partner at Seward & Kissel’s Capital Markets & Corporate Securities group.
For companies to be efficient and profitable, they need to have robust policies and procedures in place to stop, identify and respond to an attack.
The SEC has investigated companies that failed to properly disclose or made misleading statements about cyber incidents. Companies have also faced investigations for misleading investors about their data security capabilities.
The Federal Trade Commission increased scrutiny on companies regarding their efforts to protect customer data. In November, the agency said non-bank financial institutions, including mortgage brokers, payday lenders and motor vehicle dealers, need to report data breaches and other security incidents within 30 days.
State regulators like the New York State Department of Financial Services in November unveiled enhancements that require banks, insurance firms and other regulated entities to report ransomware payments, conduct risk assessments and offer enhanced cybersecurity training.
4. Threat actors target third-party vendors to amplify impact
Attacks against third-party vendors, including file-transfer services, continued to ensnare downstream victims last year. These supply-chain attacks will carry on, resulting in some of the most potent cyberattacks in 2024, according to cybersecurity experts.
“Third-party vendors are not the only victims of their cyber incidents — all of their customers become second-degree victims due to any operational disruption and data theft that occurs,” Burg said.
The rippling effect can spread even further, he added.
“Many organizations are looking outside their own IT departments to expand their digital footprint and power business processes, but a complex IT partner ecosystem also creates several potential risks,” Lovejoy said. “Bad actors may try a third-party entry point to get into an organization’s systems and either infect them, steal data or disrupt business operations.”
While enterprises can defend against attacks on their own infrastructure, they don’t have direct control of the third-party infrastructure they work with, and this leaves a defensive gap, according to Mellen.
“Supply chain attacks are unique because they take advantage of something we have come to rely heavily on in the internet age: interconnectivity,” Mellen said.
It’s the open-source vendors that most people have never heard of that cause the most concern for Burg heading into 2024.
“The ones that create software libraries for encryption, logging and system management that underpin all the business applications we use are the ones I believe are most susceptible,” Burg said. “Because these are free and open source, they’re often maintained by a volunteer skeleton crew that doesn’t have the time or resources to conduct the robust security we’d hope for.”
5. Secure out of the box
An age-old debate in the security industry is who should bear the responsibility for making sure products are secure. Customers have long complained about insecure products, but software developers and manufacturers have tempered that debate by saying users are failing to properly configure devices and applications.
The debate may have come full circle in 2023 and play a huge role in security as 2024 unfolds.
Two of the biggest information security crises of 2023 involved critical infrastructure providers and government agencies, respectively, threatened by products that lacked basic configuration elements.
The Iran-linked hacks of U.S. water and wastewater providers and the hack of U.S. State Department emails linked to the People’s Republic of China both exposed flaws in the nation’s security infrastructure.
A threat group linked to the Islamic Revolutionary Guard Corps was suspected of exploiting potential weaknesses in logic controllers used by water treatment facilities, including devices visible on the open internet and weak default passwords.
The Cybersecurity and Infrastructure Security Agency by mid-December issued guidance to manufacturers to eliminate the use of default passwords, which are easy for malicious threat groups to exploit.
The State Department hacks, linked to the theft of an inactive Microsoft consumer signing key by Storm-0558, exposed the company’s policy of forcing customers to pay additional money for security logs, which can help network defenders hunt for malicious activity.
In the case of the Microsoft Exchange hacks, it was government officials that notified Microsoft that outside threat groups had compromised their operating environments. Microsoft was forced to change its security log policy and by November overhauled its security policy to finally embrace secure by default design practices.
Spurred on by these major security threats and extensive government pressure, the tech industry is taking numerous steps to embed security as a core feature of the development lifecycle.
AWS will mandate multifactor authentication for most privileged users by mid-2024. AWS Management Console customers signing in with the root user of an AWS Organizations management account will be required to set up MFA. AWS will expand the requirements further to standalone accounts, too.
“Enabling MFA is one of the simplest and most effective mechanisms to enhance account security, offering an additional layer of protection to help prevent unauthorized individuals from gaining access to data,” Mark Ryland, director of Amazon Security, said via email.
IT-ISAC in December published a white paper calling on SaaS and other cloud companies to embrace secure by default principles.
The debate has long centered on the tension between stronger security and its costs: slower time to market for the manufacturer and lost productivity for the user.
“Of course there are trade-offs, in the same way that there are trade-offs when the more general user experience is prioritized,” James Dolph, CISO at Guidewire Security and co-author of the white paper, said via email.
As outlined in the white paper, Dolph said “the user experience of security should be on par with other goals in software if we’re going to elevate the security of the software industry and avoid negative outcomes like we all see in the news.”