2023 was a record-breaking year for data theft.
By the end of the third quarter in 2023, 2,116 reported data breaches had been reported to the Identity Theft Resource Center (ITRC). While the total number of data breaches for 2023 still hasn’t been reported, one thing is certain: the number of breaches in 2023 has already surpassed 2021’s previous record of 1,862 reported breaches.
With so many cyberattacks and data breaches, it’s prudent to look at the trends likely to affect the cybersecurity industry in 2024.
Emerging trends in the IT security industry
What can we expect in 2024? This year’s list contains a little of everything, including some new attack vectors as well as some old favorites.
1. AI has entered the chat
If 2023 was the year that ChatGPT brought Artificial Intelligence (AI) to the general public 2024 is likely to see more criminals putting the technology to work for their own ends. ITRC predicts that criminals will use generative AI for misinformation and of course, for theft. One possible attack: using generative AI and stolen personal information to create convincing “medical records” that can be submitted to insurance companies for reimbursement.
2. Ransomware isn’t going anywhere
Ransomware is malware — or malicious software — that holds an organization’s information, systems, data or networks for ransom. It does this by blocking access to data, either by encrypting the data or by locking a system. The attackers then demand a ransom for the encryption key. If the ransom isn’t paid, you don’t get your data back, and some attackers will threaten to publish proprietary information on the public internet.
Ransomware attacks are unlikely to stop; unfortunately criminals have found that this sort of crime pays. That said, more and more ransoms are not being paid; less than half of victims are paying ransoms. SANS expects to see more ransomware attacks on operational technology in the next year.
3. Data privacy regulations are changing
In 2023, the number of U.S. states with data privacy regulations more than doubled. There are now 12 states with data privacy laws on the books. That is a trend ITRC expects to see continue in 2024, although the group does not expect to see Congress enact any federal data privacy laws.
Data protection laws are good news for consumers, but compliance may be tricky for businesses — especially those not in highly-regulated industries. Businesses who haven’t had to worry about data protection previously will need to upgrade their processes and privacy to stay in compliance.
4. All suppliers should be vetted
You do background checks on your new hires. You should also complete background checks on vendors, because they are often an attractive target for hackers, who can potentially gain access to many companies by breaching one.
Vendor hacks are common. According to Verizon, 62% of attacks last year involved a supply chain partner. SANS found that attacks on technology companies more than doubled in the early months 2023 meaning criminals are focused on compromising service providers in technology in hopes of getting to their clients.
5. Nation-states will be behind more attacks
SANS expects to see more state-backed, targeted intrusions and attacks against critical infrastructure, while the ITRC expects to see nation-states getting involved with identity crimes in 2024, especially impersonation and synthetic identity fraud. This may advance the adoption of biometric-based identity verification tools to prove people are who they claim to be.
6. People will always be the weakest link
Social engineering continues to be prevalent in breaches; 74% of all breaches involve a human element. This can mean a variety of things: employees who made a mistake that allows a cyberattack, malicious insiders, or a company falling victim to a social engineering attack like phishing. Given that phishing is a popular attack vector, social engineering attacks – essentially, tricking employees into responding to messages from criminals pretending to be someone else — are probably here to stay.
That said, there are ways you can prevent your people from being scammed into giving up credentials, access, or clicking a link that will compromise your company. Training is the first line of defense against recognizing a phishing scam or making a server configuration error that might expose sensitive data. The second line of defense is testing your people — an IT team that periodically sends out test phishing emails will be able to see which of your employees are most likely to click on a bad link and who needs more training. Another line of defense against phishing scams is a good email filter. It won’t catch the most sophisticated scams, but it will weed out common phishing attacks before an employee can see or click on them.
Why should physical security pros worry about cyber risk?
Many companies consider IT security to be separate from physical security. They are often handled by different departments and those departments may not report to the same leaders in the organization.
That’s a mistake; physical security and cyber security are deeply and intrinsically related — especially now that technology is a part of almost every aspect of our lives. As long as we continue to see physical risk and IT risk as different, companies leave themselves vulnerable to the places where those risks intersect. Even if physical security and cyber security are handled by different teams at your organization, they should see each other as partners when planning to handle risk.
Ready to create a plan for IT security? Talk to us now about assessing your security.
About the Author
