
Robin Campbell-Burt, CEO at Code Red

Cybersecurity has now become a global problem. With the global average cost of a data breach in 2023 being $4.45 million (a 15% increase over 3 years), stakeholders and senior executives are all concerned about how they can protect themselves from a devastating attack.

Research by IDC highlighted that European IT security spending will surpass $66 billion in 2026, which shows that there is greater attention on how to improve security posture. But is that money being put to good use?

It’s fair to say that cybersecurity is a noisy industry, and it can be hard for CISOs and security teams to find the right solution to address their specific organisational problem. As we approach 2024, it’s a good time to reflect on the past year: what has happened, the lessons for next year, and what businesses will prioritise when it comes to increasing their cyber resilience.

Over the last year, we have seen plenty of vulnerability exploitations from 3CX in April to MOVEit in May. Darren Williams, Founder and CEO at BlackFog, believes that major infrastructure applications will continue to be exploited.

“We expect to see major infrastructure applications become threat vectors for cyber gangs, similar to the way the MOVEit exploit was developed. Hiding in plain sight is going to be the new mantra for cyber gangs as they continue to avoid detection.”

Such attacks also prompt reflection on the need to secure third-party vendors. “A breach in a single link of the chain can have adverse effects, impacting multiple organisations,” said Neeraj Singh, Senior Security Researcher at WithSecure. “The interconnections within supply chains introduce a layer of complexity, raising the probability of undiscovered vulnerabilities that attackers can exploit – as seen in the 3CX supply chain attack.

This emphasises the importance of securing not only internal systems but also those of third-party vendors. In future, supply chain attacks will continue to pose challenges.

Yaniv Vardi, CEO at Claroty, argues that traditional vulnerability management is now associated with significant inefficiencies.

“The widening gap between disclosed vulnerabilities and actual exploits, especially in critical systems, is adding pressure to more traditional set-ups,” said Vardi.

“In 2024, vulnerability management will evolve as critical infrastructure organisations adopt predictive security and zero-trust approaches. Organisations will finally realise that patching vulnerabilities in clinical CPS is the most significant gap in an organisation’s cyber defences.”

Patrick Ragaru, CEO at Hackuity, agrees with Vardi that vulnerability management will be updated.

“The future hinges on the adoption of Risk-Based Vulnerability Management (RBVM), enabling the prioritisation of vulnerabilities based on actual threats and their impact on an organisation's critical assets and data,” said Ragaru. “As a natural evolution, an increasing number of VM providers are embracing this concept.”

Cyber risk, as a whole, is becoming more and more important to boardrooms. “Boards know that cyber risk equals operational risk and will demand that cybersecurity leaders demonstrate tangible cybersecurity gains,” said Raghu Nandakumara, Head of Industry Solutions at Illumio.

Nandakumara argues that businesses will move away from qualitative reporting to more quantitative, value-based measures to demonstrate the impact of cybersecurity.

“Data-driven cybersecurity will become the norm, with security leaders expected to provide regular updates on how cyber initiatives and tools have reduced or mitigated risk and boosted resiliency. Boards will want to know how security initiatives are supporting business outcomes.”

It’s not just the board who will be expected to become cyber risk aware, but the entire business. As said by Aaron Kiemele, CISO at Jamf: “End user awareness and training will expand to encompass a broader knowledge of cyber security risks. Expanding on our shared security responsibilities by building ‘human firewalls’ - teaching and training employees how to identify and report potential security issues.”

When it comes to cybersecurity, everybody needs to be on board. With an ever-growing cybersecurity skills gap, security teams can’t do it on their own.

“With their legacy technologies, a lack of skilled staff, and AI in the hands of cybercriminals, unprepared IT teams relying on average solutions to protect their business are likely to be hit hard by the emerging wave of intelligent persistent threats,” said Jesus Cordero, Director, Systems Engineering, SASE and Cloud at Barracuda.

Kelly Ahuja, CEO at Versa Networks, argues that there will be a consolidation of organisations’ security stacks to ease the burden. “The toil of too many point products and tools has created cost, complexity and reduced IT agility,” said Ahuja.

On the other hand, Ori Bendet, VP Product Management at Checkmarx, thinks that generative AI coding will be used to secure systems such as the cloud.

“As software becomes more integrated in the cloud, it also opens up new security risks. With the pace of development increasing together with GenAI-generated code, organisations will now look to code-to-cloud approaches to mitigate risk,” said Bendet. “While fixing everything is no longer an option, development teams will look into finding better ways to prioritise and focus on what matters most in order to reduce risk.”

Ultimately, the cloud will continue to be a key battleground when it comes to cybercrime. “And in the coming year, an emerging concern will likely be the misuse of commercial cloud service providers (CSPs),” said Raj Samani, SVP Chief Scientist at Rapid7.

“That’s because cybercriminals are no longer relying on known command-and-control servers; instead, they're turning to commercial CSPs for cover to host malicious content,” he continues. “Combatting this threat requires more innovative solutions, such as those leveraging AI and advanced automation techniques — as well as heightened vigilance — in the cloud.”