Staying up to date with the latest in cyber security has arguably never been more paramount than in 2024. Financial services provider Allianz named cyber attacks this year’s biggest risk for business in the U.K. and a top concern for businesses of all sizes for the first time. However, many professionals are still in the dark about what the events in Q1 tell us about the cyber landscape for the rest of the year that could have significant consequences.
TechRepublic consulted U.K. industry experts to identify the three most significant trends in cyber security — AI, zero days and IoT security — and provide guidance as to how businesses can best hold their fort.
1. Sophisticated cyber attacks with AI
In January 2024, the U.K.’s National Cyber Security Centre warned that the global ransomware threat was expected to rise due to the availability of AI technologies, with attacks increasing in both volume and impact. The risk to U.K. businesses is especially pronounced, with a recent Microsoft report finding that 87% are either “vulnerable” or “at high risk” of cyber attacks. The Minister for AI and Intellectual Property, Viscount Camrose, has specifically highlighted the need for U.K. organizations to “step up their cyber security plans,” as it is the third most targeted country in the world when it comes to cyber attacks, after the U.S. and Ukraine.
James Babbage, the director general for threats at the National Crime Agency, said in the NCSC’s post: “AI services lower barriers to entry, increasing the number of cyber criminals, and will boost their capability by improving the scale, speed and effectiveness of existing attack methods.”
Criminals can use the technology to stage more convincing social engineering attacks and gain initial network access. According to Google Cloud’s global Cybersecurity Forecast report, large language models and generative AI “will be increasingly offered in underground forums as a paid service, and used for various purposes such as phishing campaigns and spreading disinformation.”
SEE: Top AI Predictions for 2024 (Free TechRepublic Premium Download)
Jake Moore, the global cybersecurity advisor for internet security and antivirus company ESET, has been looking into real-time cloning software that uses AI to swap a video caller’s face with someone else’s. He told TechRepublic via email: “This technology, along with impressive AI voice cloning software, is already starting to make the authenticity of a video call questionable which could have a devastating impact on businesses of all sizes.”
OpenAI announced on March 29, 2024 that it was taking a “cautious and informed approach” when it comes to releasing its voice cloning tool to the general public “due to the potential for synthetic voice misuse.” The model called Voice Engine is able to convincingly replicate a user’s voice with just 15 seconds of recorded audio.
“Malicious hackers tend to use a variety of techniques to manipulate their victims but impressive new technology without boundaries or regulations is making it easier for cybercriminals to influence people for financial gain and add yet another tool to their ever-growing toolkit,” said Moore.
“Staff need to be reminded that we are moving into an age where seeing is not always believing, and verification remains the key to security. Policies must never be cut shy in favor of spoken instructions and all staff need to be aware of (real-time cloning software) which is about to explode over the next 12 months.”
2. More successful zero-day exploits
Government statistics found that 32% of U.K. businesses suffered a known data breach or cyber attack in 2023. Raj Samani, senior vice president chief scientist at unified cyber security platform Rapid7, believes that enterprise attacks will remain particularly frequent in the U.K. throughout this year, but added that threat actors are also more sophisticated.
He told TechRepublic in an email: “One of the most emergent trends over 2023 that we are seeing continue into 2024 is the sheer number of exploited Zero Days by threat groups that we ordinarily would not have anticipated having such capabilities.
“What this means for the U.K. cybersecurity sector is the demand for faster triaging of security update prioritization. It is imperative that organizations of all sizes implement an approach to improve the identification of critical advisories that impact their environment, and that they incorporate context into these decisions.
“For example, if a vulnerability is being exploited in the wild and there are no compensating controls — and it is being exploited by, for example, ransomware groups — then the speed with which patches are applied will likely need to be prioritized.”
SEE: Top Cybersecurity Predictions for 2024 (Free TechRepublic Premium Download)
The “Cyber security breaches survey 2023” by the U.K. government found declines in the key cyber hygiene practices of password policies, network firewalls, restricted admin rights and policies to apply software security updates within 14 days. While the data largely reflects shifts in micro, small and medium businesses, the laxness significantly increases the scope of targets available to cyber criminals, and highlights the necessity for improvement in 2024.
“Personal data continues to be a hugely valuable currency,” Moore told TechRepublic. “Once employees let their guard down (attacks) can be extremely successful, so it is vital that staff members are aware of (the) tactics that are used.”
3. Renewed focus on IoT security
By April 29, 2024, all IoT device suppliers in the U.K. will need to comply with the Product Security and Telecommunications Act 2022, meaning that, as a minimum:
- Devices must be password enabled.
- Consumers can clearly report security issues.
- The duration of the device’s security support is disclosed.
While this is a positive step, many organizations continue to rely heavily upon legacy devices that may no longer receive support from their supplier.
Moore told TechRepublic in an email: “IoT devices have far too often been packaged up with weak — if any — built-in security features so (users) are on the back foot from the get go and often do not realize the potential weaknesses. Security updates also tend to be infrequent which put further risks on the owner.”
Organizations relying on legacy devices include those that handle critical national infrastructure in the U.K., like hospitals, utilities and telecommunications. Evidence from Thales submitted for a U.K. government report on the threat of ransomware to national security stated “it is not uncommon within the CNI sector to find aging systems with long operational life that are not routinely updated, monitored or assessed.” Other evidence from NCC Group said that “OT (operational technology) systems are much more likely to include components that are 20 to 30 years old and/or use older software that is less secure and no longer supported.” These older systems put essential services at risk of disruption.
According to IT security company ZScaler, 34 of the 39 most-used IoT exploits have been present in devices for at least three years. Furthermore, Gartner analysts predicted that 75% of organizations will harbor unmanaged or legacy systems that perform mission-critical tasks by 2026 because they have not been included in their zero-trust strategies.
“IoT owners must understand the risks when putting any internet connected device in their business but forcing IoT devices to be more secure from the design phase is vital and could patch up many common attack vectors,” said Moore.