In 2023 we predicted that supply chain, data breaches and ransomware will continue to grow. We also predicted that the Critical Infrastructure (CI) sectors will continue to be targeted. Our predictions, sadly, became a reality: one of the biggest supply chain attacks in history unfolded in the summer of 2023, the M0VEit attack (check CYEN’s June Month-in-Review), leading to major data breaches worldwide. Victims included the BBC, Aer Lingus, BBC, Ernst & Young, Schneider Electric, Siemens Energy, banks, investment firms, pharma technology providers and many more. In fact, the global average cost of data breaches reached $4.45 million in 2023, showing a 15% increase over the last three years (IBM).
Ransomware, too, confirms the worrying tendency of growth: as of 2023, over 72% of businesses globally have been affected by a ransomware attack (Statista). After the slowing-down period in 2022, which brought hope for change, ransomware shot to the spotlight again and only in Q1 & Q2 of 2023 $449.1 million have been paid to ransomware groups (compared to around $500 million for the whole 2022) (Wired).
The CI sectors also kept being targeted, with major attacks on the energy sector such as the attacks on the Ukrainian power grid, and across many EU member states. The health sector kept being targeted too: cyberattacks have doubled in Q1 of 2023 compared to Q1 of 2022 and 2021 (ENISA), with ransomware amounting to 54% of all attacks on the sector (ENISA).
2024 will likely see some of these tendencies continuing. We predict that these five types of threats will dominate the cybersecurity news in 2024:
- Disinformation campaigns – in view of the EU Parliament elections in the summer and the US Presidential elections in the autumn;
- AI abuse – such as deep fakes and vishing (also meaning identity theft!) in view of the two key elections;
- Ransomware – considering the colossal profits and ease of attacks (ransomware-as-a-service, insufficient SME’s cybersecurity measures);
- Supply chain attacks – considering the increasing complexities and dependencies on suppliers/sub-contractors with inadequate cybersecurity measures in place;
- Data breaches – while not all data breaches are due to a cyberattack, most attacks lead to a data breach.
2024 topics to pay attention to
Disinformation campaigns and AI abuse could significantly jeopardise the credibility and trustworthiness of the election campaigns and actual voting process in Europe and North America. The very rapid rise of Generative AI in 2023 grabbed the attention of policy-makers and its regulation was thoroughly debated during the negotiations on the EU AI Act. The soon-to-be-adopted AI Act is the very first AI-related piece of legislation worldwide and policy-makers hope that it will manage to deter the rise of Generative AI for malicious use. Whilst compliance with the law is not expected in 2024, hopes are that social media platforms will pay particular attention to AI-enabled content aimed at spreading disinformation (in light of compliance requirements with the EU Digital Services Act). These particular types of attacks will not target companies per se, but individuals, as their aim will be influencing the outcome of the elections.
Critical infrastructure trends
The CI sectors will continue to be a prime target for malicious actors, especially those who are politically motivated and state-sponsored. However, many European companies operating in these sectors fall within the scope of the NIS2 Directive (check CYEN’s analysis here: article, video, infographic) and will be expected to adhere to the cybersecurity requirements set in the Directive, thereby reducing the risk of cybersecurity incidents.
Policy & Regulation
2024 will be a year of preparation for compliance with EU cybersecurity laws. The deadline for transposition of the NIS2 Directive by the Member states is 17 October and companies within the scope will need to have implemented the cybersecurity requirements by that date (or, alternatively, the date set in then national transposition laws). DORA, the Digital Operational Resilience Act, will become applicable in January 2025 therefore financial entities will need to use 2024 to meet this compliance deadline (check CYEN’s analysis here). The Cyber Resilience Act will be published in the Official Journal of the EU soon, with a compliance deadline for the manufacturers, importers and distributors of hardware and software products around Q1 2027 and incident and vulnerabilities’ notification required from end 2025 / early 2026. It is time for manufacturers of ICT products to adapt business, product, production, maintenance and compliance processes accordingly. Same timeframe applies for the AI Act: producers of high-risk AI systems need to take appropriate technical and organisational measures to ensure the relevant and appropriate robustness, and that cybersecurity measures are regularly monitored for effectiveness are regularly adjusted or updated.
First and foremost, in 2024 companies could carefully evaluate their cybersecurity preparedness, including their suppliers/contractors/sub-contractors’ cybersecurity risks. Attackers target the weakest link, which very often can be outside the company itself, but the collateral damage can be devastating for the leading company too.
Second, with all new EU cybersecurity regulations on the table, the change of processes, measures and agreements need to take place now to meet the compliance deadlines. Proactively considering the requirements and how to evidence compliance will save companies time and budget, gaining a competitive advantage on the EU market.
Third, we strongly advise against paying the ransom if targeted by a ransomware attack. Paying never guarantees that all the data and the information will be recovered. It also does not guarantee they have not already been leaked on the dark web.
Last but not least, we encourage companies to invest in cybersecurity awareness trainings. 91% of all company cyber incidents begin with a phishing email (Deloitte). Falling victims to these types of emails can be significantly reduced if employees are trained how to recognise and report them. We encourage managers to praise employees who reported such attacks – spreading the positive message can be as impactful as sharing the scary statistics.
If you need support with the assessing the cybersecurity level of your company get in touch!