2024 Cybersecurity Predictions
Jason Lau, CISO
ISACA Board of Directors, Advisory Boards, CISO, CSO30, Adj Prof, Forbes Tech Council, World Economic Forum, Ex-Microsoft Cybersecurity Advisor; CISSP, CGEIT, CRISC, CISM, CISA, CDPSE, CEH, FIP, CIPP/E, CIPM, CIPT, HCISPP
[5-10 Minute Read]
As 2023 closes and we enter 2024, I thought I would deviate from the usual commentary on cybersecurity trends, which have been the same suspects for the last few years (more phishing, more ransomware, more supply chain attacks, more awareness training needed, deepfake risks and so on), and instead offer a brief commentary on some newer and broader topics, along with 2024 predictions for some of the complex cybersecurity challenges being faced worldwide.
So without further delay, let's get started with the "Known Unknowns" and maybe some "Unknown Unknowns" for 2024 and beyond, aided by some AI graphics I generated with the assistance of Midjourney v6 to add some flavour.
1) Global Geopolitical Instability and Cyber Warfare: The escalation of geopolitical tensions is increasingly mirrored in the cyber domain, with state-sponsored cyber activity focused on destabilising critical infrastructure globally. This trend extends beyond traditional cyberattacks, with energy, healthcare, physical infrastructure and financial systems now explicit targets. PREDICTION: Expect new forms of cyber-economic warfare to become more prominent, where maximum impact is achieved with minimal effort, often by compromising core supply chains: a single widely used supplier, component or managed service gives an attacker reach into every downstream customer at once.
2) AI, AGI and Cybersecurity Risks (including "Dark AI"): AI, and the anticipated emergence of Artificial General Intelligence (AGI), herald a new era of cyber threats capable of complex, adaptive and hard-to-detect attacks. With time, advanced "Dark AI" could adeptly handle vast, disparate data sets, linking information from separate, unrelated data breaches. This capability will enable more intricate profiling of individuals, behaviours and companies. Consequently, it will pave the way for cyberattacks that are not only more targeted but also highly personalised, with payloads strategically timed and adapted specifically to the characteristics of their intended targets. PREDICTION: A spike in double-extortion ransomware cases, and a new wave of sophisticated attack methods we have never seen before, powered by AI in some way, will make headlines. Could it be new forms of AI-powered malware?
3) CISO Burnout and InfoSec Leaders Leaving: The cybersecurity sector faces a crisis of burnout and high turnover, especially among CISOs. Gartner predicts that by 2025 nearly half of cybersecurity leaders will change jobs, and at least 25% will look to leave the field entirely, due to constant pressure and stress. PREDICTION: More global CISOs will look to exit the operational cybersecurity field, especially if they feel there is insufficient support from the Board / C-Suite. Without some level of indemnity, D&O coverage and protection, seasoned security leaders will exit if the risk-reward balance is not right, putting a greater burden on organisations to fill the gap.
4) Rise in Zero-Day Exploits: The significant increase in zero-day exploits poses immense patch management challenges, especially in organisations with legacy systems, which they may have legitimate business reasons to maintain. PREDICTION: Patching is easier said than done. Vendors large and small are finding it hard to keep up with the pace at which vulnerabilities are found, resulting in an extended window from the vulnerability being discovered or reported, to the vendor shipping a patch, to the customer actually applying it; every day in that window is an opportunity for attackers. Companies will find it increasingly difficult to keep up, as I predict the number of zero-days will increase significantly from 2023. Be prepared to update your browsers and apps, your laptop operating systems, and your Android / iPhone devices many, many times in 2024.
5) Quantum Computing, AGI, and Cryptography: The intersection of quantum computing and AI poses significant challenges and opportunities for cryptography. Quantum computing's rapid advancements bring the potential to crack current cryptographic algorithms, making existing encryption vulnerable. (The threat is specific: Shor's algorithm breaks today's public-key schemes such as RSA and elliptic-curve cryptography, whereas symmetric ciphers and hashes are only weakened by Grover's algorithm and remain safe with longer keys. The practical risk today is "harvest now, decrypt later" against long-lived encrypted data, which is why migration planning to post-quantum algorithms should not wait for a working quantum computer.) Similarly, AGI adds another dimension to the cybersecurity landscape, in a different way than mentioned earlier. The full extent of AGI's ability to solve different types of math problems is a hot debate right now. With complex math being inherently difficult for AGI because of the way LLMs operate, could 2024 be the black swan moment many did not predict? Could this lay the ground for new methods of bypassing cryptographic defences in the future? What if (one day) AGI found a short-cut to crack current-day cryptography without the need for quantum computing? PREDICTION: It is unlikely AGI is going to solve advanced cryptographic problems or break encryption anytime soon, but in 2024 we could be surprised where AGI solves some elementary math problems we didn't expect. The AGI x cryptography developments in 2024 are going to scare the naysayers.
6) EU NIS 1/2 Directive: While I am sure many in the EU have heard about this, those outside the EU may not have. Those who work at critical service providers in multi-national organisations, or who have key suppliers based in the EU, should expect to hear more about this from your security/compliance/legal teams in early 2024. As a quick backgrounder, the Network and Information Systems (NIS) Directive and its successor, NIS2, are EU legislation enhancing cybersecurity. NIS1 targeted critical sectors like energy and banking, while NIS2, which member states must transpose into national law by October 17, 2024, broadens the scope to more sectors, including key digital services, and adds explicit supply-chain security and incident-reporting obligations. The European Commission underscores the importance of these directives for maintaining cybersecurity across the EU in the face of evolving digital threats. PREDICTION: As with the GDPR, the biggest misconception is that some organisations which rely on key digital service providers, and key service providers outside the EU (but supplying to the EU), think this does not apply to them; they remain unaware of the responsibilities, deadlines and implications, and there will be a rush to catch up in 2024-2025. Better to start early and do a risk assessment.
7) Space: Cybersecurity's New Frontier: Cybersecurity risks in space technology, particularly satellites, are a growing concern. As satellites become integral to global communications, they face threats like signal jamming, spoofing and control hijacking. The interconnectivity between satellites and ground infrastructure adds to these vulnerabilities (a compromised ground station or uplink is often the easiest path to the satellite itself), highlighting the need for new and evolved standards and frameworks for cybersecurity measures in both space-based technologies and ground systems. PREDICTION: The growth in 2024 of the use of commercial satellites to support distributed product / service / IoT / cloud offerings will expose many organisations to new risks. Organisations utilising space technology need to do comprehensive risk assessments to fully understand the cybersecurity risks they face, as this is uncharted territory for many.
8) Kids. The unexpected Trojan Horse into your home (and work): From gaming to Googling, children are inadvertently turning themselves into agents for cyber threats. Alarmingly, according to data from CyberGuy, search results for two-thirds of popular pop-culture terms lead to malware: searches for "The Boss Baby" show a 58% chance of encountering malicious results, and "Pokemon" is notably risky, with 47% of results leading to potentially harmful sites. These deceptively friendly websites and downloads often contain malware in disguise, posing risks not just to personal devices but also to shared family and work gadgets. Kaspersky research shows that criminals masquerade as young users to exploit the inexperienced through phishing and social engineering, with popular games like Minecraft and Roblox being primary targets. PREDICTION: The emerging Web3 and Metaverse landscapes (as well as the increased usage of AI tools at school and at home) will pose significant threats inside your home and will get worse in 2024. Education and awareness will be critical at schools and with parents. It's time to treat your home Internet and devices as if you were in a corporate environment: don't use default router passwords, don't use kid-friendly simple weak passwords for apps, rotate passwords, install anti-malware tools, enable parental controls, isolate kids' accounts and devices from adults' (a separate user account at minimum, ideally a separate device or guest Wi-Fi network), keep up to date with patches, etc.
9) EU Cyber Resilience Act (CRA): Politically agreed at the end of 2023, the CRA introduces a legal framework that applies to all products with digital elements sold in the EU market, with most manufacturer obligations applying only after a transition period of roughly three years from entry into force. It mandates that these products are secure from the point of design and throughout their lifecycle. This approach ensures that digital products, including software, are not only secure at the time of purchase but remain resilient to cyber threats as technology and threats evolve. The Act emphasises the responsibility of manufacturers to continuously manage cybersecurity risks, report actively exploited vulnerabilities, and provide security updates to address vulnerabilities, thereby enhancing consumer protection against cyber threats and incidents.
When comparing the CRA with the NIS1 and NIS2 Directives covered above, the key difference lies in their scope and focus. While the NIS directives primarily focus on operators of essential services and key digital service providers (setting standards for network and information system security across the EU), the CRA extends its reach to a broader range of products with digital elements. It shifts the focus to ensuring that these products are designed and maintained with cybersecurity in mind (i.e. throughout the software development lifecycle and post launch). The CRA complements the objectives of the NIS directives by addressing the security of products that could be used within critical infrastructures, thereby closing a gap in the EU's cybersecurity framework. PREDICTION: The complexity and timeline of this could result in companies simply opting for risk avoidance and proactively withdrawing certain products or services from the EU in the short term. We are already starting to see this in the adjacent vehicle sector, with Porsche reportedly discontinuing the ICE-powered Macan in the EU rather than re-engineer it for the new vehicle cybersecurity requirements (strictly, the UNECE R155/R156 regulations on vehicle cybersecurity management and software updates, which apply to all new vehicles sold in the EU from July 2024; vehicles under the type-approval regime are excluded from the CRA itself, but the risk-avoidance dynamic is the same), and I expect more companies to do the same in 2024.
10) The Unknown Unknowns. The above are scary enough, but it is inevitable that unpredictable and unforeseen threats will emerge as technological advances create new forms of risk. Especially with the rapid implementation of AI, the expansion of IoT, quantum computing and the advent of Web3, new vulnerabilities are expected to arise, challenging even the most sophisticated security measures.
As we step into this new year, it's clear that the landscape of cyber threats is evolving at an unprecedented pace. These predictions touch on just some of the broader issues; without a doubt there are other concerning areas, from sophisticated decentralised finance (DeFi) hacks through to remote hijacking of autonomous vehicles and much more. These risks are not just in our workplaces, but are clearly also impacting us all more at home and in our everyday lives.
Stay vigilant, stay safe, and best wishes to everyone for 2024.
Jason Lau
Disclaimer: The opinions and insights expressed here are solely my own and do not reflect the views of any affiliated organisations.
Professor Jason Lau, CISO, sits on the global ISACA Board of Directors, is Chief Information Security Officer at Crypto.com, and is a member of the Forbes Technology Council and a contributor to the World Economic Forum.
With over 23 years of global experience in cybersecurity and data privacy, Jason strives to demystify the complexities of cybersecurity and explore the intersection of cybersecurity and artificial intelligence.
Subscribe to Jason's Newsletter to follow emerging industry updates.
Comment (1 year ago) from a reader (Cybersecurity Expert | Specializing in VAPT, Compliance, Digital Forensics, AI/ML Analysis, and Web Development | Dedicated to Strengthening Cyber Defenses, Ensuring Regulatory Compliance):
Wishing you a prosperous 2024 filled with insights and innovation in the ever-evolving landscape of cybersecurity! #CybersecurityTrends
Comment (1 year ago) from a reader (Sr. IT Infrastructure & Cybersecurity Engineer | Microsoft 365 Architect | Network Solutions Expert | Cloud Solutions Expert | CompTIA Security+ Certified):
Exciting shift! Your insight into broader topics & predictions for 2024's cybersecurity challenges is invaluable. Looking forward! Happy New Year!
Comment (1 year ago) from a reader (Chief Product Officer & Co-Founder at Kovrr):
Great insights, Jason Lau, CISO! On top of NIS2 and CRA, we should expect to see more cybersecurity regulations across the globe with increasingly widening scopes. Governments are slowly but surely starting to recognize the impact a cybersecurity event can have on the entire economic infrastructure, and organizations would do well to stay ahead of the curve (even if they do not yet fall under the purview of existing regulations). Assessing cyber risk and planning accordingly is not only going to create a more secure market but also keep organizations resilient in the long run.
Comment (1 year ago) from a reader (Founder and Director / Strategic Advisor / Investor):
Great insights, thanks Jason