To mark the 20th year of cybersecurity awareness month in October, America’s Cybersecurity and Infrastructure Security Agency (CISA) announced a new program that they’re coining “Secure Our World” which is focused on four “easy” ways to stay safe online:
- Use strong passwords
- Turn on multifactor authentication (MFA)
- Recognise and report phishing
- Update software
In principle at least, these do all sound easy, but when dealing with human behaviour – as at least two of these areas do – it’s rarely quite so simple. A cynic might say that this helps to feed the narrative that security breaches are more often than not down to human error (which is, of course, a factor).
If the tech and the people interacting with/operating the tech are not in perfect harmony, then something can and will go wrong.
So, with that overarching theme in mind, and some of the main security conferences of the year now firmly in the rear view, we felt it was time we took stock of what 2023 held for cybersecurity, as well as what might be in store during 2024.
Breaches, breaches, breaches…
In amongst all of the noise surrounding generative AI (gen AI) – which we’ll get into later – it did feel as though some significant breaches disappeared from mainstream media as quickly as they arrived.
The UK public sector in particular seemed to take something of a pummelling during 2023, with the Police Service of Northern Ireland (PSNI), Greater Manchester Police (GMP), and the UK’s Electoral Commission all suffering a breach of some description.
And while that supports our opening gambit of people and technology being crucial, rather than one or the other, it perhaps points to another key factor…and it’s an old favourite – budgets. Without going too far down the rabbit hole of public sector funding, it does highlight the importance of spending in the right areas, and cybersecurity should certainly be considered among those.
A common view is that there’s only downside to throwing money at the problem after the event; a sentiment shared by a Vanson Bourne CommunITy member in a recent in-depth interview (IDI).
That’s not to say that money is the sole answer, but it can help to level the playing field. Nation state actors, cyber criminal gangs, and hacktivists, among others, will be spending much of their “hard earned” cash on trying to add to their hitlist.
It’s also worth making the point that private sector firms have been far from immune to breaches this year – despite their budget ceiling typically being higher. Take Boeing, for example – a huge global brand, falling foul of the LockBit 3.0 ransomware gang, due to a vulnerability in their software supply chain.
LockBit – who operate on a Ransomware-as-a-Service (RaaS) model – have been prolific in recent years. And this breach of Boeing along with others such as that on the US arm of the Industrial and Commercial Bank of China (ICBC) feels like their way of reminding the world that while we’re all looking at gen AI, they’ll be going about their business of taking names and cashing cheques.
Say what you like about threat actors, but there is a certain brilliance in the way they execute their missions and continuously evolve their tactics, techniques and procedures (TTPs). Take this approach for example:
- BlackCat ransomware gang exfiltrate data from MeridianLink
- MeridianLink decides not to fully engage in negotiations with BlackCat
- BlackCat gets annoyed and reports MeridianLink to the US Securities and Exchange Commission (SEC)
“Good guy ransomware gang” – this, of course, isn’t designed to glorify these hacker groups in any way, but it does highlight what organisations and the authorities are dealing with. Highly aggressive and innovative approaches, driven, in general, by greed. A dangerous combination.
So, what does this mean for organisations, how can they combat these threats, and, ultimately, how do they go about increasing the efficacy of their security stack?
Expansion or consolidation?
The attack surface that organisations are trying to monitor and mitigate against is growing – no great epiphanies there.
But with cloud sprawl being a genuine concern, incidents resulting from zero-day vulnerabilities seemingly increasing in prevalence, and the potential rise of shadow AI, among many other factors, it’s apparent that IT security teams must find a way to bolster their cyber defences through the utilisation of a technology stack that suits the specific requirements of their organisation.
And this leads us nicely into one of the main topics of discussion from security events such as RSA and BlackHat USA this year: Should companies be pursuing a “best of breed” / point solution strategy, or a “consolidation” / platform-based approach?
Over the years, it seems as though organisations have gravitated towards the former – searching out and implementing the best solutions for specific security needs, regardless of vendor. While this sounds sensible, the approach does have its drawbacks – more tools equates to a more complex security stack, and more potential points of failure that hackers could exploit.
Not only that, but it creates an integration headache for even the most seasoned of IT security professionals.
And for that reason, it would appear that attitudes are showing signs of shifting as we head into 2024, with security leaders appreciating that a comprehensive cybersecurity platform – meaning fewer tools and vendors in their stack – is likely to give them the best chance of protecting their organisation, from both external threats and insider risk.
We posed the question of point solutions vs. consolidation to our community of IT and IT security decision makers, with a third (33%) saying that in 2024 they believe their organisation will utilise/invest in a consolidation approach, so that they use as many (or as few) tools from the same vendor as possible, while the majority (59%) say they will utilise/invest in point solutions that solve specific problems, regardless of vendor.
It won’t be as simple as ripping off the band aid when it comes to migrating towards a new look cybersecurity approach, and it will take careful planning and execution to do it properly (and securely), but the pros do seem to outweigh the cons.
The ability to ingest data from a range of different sources, investigate and analyse threat levels, and then prioritise and respond to those threats/events, all within a unified platform, is surely going to simplify the lives of (typically) under-resourced security teams. These are the same teams who are monitoring significant numbers of alerts, across a host of security solutions.
Generative AI – risk or opportunity?
So, here we are…gen AI and large language models (LLMs). What can we say that hasn’t already been said this year…on multiple occasions? Well, in all honesty, probably not an awful lot…
- …has it been fear-inducing? Yes
- …has it been disruptive? Absolutely
- …will it transform how we live and work? Without a doubt
We live and breathe B2B tech, so despite the recent carnage at OpenAI, in our minds, it is indisputable that this rapidly evolving technology – the explosion of which has been driven by ChatGPT – will provide significant benefits across all industries, and the world economy.
We’ve already referenced the phenomenon of shadow AI. This feels like something of an inevitability considering the wide-ranging use cases across software development, marketing, data modelling and many others. But, in the long-term, it will probably be viewed as a growing pain – “a necessary evil” – as functions from across the business rush towards gen AI, to ensure that they aren’t seen as the department causing their company to be left behind.
It is though worth sparing a thought for IT security teams during this settling in phase, as, ultimately, they will still be held accountable if a breach occurs due to a gen AI tool that they might not have approved or had visibility over. To that end, it’s crucial that all areas of the business not only consider how they can best utilise gen AI to support their own objectives, but also how they can work with the IT / IT security department to embed the tools they need in a responsible way.
When we asked 81 of our community members what they believed would be the biggest challenge and/or transformation in cybersecurity during 2024 (in a verbatim format), just under 60% mentioned AI in some way, shape, or form – with many of them highlighting the potential associated risks, or benefits for cyber criminals.
Nonetheless, we’re talking about a technology that can be used for good as well as evil. The unified security platforms discussed above, such as XDR solutions, already lean upon AI, so that the data ingestion, threat analysis, and decisioning phases can be expedited. The reduction/removal of these hugely time-consuming tasks will help to ease the burden on IT security teams, as well as benefit the IT security posture of organisations able to implement such a platform.
We’ve already noted that cyber criminals are just as innovative, if not more so, than the organisations that they’re targeting. And the security community understands that it can often be the simplest attacks that are the most effective.
Therefore, at this stage, it’s most likely that gen AI will be used by attackers to improve the success levels of their social engineering attacks, primarily through phishing scams, which can now be executed more effectively and on a larger scale.
Which brings us full circle to one of CISA’s core themes – recognise and report phishing. The other themes, of course, cannot be disregarded, but it feels like this one in particular stands out. This seemingly straightforward task will be made all the more difficult now that cyber criminals have gen AI at their disposal.
As such, organisations must invest in proper training for their employees to reduce the risk of them succumbing to increasingly convincing messages. That, in tandem with settling on a security approach and technology stack that suits their business requirements will give them as good a chance as they can hope for against the flood of rapidly evolving threats coming their way during 2024.
Cybersecurity for 2024: people, technology, and…?!
A year is a long time in cybersecurity, and with the developments witnessed in 2023, it begs the question of what on earth will 2024 have in store? The probable answer…more of the same, but on steroids.
In 2024, we as the pilots of technology cannot afford to let the technology outpace our ability to keep up. People must be at the heart of technology and security transformation to ensure that if something does go wrong, we are able to fix it. It is not just down to the IT / IT security team and the technology when it comes to tackling cybersecurity; it has to be a wider effort. And this is why CISA set out their guidelines in the way that they did. In order for a company’s threat mitigation efforts to be a success, everyone in the workforce must hold themselves accountable as well.
From the ground level up, it’s incumbent upon everyone within the organisation to know what the latest threats are – whether it be teenage hackers, nation state attackers or RaaS gangs – as well as the key trends that are on the rise, such as gen AI, and what this means for them in their day-to-day roles.
We live in a world that’s driven by technology, regardless of industry or organisation size. Sharing knowledge as we all head into 2024 will enable organisations to tackle their people and technology problems, with their people and technology.
The survey findings are based on quantitative interviews conducted in November 2023. As a member of the Vanson Bourne Community you’ll gain exclusive access to a variety of insights reports just like this one, based on research with our members.