Cybersecurity professionals usually hate being asked to get their crystal ball out and predict the future of cyber. Indeed, with cyber threat actors constantly evolving, cyber defenders regularly need to change their posture, which makes the cybersecurity landscape highly unpredictable.
However, we can make some educated guesses as to what will impact the cybersecurity world in the year ahead.
At Infosecurity, we invited a panel of seasoned cybersecurity experts to make some predictions and highlight some of the trends they think will emerge in cyber over the next few months.
Here is our selection of the top ten predictions they made during our Autumn Online Summit 2023.
1. Identity and Access Threats Will Drive Demand for Robust MFA
According to Jason Rebholz, CISO of Corvus Insurance, organizations' first cyber priority in 2024 will be to adopt robust, phishing-resistant multifactor authentication (MFA).
CrowdStrike’s August 2023 Threat Hunting Report showed that identity theft has established itself as the primary initial access method for threat actors in 2023, with 80% of breaches now involving the use of compromised identities.
Rebholz argued that this new trend has boosted MFA adoption.
“We’ve reached a point now where we know that MFA is important to protect our identity and access management (IAM) processes. It’s true, but this high level of protection also comes down to the type of MFA you have. When you’re adopting one of the weakest MFA options, such as SMS-base MFA or authenticator apps, attackers have now developed ways to bypass those,” he explained.
Among the many phishing-resistant MFA options that exist today, Rebholz said he was particularly eager to see passkeys be more widely adopted.
“Organizations shouldn’t even start adopting these methods in 2024, but today,” he insisted.
2. Elevated Focus on OT Security Amid Critical Infrastructure Targeting
One thing that worries Rockya Fofana, CEO of Elite CI Consulting and former director of cybersecurity of the government of Cote d’Ivoire, is the increased targeting of industrial systems and operational technology (OT), both in the public and private sectors.
“In Africa, most critical infrastructure is operated by governments, so their increased targeting by threat actors was in my remit,” she said during Infosecurity’s Online Summit.
Margareta Petrovic, a global managing partner at Tata Consultancy Services, agreed.
“We keep talking about emerging threats that are coming up, but most of our organizations are still running very old pieces of infrastructure. Keeping OT up and running while not introducing additional risks in the IT environment should certainly be a priority for the coming months. Attackers are well aware of the deficiencies in those OT systems,” she said.
In November 2023, an unprecedented attack on Danish critical infrastructure was attributed to the Russian hacking group Sandworm. A few weeks later, the US confirmed that Iran’s Islamic Revolutionary Guard Corps was behind a series of recent strikes against water plants across multiple states.
“These are only the attacks you hear about. It’s true that cyber-attacks targeting OT systems are not reported very frequently yet, but there are certainly many more happening that never get reported,” Petrovic insisted.
Furthermore, we’re looking at the best-case scenarios right now, Rebholz added. “These cases, as well as the 2021 attack on Colonial Pipeline, are usually manoeuvrers to try to shut down IT systems – imagine when attackers will manage to actually shut down the OT systems, just like with Stuxnet in 2010.”
"I don't think AI will greatly impact cyber defenses, at least for next year."Jason Rebholz, CISO, Corvus Insurance
3. Accelerated Law Enforcement Collaboration, but Challenges Endure
Cyberlaw enforcement officers have been particularly busy in 2023, with several international operations succeeding in the arrest of individuals involved in cybercrime or the takedown of threat actors’ IT infrastructure.
One of the most recent examples is Operation Duck Hunt, which resulted in the shutdown of some of the Qakbot botnet infrastructure in August.
Read more: FBI's QakBot Takedown Raises Questions: 'Dismantled' or Just a Temporary Setback?
Rebholz said he hopes to see more such coordinated actions across the globe.
However, Mike Morris, a former FBI agent and current director of the Center for Cyber Education at Western Governors University, explained these collaborative efforts are very challenging.
“When the FBI is investigating a cell in the US and wants to crack them to the next country over, they have to sign a mutual legal assistance treaty (MLAT) with the other nation to share information. That’s a diplomatic document that requires a diplomatic exchange – which takes time.”
That’s why, the former FBI officer insisted, governments should build these diplomatic relationships before starting any investigations.
Fofana argued that another institution that could help build these collaborative efforts is the UN. The organization is currently working on an international treaty on countering cybercrime.
However, with all the current kinetic – and cyber – conflicts, Petrovic said she was pessimistic about seeing even broader anti-cybercrime coalitions emerge in 2024.
4. AI to Have Limited Transformative Impact on Cyber Defenses
Our cybersecurity experts argued that threat actors will continue to weaponize AI in 2024 and beyond, but AI-powered attacks will probably not have a transformative effect on cyber defenses.
Rebholz commented: “I don’t think AI will greatly impact cyber defenses, at least for next year. Yes, the threat is growing, and threat actors will leverage AI-powered tools, but the way to mitigate this risk is mainly by implementing traditional security measures.”
5. Deepfakes and Misinformation Will Be More Pressing AI-Related Threats
According to Rebholz, where generative AI really is a game-changer is in enabling disinformation at scale using deepfakes.
“Imagine the impact that deepfakes, which are easier to develop than ever, yet still very difficult to detect, will have on disinformation campaigns around elections,” he warned.
In 2024 there are set to be 40 national votes occurring worldwide, making it the biggest election year in history.
“I also think these disinformation campaigns around political events will be an open door to cybercrime-oriented campaigns using similar tools,” Rebholz added.
Watch all our Online Summit sessions on-demand
6. Cyber and AI Regulations Set to Reshape the Global Security Landscape
A flurry of regulations will impact the cybersecurity industry in 2024.
In the EU only, organizations across sectors must prepare for the NIS2 directive to be translated into national law. At the same time, financial businesses will need to start exploring future security requirements introduced by the Digital Operational Resilience Act (DORA).
The Cyber Resilience Act and the AI Act have also been adopted and will soon introduce new security mandates for manufacturers and AI providers.
During Infosecurity’s Online Summit session, Petrovic predicted that some of these regulations will become the blueprint for similar ones in other jurisdictions. She believes that organizations from all industries should stay ahead of the curve and explore these laws, even when operating in countries that are not yet impacted by said laws.
"Organizations have many more pressing issues to deal with for next year than preparing for quantum threats."Rockya Fofana, CEO, Elite CI Consulting
7. Increased Pressure on CISOs
In an end-of-year blog post on the Tata Consultancy Services website, Petrovic wrote that the pressure on CISOs will increase in 2024.
During our Online Summit, she explained the reason behind her prediction: “With cybersecurity getting an increasing level of attention from regulators, there are more and more requirements for the boards to demonstrate that they’re implementing appropriate security measures and that they’re allowing the right resources to meet those requirements. Who are they going to turn to? CISOs.”
She added that although CISOs traditionally come from technical roles, organizations will increasingly ask them, or some intermediary, to collaborate more with the board and “talk business as well as technical security issues.”
She said this will make “CISOs’ lives even more exciting.”
Morris added that CISOs could also be increasingly offered a seat at the C-suite table because boards will need to have someone with a technical background among them more than ever.
Fofana, who left her job as director of cybersecurity of the Ivorian government in October 2022, is living proof of that trend as she was asked in 2023 to join the board of an organization “because of my background in cybersecurity.”
Rebholz commented: “I hope we can use Rockya’s case as a success case study, but I would stay cautious. Yes, it’s great to have people with a cybersecurity background joining boards, but is it really going to be enough to influence boards significantly? I’m not sure.”
8. Quantum Readiness Shouldn’t Be a Priority for 2024
All four panelists agreed that, while important to keep in mind for the future, quantum readiness should not be one of organizations’ top priorities for 2024.
Morris developed: “Will quantum-proof cryptography eventually come? Certainly. Is it going to roll out next year? Probably not. And if it does, it will be at state-level, and we’re not going to hear about it for the private sector before three more years.”
Watch our webinar: 7 Steps to Building Quantum Resilience
Rebholtz added: “If this is something that you’re prioritizing for next year, I would encourage you to re-evaluate your risk profile. You need to figure out the risks that are specific to your organization and are most likely to impact it – and the quantum risk is probably not on top of your list for 2024.”
Fofana nodded: “We have many more pressing issues to deal with for next year,” she said.
9. Insurance Firms Will Set a Bar of Minimum Cyber Requirements
Rebholtz said cyber insurance is “a requirement for any company with a computer.”
However, he believes that cyber insurance firms will need to establish a clearer definition of the minimum requirements a company needs to fulfill in order to get insured before falling victim to a cyber-attack.
10. Innovative Hiring Strategies Well be Needed to Close the Skills Gap
In 2023, the global cybersecurity workforce gap reached four million people, a 12.6% increase compared to 2022, according to the ISC2 2023 Cybersecurity Workforce Study.
To stop this gap from getting larger every year, Petrovic said that organizations should try new, innovative hiring strategies.
“There must be a lot of investment in cross-training people and focus those training programs, not on technologies, but on solving problems. This will help them get more efficient in the cyber defensive posture while opening the doors for people with different backgrounds to get into cybersecurity,” she said.
Fofana added: “Organizations should also think of re-training its workforce. With the increasing targeting of OT and the IT-OT convergence and the adoption of AI practices in IT systems, most of the cyber training manuals have become obsolete.”
Morris, who is director of the Center for Cyber Education at Western Governors University, said the average age of his students is 35 and that most of them are pivoting to cybersecurity after a career in another domain.
“What’s important, whatever background people have, is to make them face hands-on situations early on. To do that, we have a cyber club with 8000 students doing weekly defensive and offensive security exercises. Now, we have about 23000 trained people with actionable skills looking for a job in cybersecurity,” he concluded.