RSA Blog | April 2024
As the calendar flipped to April, AT&T seized the spotlight by announcing that it found the Social Security numbers and/or passcodes of 70 million customers and former customers on the dark web. The breach occurred earlier and apparently compromised full names, addresses, mailing addresses, phone numbers, and dates of birth.
This is noteworthy in that it may remind us that 2023 was a terrible year for breaches – a record 3,205 in the US alone, and a whopping 78% higher than the figure in 2022. More troublesome, cybersecurity gurus believe 2024 will be yet worse for a variety of reasons, dismissing any notion of a 2023 anomaly. How many breaches will occur in 2024 is unknown, but a number of cybersecurity pundits believe the cost of cyberattacks on the global economy will swell to roughly $10.5 trillion this year, up from $8 trillion last year.
If they’re right, this obviously means yet more breaches in 2024. And many cyber pundits believe that breaches will continue to grow still more thereafter.
This is an excellent time to examine the particulars of 2024 cybersecurity prospects. Unlike the usual prognostications made at the end of the previous year, the pundits have an additional quarter to work with and hence more fresh data at their disposal. So here are the challenges and bright spots expected this year. While breach statistics appear destined to deteriorate further, the inclusion of cyber pluses, as well as minuses, underscores that the backdrop is at least better than it would be if cybersecurity weren’t being rigorously improved.
The negatives:
+ Ransomware payments exceeded $1 billion in 2023, notching a record high after a decline in 2022. This about-face happens periodically. Last year, among other things, law enforcement increased its focus on ransomware, and fewer ransomware victims paid the ransoms demanded by hackers. Even so, the total sum collected by ransomware gangs is growing as more cybercriminals are drawn to a lucrative industry and carry out more attacks. As one intelligence analyst explains it, the highly public nature of ransomware constantly pulls in more opportunistic hackers, “like sharks who smell blood in the water.”
+ Cybercriminals are among the hordes who increasingly embrace artificial intelligence. Last summer, security researcher Johann Rehberger coaxed OpenAI’s chatbot to do something bad: read his mail, summarize it, and post that information to the internet. In the hands of a criminal, this technique could have been used to steal sensitive data from someone’s email inbox. “Because you don’t really have to write code,” Rehberger told some reporters, “this lowers the barrier to entry for all sorts of attacks.”
+ Swelling IoT growth is doing little to improve weak security. IoT devices were never built with security in mind. Many IoT devices aren’t securely configured by default, and it is difficult to install security software on them. The federal government could outlaw the use of default IoT passwords but has not done so. Hopes for the development of more robust, standardized security protocols for IoT devices have also lingered.
+ Remote work remains widespread and is highly likely to persist. According to the Bureau of Labor Statistics, 27 percent of the U.S. workforce works at least part-time at home. Remote work settings typically lack the same level of security infrastructure, making them more susceptible to various types of cyberattacks.
The positives:
+ Companies are doing more to mitigate third-party vendor risk. A growing number of companies are seriously vetting vendors and their often-weak security apparatus. Companies use security questionnaires to learn about vendors’ threat mitigation efforts and then spell out expectations in vendor agreements. Vendors that don’t agree to the marching orders are often replaced by others that do.
+ While companies are slow to improve the security of their IoT devices, they are no longer laggards in making sure the software they produce is amply secure. Specifically, they want to embrace the best security – security built into the earliest stages of new applications, which means using select programming languages. Historically, many applications have been developed using C and C++, which, it turns out, are more at risk of producing security vulnerabilities. Under pressure from various federal government entities, companies have started to replace C and C++ with more secure languages, such as Python, Rust and Java.
+ At the behest of federal and state governments, companies have begun doing a better job of swiftly reporting cyber incidents to help prevent the spread of malicious threat activity. Last year, the Securities and Exchange Commission began requiring publicly traded companies to report material cybersecurity incidents within four business days of a breach, prodding them to strengthen their threat hunting capabilities. Additional government-sparked efforts to further improve management-level security preparedness are expected to come to fruition this year.
Are these and other new developments enough to soften the cyberattack landscape? Probably not; however, better protection means somewhat fewer headaches – and, hopefully, bigger rewards further down the road.