Technology is developing at breakneck speed – the amount of data along with computing power and data communication capacity are enabling greater leaps than ever before. However, there is also unrest and tension in the world. As the world becomes more digital, the importance of cyber security constantly grows alongside it. New issues need to be resolved alongside the existing threats developed in the past. Artificial intelligence and the growing complexity of IT environments are bringing new things for us to worry about. Being able to openly and confidentially share information and experiences between different actors in the cybersecurity sphere is critical in order to ensure the continuity and security of our society. In this annual review, I discuss my observations about the outlook for cyber security and likely events in the near future.
Cyber security builds resilience
Cyber security will continue to be a necessary enabler for continuity among organisations as well as providing the basis of digital trust. It is more important than ever that organisations are resilient to faults in changing circumstances. Nothing and nobody is completely safe anymore – everyone needs to understand how to recover and get back up quickly when an incident occurs. Nobody sensible still believes that they can build an IT environment that is immune to breaches.
The goal of cyber security is to generate real value and continuity for the business instead of just meeting compliance obligations. The cyber dimension has become a playground for criminals and warfare, especially in situations where disorder and insecurity are already present. Building resilience to “polycrisis” situations, where a variety of emergencies arise at the same time, is key.1
Studies show that, for the third year in a row, cybersecurity disruptions are the most significant risk globally.2 According to business decision-makers, cyber anomalies will be the biggest global business risk in 2024. Business interruptions – including outages caused by cyber anomalies – are estimated to be the second most important business risk.3 Up to 94% of business leaders consider cyber security to be critical or necessary.4 According to an IBM study, it took an average of 204 days for an organisation to detect a data breach.5 Early detection of various threats and rapid response are vital if we are to minimise the impact of these attacks.
The average total cost of a data breach is estimated to be USD 4.45 million.6 This includes the costs of investigating the incident, loss of business and recovery. The significance of long-term damage to reputation and trust should not be underestimated.
Preparedness continues to grow in importance. According to Traficom, the threat level will remain high in 2024.7 Organisations have finally woken up to the importance of being able to recover from disruptions – a good example of this is the significant annual growth in the backup and recovery system market, which is estimated to be worth USD 15.28 billion in 2024 and is expected to grow to USD 25.23 billion by 2028.8
Policymakers around the world have responded to the changing threat environment by creating new rules and laws (e.g. NIS2, CER and CSA) as well as by increasing key security requirements for organisations. These regulations aim to ensure a certain level of safety even for those parties that have not fulfilled their obligations until now. The legislation emphasises the role and responsibilities of company management in significant cyber incidents.
Trust in information and society is fragile. Disinformation and our increasingly polarised societies are destabilising communities, and citizens are increasingly required to be media-literate and view online communication with a critical eye.
Cybercrime is organised crime
Cyberattacks are becoming increasingly diverse, and the risk–reward ratio in online-assisted attacks is attractive to criminals. According to a Verizon study, 93% of attacks are financially motivated and carried out by organised crime groups.9 The economic value of cybercrime is equivalent to the third-largest economic market, behind the United States and China.10
Artificial intelligence is lowering the threshold for criminals to enter the market. Almost anyone can either set up or order an attack as a turnkey service. AI tools can create a credible phishing attack in five minutes. A similar attack carried out by a human would take the perpetrator 16 hours.11 Business email compromise (BEC) is still a profitable method of fraud for criminals.12 The number of attacks is expected to increase as Ransomware-as-a-Service (RaaS) becomes more available and easier to use. Criminals seek the best possible efficiency and can scale their operations quickly.
Identity-based attacks are continuing to increase. Criminals pay an average of USD 2,470 on the dark web for credentials they can use to access a company’s systems,13 and USD 40 for a ransomware package (ransomware-as-a-service).14 A criminal can buy credentials for the target organisation and focus on activities after initial access. The market for stolen credentials is large, and it is therefore not particularly expensive to carry out a single attack.
Ransomware attacks are still very widespread and financially significant for their victims. Ransomware attacks are increasing in number, already comprising one third of all data breaches.15 Criminals adjust the size of the ransom according to the victim’s ability to pay, researching the financial situation of the target organisation in advance. Even though ransom payments to criminals crossed the record USD 1 billion mark in 2023, the proportion of victims paying ransoms actually decreased compared to the year before.16 Criminals don’t profit from ransoms as often as they used to because companies are refusing to pay. The things that the victim companies fear are insurance terms being triggered, sanctions from the authorities, and possible damage to their reputation. Organisations also have no guarantee that the data will be returned after they pay the ransom. Organisations are paying increasing attention to business continuity, and recovery is also at a better level than before.
What about (zero) trust?
Protecting your own IT environment and your service contracts with partner networks is not enough. The constantly changing business environment and extended supply chains require flexible and proactive protection. Identity-first security is becoming a key security control in protecting your own business.17 In the last year, attacks using stolen credentials have increased by 71%.18 Management of privileged users is more important than ever before.
Phishing attacks, especially against customer service and admin staff, have increased. Abuses of the trust network and attacks made through the supply chain are difficult to detect. Attacks coming through the partner network already account for about 15% of all attacks,19 and it takes longer to detect these attacks coming through a third party.20 Supply chain attacks result in higher costs than other types of breach. Abuses by service providers and supply chains open doors for attackers and cause damage to many different parties.
Software supply chain attacks are expected to dominate threats from third parties. Over the past three years, there has been a 1,300% increase in software supply chain attacks.21 Modern applications consist of numerous different software components, any of which may contain vulnerabilities. It is important to understand what kind of vulnerabilities can end up in the final product through software libraries. Risks related to supply chains have also risen to the surface in recent years, and they are receiving even more attention from hostile operators. We need a better understanding of the software components used in the software that we use, and organisations must be prepared for very different types of attack. In 2023, there was a 180% increase in the exploitation of software vulnerabilities.22 Rapid mitigation of vulnerabilities is of primary importance. According to a report from Verizon, even a full year after the announcement of a critical vulnerability, some 8% of systems have still not been updated.23 Vulnerable systems open an attractive entry channel for attackers. The attack surface has expanded even further with the increased use of various cloud services. Based on its own research, CrowdStrike is seeing 75% more intrusions into the cloud environment than before.24
Loss of control
IT and security teams are losing control of their organisations’ environments. Some 76% of organisations have been the target of a cyberattack due to unmanaged or unknown devices.25 Around 80–90% of all ransomware attacks originate from unmanaged devices.26 In addition, the number of applications being used in organisations has increased significantly (66%).27 Cloud applications have steadily increased in popularity alongside on-premises options. Some cloud applications can be acquired by bypassing official procurement processes, which increases the number of unmanaged systems in the organisation and expands the attack surface.
By 2025, still fewer than 50% of companies’ APIs will be managed.28 Currently, up to 71.3% of all internet traffic is from API connections. The amount of API traffic already exceeds the normal amount of network traffic.29
As organisations adopt increasing amounts of automation and AI tools, they can lose expertise and know-how. An understanding of how systems work and what their dependencies are is still needed, even though the role of automation is increasing and manual work can be moved up the value chain. Responsibilities have increased and become more complicated. In addition to utilising new technology, it is vital to ensure that background systems and older technologies are still properly managed.
The number of exploited vulnerabilities is growing exponentially. Continuous threat management is essential. Understanding the wide-ranging effects of threats is even more important from the point of view of recovery and continued operational capability. Modern threat management must be integrated with risk management and targeted according to business value, with defined and prioritised exposure mitigation.
In the quantum computing sphere, development is progressing at a rapid pace. Researchers expect a breakthrough in quantum computing within 5–20 years.30 The expected moment when quantum computing advances to the point where it can break the encryption algorithms that protect most of the data stored and transmitted in systems and on the internet is known as “Q-Day”. It is worth beginning preparations for the loss of encryption security, as the increase in computing power is amazing. According to Google’s calculations, a task that would take 10,000 years for the world’s fastest computer would only take 200 seconds with a quantum machine.31
Criminals are using AI-based applications as weapons in their attacks. Good security processes and practices, as well as cyber awareness and skills, help organisations and people defend against ever-evolving attack tactics and techniques. According to research, 68% of all data breaches involved a human element that either enabled the attack to succeed or would have stopped the attack if things had been done correctly.32 Prevention of cyber breaches, awareness of threats and skill development are key at all levels of organisations and of society. It is reassuring to note that basic cyber hygiene still protects against 99% of attacks.33 By ensuring that the basics are working properly, we build a safer society for everyone.
Sources:
1. ISF: Threat Horizon 2026 Forecast
2. Allianz: Risk Barometer 2024
3. Allianz: Risk Barometer 2024
4. FTI Consulting: CISO Refined 2024
5. IBM: Cost of a Data Breach Report 2024
6. IBM: Cost of a Data Breach Report 2024
7. Traficom: Tietoturvan vuosi 2023 report
8. The Business Research Company: Data Backup and Recovery Global Market Report 2024
9. Verizon: Data Breach Investigations Report 2024
10. Cybersecurity Ventures and eSentire: Cybercrime Report 2024
11. IBM X-Force: Threat Intelligence Index 2024
12. FBI: Internet Crime Report 2024
13. Group-IB: Hi-Tech Crime Trends Report 2023-2024 Global Edition
14. Allianz: Global Risk Barometer 2024
15. Verizon: Data Breach Investigations Report 2024
16. Chainalysis: Crypto Crime Report 2024
17. Gartner: Top Trends in Cyber Security 2024
18. IBM X-Force: Threat Intelligence Index 2024
19. Verizon: Data Breach Investigations Report 2024
20. IBM: Cost of a Data Breach 2023
21. ReversingLabs: The State of Software Supply Chain Security 2024
22. Verizon: Data Breach Investigations Report 2024
23. Verizon: Data Breach Investigations Report 2024
24. CrowdStrike: Global Threat Report 2024
25. Recorded Future: Proactive Ransomware Mitigation 2024 eBook
26. Microsoft: Digital Defence Report 2023
27. Forrester: Connectivity Cloud Research Report
28. Gartner: Innovation Insight for API Protection
29. Imperva: The State of API Security in 2024
30. Security Boulevard: What Is Q-Day?
31. Google: Quantum supremacy using a programmable superconducting processor blog
32. Verizon: Data Breach Investigations Report 2024
33. Microsoft: Digital Defence Report 2023