We’ve collected comments from more than 40 vendors to give infosec pros an idea of what they might face in the next 12 months. Their predictions cover everything from meeting the talent shortage to quantum computing:
More advanced persistent threat groups (APTs) will become more active — even beyond the 138 identified by MITRE and those that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) outlines with active cycles, says Fortinet in its Cyberthreat Predictions report.
These groups will likely engage in dual cybercrime and cyber-espionage activities, the report says. Fortinet also expects to see a trend in which more APT groups will transition to employing even more stealthy, innovative methods to initiate attacks. Techniques such as HTML smuggling are gaining popularity, and Fortinet foresees additional novel methods emerging in the coming year.
“Alongside what’s sure to be a banner year for new Common Vulnerabilities and Exposures (CVEs), we should expect the growth of TTPs and, therefore, the MITRE ATT&CK framework,” the report says.
Margareta Petrovic, global managing partner for risk and cybersecurity consulting and KPS Sandhu, head of global strategic initiatives for cybersecurity, Tata Consultancy Services:
There are over 700,000 cybersecurity job openings in the U.S., and according to some estimates, there is a need for more than 2.7 million cyber professionals globally. The talent gap in cybersecurity has created a dire need for skilled and qualified people to prevent, detect, and respond to novel and ever-growing cyber threats and incidents.
To combat these rising challenges, companies should consider hiring in-house specialists to bolster internal teams, or outsource this work to large external resource companies (consulting firms, cloud providers) to reduce costs and risks. If hiring is not imminently possible, administrators should opt for a managed services provider. The partner can then implement and operate a unified security platform using automated and streamlining processes to strengthen defences against advanced threats while providing complete visibility into the security posture of the enterprise.
Avishai Sharlin, GM, Amdocs Technology:
2024 will mark the year when quantum computing takes one more step towards center stage in a thrilling race between tech giants IBM and Google. As quantum computing accelerates, so does the need for post-quantum-resistant encryption. Public clouds are already adopting innovative mitigation strategies to protect sensitive data in this quantum era.
Sam Curry, VP and CISO, Zscaler:
The security industry will look beyond ‘Zero Trust’ to ‘Negative Trust’. In 2023, zero trust matured in the eyes of security teams and the C-suite, and is continuing to gain traction. But adversaries are also starting to take greater notice of it too and are searching for ways to exploit it. We therefore predict the next evolution of Zero Trust is going to be Negative Trust as a deception methodology. We expect attacks will become less malware-based, as adversaries will want to leverage IT tools and be under the radar of detection. If an adversary has gained access to a zero trust environment by using a stolen identity, organizations still need to avoid damage, and this can happen by deceiving the intruder. The way to achieve this is to put that adversary in an environment where they can’t be sure what is real or not (e.g. simulating that the space houses thousands of applications, but there is actually only handful of real applications in that environment), then traps and tripwires can be set to catch the bad actors in the act.
Mike Lyborg, CISO of Swimlane:
Third-party risk assessment on vendors will be rewritten, driving a further reduction in the tools/system sprawl. On the heels of major third-party breaches in 2023 like MOVEit, third-party risk assessments will move from a check-the-box assessment of tools to a comprehensive analysis of a vendor’s cybersecurity maturity. These assessments will ask more questions specifically about how companies have dealt with vulnerabilities like Log4j or MOVEit to understand the process in place when incidents arise, rather than just analyzing tools in place. With this mindset, more organizations will require a software bill of materials from vendors before purchasing software to fully understand the elements of the technology before adding it to their software stack.
Steve Cobb, CISO of SecurityScorecard:
Organizations that rely on questionnaires alone to assess their vendors’ security posture will be three times more likely to experience a third-party breach. The recent shockwave caused by the MOVEit vulnerability demonstrated an unsettling truth: cyberattacks spare no one, not even organizations boasting formidable security measures. With 98 per cent of companies having a relationship with at least one breached vendor, the conventional checklist approach won’t be enough to properly vet vendors in the new era of third-party risk. But here’s the kicker: most vendors, swamped by questionnaires, do little more than rush through the process, ticking boxes, without the skills or resources to delve deeper into their security programs. In 2024, security teams and vendors will join forces, not as adversaries, but as allies on a mission to identify and manage risk across the digital ecosystem. The days of superficial questionnaires will be replaced by proactive efforts to build a robust security ecosystem, as organizations recognize that true cybersecurity resilience requires a united front against evolving threats.
From Max Shier, CISO, Optiv:
Zero Trust will be solidified as a valid concept that works. Organizations and vendors have had ample time to develop and implement architectures and products to meet zero trust principles now that they understand it just isn’t an industry buzzword – it’s a valid concept that works. Remote work will continue to be prevalent, and zero trust is instrumental in ensuring those remote workers are accessing services and resources in a secure manner. Zero Trust implementation will continue to pick up across all verticals in 2024.
Jerome Becquart, COO of Axiad:
Cybercriminals will increasingly target account recovery methods. With the uptick in phishing attacks and resulting guidance from the U.S. White House Office of Management and Budget, The Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology in 2024, more organizations will strengthen their authentication method by going passwordless. In fact, we’re already seeing this move in the market, with large enterprises including Google and Amazon now offering consumers the ability to log-in more securely with passkeys. While this is a step in the right direction, it’s only half the journey. As the “front door” of the house gets stronger, cybercriminals will shift from stealing credentials (e.g., passwords) to attacking the “back door,” or account recovery methods. For example, let’s say a cybercriminal enters incorrect information on an account five times. The account recovery process then kicks in. If that process involves calling a help desk to answer security questions or answering them online, there’s a good chance hackers will be able to ascertain the information they need to hack their way in by perusing social media. We’re already seeing this happen, but, in 2024, we’ll see an escalation of cybercriminals targeting account recovery methods to compromise credentials.
Joshua Bartolomie, vice-president of global threat services, Cofense:
Organizations will shift to focusing on what they don’t know about their cybersecurity risks, leaning on threat intelligence more than ever. As threats continue to mount due to global conflict and economic pressure, organizations will pivot to analyzing what they don’t know about their cybersecurity risks rather than making assumptions and move past “check the box” strategies. To do this, organizations will need to lean on threat hunters and threat intelligence to find out what should be a focus in their cybersecurity strategies. Threat hunters are like house inspectors who come in and poke at the walls and the foundation to find things that need to be fixed. Good, actionable threat intelligence will help organizations quantify their risk, give context into how threats are delivered and allow security teams to make informed decisions to stay ahead of threats.
Douglas McKee, executive director, software engineering, SonicWall:
Large and small businesses will see a continued increase in Log4j attacks in 2024. Security professionals prefer to forget about past vulnerabilities such as Log4j, as they are often tied to a traumatic time. However, this is exactly what threat actors prey on. While many patches are in place from big-name vendors, and security vendors have issued a wide range of signatures to cover Log4j, it is still one of the biggest supply chain vulnerabilities discovered to date. Due to its position in the supply chain, its continued discovery in new places and its unfortunate continued implementation in new code, it is well worth an attacker’s time. SonicWall’s threat data is trending to demonstrate a potential 10 per cent year-over-year increase from 2022 to 2023 in Log4j-related attacks. By the end of 2024, we predict there will be an even larger increase.
Amitabh Sinha, CEO, Workspot:
The increasing adoption of cybersecurity tools will exacerbate the end-user experience. Zero-day patches, security tool updates, application updates, driver updates, and more, are compromising the user experience every day. Nearly 75 per cent of CISOs say that employees in their organization are frustrated with current security policies that are taking a toll on their productivity. As companies continue implementing these layered security protocols to safeguard their systems, users will increasingly encounter friction in their daily work interactions. This growing user dissatisfaction could pose a significant risk to organizations’ employee retention, and as we move into 2024, we will see workers be more reluctant to tolerate cumbersome software updates, patches, and security measures that hinder their ability to work efficiently. Organizations will need to take a holistic approach that does not compromise security nor the end-user experience to keep their employees happy. This requires tools that help them monitor end-user satisfaction and productivity, and understand the impact of frequent, disruptive updates on their users.
Martin Hedley, advanced cyber security engineer, ISN
The cybersecurity threat landscape is evolving constantly. We have seen supply chain cybersecurity attacks increase in frequency throughout 2023 and anticipate that trend line to keep increasing in 2024, especially as bad actors are also leveraging AI to create more malicious attacks faster than ever before. There are absolutely cybersecurity concerns companies need to be mindful of. First is to determine what security controls are put in place to protect that company’s data when it’s shared with third parties. Also, organizations need to ensure that contractors and vendors have a strong internal security posture that follows industry best practices.
Darren Williams, CEO and founder, BlackFog:
After a record-breaking 2023, we expect that ransomware will not ease anytime soon. Fundamentally, ransomware is becoming the main threat to all organizations, and insurance is no longer a viable option. Action needs to be taken. In 2024 we predict ransomware gangs will look for new ways to force victims into paying. We have already seen gangs contact the SEC directly, reporting victims immediately to inflict maximum damage, forcing regulatory, reputational and class action liabilities. We expect this is just the beginning of several new tactics to maximize payouts. We also expect to see ransomware disrupt major infrastructure through IoT devices and non-traditional platforms. These diverse systems often have limited security designed in and have significant exposure for organizations, particularly in the manufacturing industry.”
Sabrina Gross, regional director of strategic partners, Veridas:
In 2024, deepfake abuse is going to significantly increase. This will become particularly prevalent on social media, especially with elections in the U.S. and EU as well as potentially one in the U.K.. It will become a popular technique among cyber criminals for financial crime, with voice deepfakes being used for phone fraud. As a result, over the next year, customers will expect organizations to have processes in place to prevent fraud and to ensure they are actively investing resources that combat deepfakes.
Dr. John Pritchard, chief product officer, Radiant Logic:
Although privacy and data protection risks were early concerns for AI adoption, we are now seeing greater privacy options available on the market. The bigger concern for most enterprises leveraging GenAI is inaccurate or fabricated answers, otherwise known as chat hallucination, a phenomenon in which Large Language Models (LLMs) generate text that is coherent but is not based on factual or true information. These models can sometimes produce responses which are creative but misleading or entirely fictional. The challenge in natural language processing is to ensure the AI models provide accurate and reliable information without engaging in chat hallucination. This will put pressure on companies to assess and test the accuracy, appropriateness, and actual usefulness before being accepted.
Maurice Uenuma, VP & GM, Americas at Blancco:
New concerns about AI will gain ground in regard to quantum computing and the future of cybersecurity. Enterprises are becoming more aware of potentially significant future impacts of AI on previously well-established data security strategies. For instance, while only theoretical at this juncture, one of the big concerns about AI combined with quantum computing is that there is a possibility that most of what is encrypted at present could be decrypted in the future. As security strategists continue to think through these possibilities in 2024, more enterprises will begin to plan their post-quantum computing strategies along with new, emerging security capabilities to ensure they have security controls that work not just today, but tomorrow as well.
Steve Leeper, VP product marketing, Datadobi:
We predict that an intensified focus on risk management will become a strategic imperative for companies worldwide. Governance, risk, and compliance (GRC) practices are anticipated to receive heightened attention as companies grapple with the complexities of managing access to data, aging data, orphaned data, and illegal/unwanted data, recognizing these as potential vulnerabilities. Moreover, immutable object storage and offline archival storage will continue to be essential tools in addressing the diverse risk management and data lifecycle needs within the market.
Adam Gavish, CEO and co-founder, DoControl:
In the new year, cloud access security (CASB) solutions provided by secure access service edge (SASE) will lose their flavor. Today, SASE solutions secure remote connections so that employees can browse to corporate applications from any network and any device, making the old proxy mode CASB enforcement irrelevant. More organizations are transitioning to SaaS-only operations than ever before, making it harder to secure complex networks. In 2024, we will see security teams advancing to API mode CASBs that understand how SaaS applications work and how SaaS data is modeled, allowing them to enforce and remediate through robust API integrations.
Rajeev Gupta, co-founder and chief product officer, Cowbell Cyber:
Artificial intelligence and machine learning will likely play a significant role in both cybersecurity and insurance. AI can be used to detect and respond to cyber threats more effectively, and it can also help insurance companies assess and manage risk more accurately. Multifactor authentication (MFA) will likely get universally implemented. There will not be any SaaS or Cloud solution that will accept only a single-factor authentication. Biometric authentication and other forms of advanced identity verification will become more prevalent, enhancing security measures.
