
6 Cybersecurity Trends That Will Impact Businesses in 2024

If 2023 has taught companies anything, it’s that cyber risks must be treated with the same level of visibility, governance, planning and resources as other significant business risks like financial conditions, legal liabilities, or operational disruptions.

The headlines have been awash with stories of data breaches and cyber attacks caused by poor, unclear or even a complete lack of information and data security management processes. The result? Significant financial losses, reputational damage, and hefty fines from regulatory bodies for the impacted organisation, their suppliers and, in some cases, even individuals.

In response to the increase in cyber threats, regulations governing cybersecurity and information security practices have proliferated quickly. Just this week, the EU announced their political agreement on AI regulation, with other regulations such as the Cyber Resilience Act and Product Security and Telecommunications Infrastructure (PSTI) bill joining established regulations such as GDPR and NIS. The US has seen an Executive Order issued on cybersecurity and SEC regulations introduced on breach disclosure. All of these make it clear organisations must be able to demonstrate information and data security best practices and effective implementation across all aspects of their business.

Given where we are now, what exactly does 2024 have in store for companies? We’ve looked at six key trends we think will dominate the information and cyber security landscape in 2024 and broken them down below.

Trend 1: Increasing Regulation of AI and Machine Learning (ML)

AI and machine learning (ML) have rapidly become essential in business, optimising decision-making, automating tasks, and providing insights surpassing human capabilities. Its prevalence has sparked widespread discussions about its implications for businesses, individuals, privacy, and digital security.

Given these systems’ pervasive and autonomous nature, which significantly impact consumer, employee, and infrastructure welfare, there is a critical need for thoughtful regulation to keep pace with their evolving capabilities. The demand for transparency, accountability, anti-bias measures and error correction mechanisms in AI decision-making has grown throughout 2023. As AI extends into high-risk areas, this trend will only intensify.

Consequently, 2024 will be a landmark year for formalised AI governance, encompassing robust laws, industry frameworks, and corporate policies. Lawmakers in the Americas, Europe, and Asia are drafting proposals that impose moral and legal obligations on AI vendors, developers, and enterprises. The EU announced their political agreement for an AI act just this week. 

Meanwhile, international groups like IEEE and ISO are already establishing comprehensive, unified standards for securely creating, evaluating and implementing ML systems across industries and applications; these are likely to be published in the new year.

We also expect it to become the norm for organisations to establish boards that oversee responsible AI practices, audit development processes and manage model risks, alongside other activities such as:

  • Ethics checklists to aid data scientists in creating representative datasets and unbiased algorithms 
  • Transparency clauses for AI model exchanges and service integrations included within partner contracts

The goal of regulating AI is commendable: ensuring AI-influenced decisions are equitable and that companies deploy automation only after fully understanding and mitigating risks is essential. However, these regulations may introduce additional complexities and delays for AI innovators and organisations wishing to use such technology.

As policymakers and industry leaders work to harness AI’s productive potential while preemptively addressing potential drawbacks, businesses must gear up to demonstrate compliance both internally and to their customers. This marks the advent of a new phase in AI development: advancing swiftly yet with a heightened sense of responsibility.

Trend 2: Increasing Complexity of Ransomware

Ransomware attacks are expected to become even more prevalent and sophisticated in 2024. As more businesses digitise their operations and store sensitive data in the cloud, ransomware groups will likely shift their focus to target cloud environments and backup data stores to maximise leverage for extortion.

One trend on the rise is “double extortion” ransomware attacks. In these schemes, the attackers encrypt data and exfiltrate sensitive information from the victim’s systems, which they then threaten to publish or sell online if the ransom is not paid. This additional pressure makes victims more likely to pay. Attackers may even auction off the stolen data to the highest bidder.

In addition, ransomware groups are establishing ransomware-as-a-service (RaaS) operations and malware affiliate programs to scale up their impact. These schemes provide easy-to-use ransomware toolkits for cyber criminals with limited technical skills for a portion of the profits. This further decentralises and spreads the risk across more attacks.

Given the increasing threats, we may see a regulatory push around ransomware resilience in 2024. Regulations could require organisations to: 

  • Have incident response plans for ransomware scenarios
  • Maintain offline backups of data 
  • Conduct cybersecurity awareness training
  • Implement cyber insurance policies


Those who fail to meet designated best practices around preventing and preparing for ransomware may face fines or other action. However, such regulation also presents challenges around implementation and enforcement across various sectors.

We will also likely see more focus on international partnerships, such as the International Counter Ransomware Initiative (CRI), to “break the ransomware business model by bringing together policy, law enforcement and operational agencies globally to disrupt ransomware while building resilience against malicious cyber actors”.

Trend 3: Expansion of IoT and Associated Risks

The Internet of Things revolution is firmly underway. Gartner forecasts that over 33 billion enterprise and automotive IoT devices will be actively used by 2024.

Yet this profusion of connected devices, while delivering efficiencies, also hands hackers abundant new attack vectors to exploit. Many IoT systems still lack basic security provisions such as data encryption, trusting network perimeter defences to suffice.

Business-critical operational technology (OT) infrastructure previously isolated within factories is now linked with IT management systems, exposing fragile industrial controls to digital threats. Few firmware updates exist to patch vulnerabilities in distributed IoT devices, from cameras to clinic infusion pumps.

Manufacturing, utilities and healthcare in particular must now reorient IT security around safeguarding an expanding attack surface peppered with insecure devices. Activities such as the following all help mitigate the risks that interconnection brings:

  • Segmenting networks
  • Actively monitoring traffic for anomalies
  • Requiring access controls
  • Implementing secure data transmission protocols

We expect to see more organisations align with frameworks like ISO 27001 in tackling IoT risk as it mandates a structured assessment of information security risks and protection controls tuned to an organisation’s specific context. This zero-trust approach suits the challenges of IoT.

2023 has already seen attempts to tackle information security and privacy for IoT devices with legislation such as:

  • The EU Cyber Resilience Act
  • US Cybersecurity Maturity Model Certification (CMMC) 
  • The US Consolidated Appropriations Act 
  • UK Product Security and Telecommunications Infrastructure Bill 


We expect standardised security regulations such as these to increase and enforcement to become more rigorous in 2024, coupled with industry alliances to push stronger IoT protections, especially for national infrastructure. 

Regardless of regulation and enforcement, we expect companies to move rapidly to modernise defences, as smart infrastructure multiplies access points for adversaries and the risk to business operations and success becomes too significant to ignore.

Trend 4: The Importance of Zero Trust Architectures

Industry analysts anticipate zero trust frameworks becoming formal compliance requirements within finance, government and healthcare sectors by 2025 as attacks expose conventional defence weaknesses.

Workforces are decentralising, infrastructure is moving to the cloud, and users require access anywhere, upending assumptions that clear security perimeters even exist anymore. Yet many companies still rely on familiar yet porous defences like VPNs, firewalls and privileged network rights to protect critical data.

Instead, mature cybersecurity programs are already adopting zero-trust architectures that suspend implicit trust while rigorously validating every user and system attempting access, and we expect to see the adoption of the approach increase significantly during 2024. 

This model verifies identity through stringent multi-factor authentication before granting least privilege permissions. Instead of blanket network access, micro-segmentation policies strictly limit connectivity to authorised resources. Crucially, zero trust requires continuous user activity monitoring and system logs with analytics to identify abnormal behaviours indicating threats. 
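To make the model described above concrete, here is an added example (not code from the original post or from ISMS.online) of a toy zero-trust policy decision point. Every request is evaluated afresh for MFA, least-privilege role grants, micro-segmentation and a simple behavioural anomaly check over recent activity; the roles, segments, resources and log entries are all constructed for the example.

```python
"""Toy zero-trust access decision point (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    source_segment: str   # network segment the request originates from
    resource: str
    action: str           # "read" or "write"


# Constructed least-privilege grants: role -> {resource: allowed actions}.
ROLE_GRANTS = {
    "analyst": {"reports-db": {"read"}},
    "dba": {"reports-db": {"read", "write"}, "customer-db": {"read", "write"}},
}

# Constructed micro-segmentation policy: resource -> segments allowed to reach it.
SEGMENT_POLICY = {
    "reports-db": {"corp-vdi", "db-admin"},
    "customer-db": {"db-admin"},
}

# Constructed recent access log (what continuous monitoring would feed in).
RECENT_EVENTS = [{"user": "mallory", "resource": "customer-db"} for _ in range(25)] + [
    {"user": "alice", "resource": "reports-db"},
    {"user": "bob", "resource": "customer-db"},
]


def decide(req, recent_events=RECENT_EVENTS, anomaly_threshold=20):
    """Evaluate one request; return (allowed, reasons).

    No implicit trust: the request must pass every check, and any failed
    check is recorded so the decision can be audited.
    """
    reasons = []

    # 1. Identity: strong authentication is required before anything else.
    if not req.mfa_verified:
        reasons.append("mfa-required")

    # 2. Least privilege: the role must explicitly grant this action on this resource.
    allowed_actions = ROLE_GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        reasons.append("not-least-privilege")

    # 3. Micro-segmentation: the resource must be reachable from the source segment.
    if req.source_segment not in SEGMENT_POLICY.get(req.resource, set()):
        reasons.append("segment-denied")

    # 4. Behavioural analytics: a burst of accesses well above normal volume for
    #    this user/resource pair is treated as an indicator of compromise.
    volume = sum(1 for e in recent_events
                 if e["user"] == req.user and e["resource"] == req.resource)
    if volume >= anomaly_threshold:
        reasons.append("anomalous-volume")

    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = decide(Request("alice", "analyst", True, "corp-vdi", "reports-db", "read"))
    print("alice read reports-db:", "ALLOW" if ok else "DENY", why)
    ok, why = decide(Request("mallory", "dba", True, "db-admin", "customer-db", "read"))
    print("mallory read customer-db:", "ALLOW" if ok else "DENY", why)
```

Each denial reason maps back to one of the pillars in the paragraph above, which is the property a real policy engine should preserve: an access decision that cannot explain itself cannot be audited.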

Drivers pushing zero trust principles from cybersecurity best practices towards essential include hybrid cloud adoption, remote workforce growth, and legacy perimeter protections proven inadequate against sophisticated attackers. Operational efficiency also improves by shifting an organisation’s security posture towards dynamic, contextual access decisions rather than static network privileges.

Early re-architecting of security systems enables organisations to bolster their defences and foster innovation. Implementing frameworks such as ISO 27001 can provide a structured approach to adopting zero-trust principles, offering a comprehensive set of policies and procedures that align with the highest information security management standards. This helps ensure a systematic and consistent implementation of zero-trust architectures, further strengthening an organisation’s security posture against evolving threats.

Trend 5: A More Global Approach to Regulations and Compliance Requirements

As cyberattacks grow in impact and frequency, vulnerable data governance gaps across industries and geographic borders will enter regulators’ crosshairs for stronger guardrails in 2024. 

As cyberattacks with cross-border impacts rise, governments worldwide realise the limitations of fragmented regulations between jurisdictions. While many countries have implemented privacy laws and sector-specific cybersecurity policies locally, divergence causes headaches for multinational organisations. Streamlining requirements through international collaboration will become a priority for aligning cybersecurity oversight globally instead of through disjointed regulations in 2024.

Overlapping regulations breed redundancy around practices like auditing, training or sub-processor assessments. Innovation slows as engineering teams are tasked with interpreting vague legal terminology, and budgets bloat as technical resources are diverted towards compliance reports.

In response, we expect to see collaborative groups like the International Organisation for Standardisation (ISO) and Global Privacy Assembly (GPA) work even more closely with businesses and governments in 2024 to harmonise baseline cybersecurity expectations globally around risk management, data ethics and incident response. Streamlining also comes from unified assurance frameworks like ISO 27001 and NIST’s Cybersecurity Framework, which hundreds of enterprises have already leveraged to structure cyber programs.

We’ve already seen moves towards globalisation of regulations in 2023 through data bridges like the EU-US and US-UK agreements, which are integral to the broader trend of developing a more coordinated and harmonised approach to data protection and privacy in a global context. They help align different legal systems, facilitate international data flows, and set standards that can influence global data protection practices.

Joining cross-industry leadership groups, implementing structured frameworks globally, and monitoring legislative proposals will help companies prepare to demonstrate progress. Non-compliance ceases to be an option for stewarding critical assets as information redefines business as usual.

Trend 6: Greater Regulation of Supply Chain Security

Heightened regulations and security standards for third-party suppliers will take centre stage in 2024 as organisations recognise that expanded digital supply chains present one of the most significant cyber risks to organisations.

Artificial intelligence breakthroughs may capture headlines, but less glamorous threats like software supply chain attacks continue eroding enterprises from the inside. The serious damage from incidents like SolarWinds and Log4j catalysed executive awareness of third-party risks – but comprehensive visibility and control across supplier environments remain elusive for most.

Heading into 2024, vendors will prioritise tools and standards that help manage provider risk across partnerships. Comprehensive software bills of materials (SBOMs) that catalogue the component ingredients in purchased platforms will become mandated for federal contractors as part of President Biden’s cyber executive order. SBOMs increase transparency for purchasers around known vulnerabilities or maintenance gaps across their tech stack.
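The transparency an SBOM gives a purchaser comes from being able to match its component list against advisories mechanically. The following added example (not code from the original post or from any SBOM tool) loads a constructed CycloneDX-style SBOM fragment, checks each component against a constructed advisory list with placeholder identifiers, and flags components that carry no supplier information as a maintenance gap; the advisory format and the "missing supplier" heuristic are assumptions for the example.

```python
"""Match a CycloneDX-style SBOM against advisories (added example, constructed data)."""
import json
import re

# Constructed SBOM fragment using CycloneDX field names (bomFormat, components, supplier).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "2.3.0", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "libexample", "version": "2.4.1", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "widgetlog", "version": "1.0.7"},
    {"type": "library", "name": "netutil",   "version": "0.9.2", "supplier": {"name": "Constructed Vendor"}}
  ]
}
"""

# Constructed advisories with placeholder ids; "fixed_in" is the first safe version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libexample", "fixed_in": "2.4.1"},
    {"id": "ADV-EXAMPLE-0002", "name": "widgetlog", "fixed_in": "1.1.0"},
]


def parse_version(text):
    """Turn a dotted version into a comparable tuple; non-numeric tails count as 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return the component list from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return bom.get("components", [])


def find_vulnerable(components, advisories):
    """Return (name, version, advisory id) for every component below the fixed version."""
    findings = []
    for comp in components:
        for adv in advisories:
            if comp["name"] == adv["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


def find_maintenance_gaps(components):
    """Components with no declared supplier: nobody is on record to patch them."""
    return [c["name"] for c in components if not c.get("supplier", {}).get("name")]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for name, version, adv_id in find_vulnerable(comps, ADVISORIES):
        print(f"VULNERABLE {name} {version} ({adv_id})")
    for name in find_maintenance_gaps(comps):
        print(f"MAINTENANCE GAP {name}: no supplier declared")
```

Note that the same library appears twice at different versions and only the older copy is flagged, which is exactly the kind of detail a purchaser cannot see without a component-level inventory.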

More industries will emulate automotive sector initiatives that certify secure supplier development standards based on testing processes like OWASP benchmarks. Rigorous code reviews, least privileged access, and runtime application self-protection (RASP) are other vendor reliability measures gaining adoption.

As partnerships between retailers, healthcare systems, and financial services evolve, shared accountability for cyber risk management will get codified into more contracts. Terms will address visibility requirements into partners’ attack surfaces, breach notifications and access policies. Organisations lacking cybersecurity readiness may see provider prospects dwindle in a climate focused on resilience.

Ultimately, suppliers and buyers must agree that while partnerships enable digital transformation and efficiencies, they also expand attack frontiers. Proactively securing these intersections via standards, diligence and contractual assurances becomes imperative as third parties grow embedded across operations. There is no perimeter when your network is everyone’s network.

Plotting Cyber Resilience For An Uncertain Future

As 2023 has proven, the scale and impact of cyberattacks make proactive security a non-negotiable investment for organisations rather than an isolated IT expense. 

At the minimum, cyber readiness in 2024 demands a renewed focus on governance of high-risk AI systems, resilience plans for inevitable intrusions, and visibility into supplier controls. It requires securing exponentially larger attack surfaces as computing leaves traditional perimeters. It necessitates monitoring early policy moves from regulators who won’t tolerate avoidable negligence anymore regarding data protection or incident response.

But most crucially, corporate boards must spearhead a culture committed to data integrity, ethical technology practices and collective responsibility. Cyber risk containment relies on business leaders setting an example through dedicating personnel, budget and the attention security deserves when entrusted with customer welfare and livelihoods.

The threats are complex but surmountable for those realising cyber resilience relies on coordination rather than isolation. Savvy businesses will prepare for turbulent times by proactively building partnerships, internal capacity, and trustworthy systems poised to securely reap the dividends of digital innovation.

ISMS.online now supports ISO 42001 - the world's first AI Management System.