In the ever-evolving landscape of cyber threats anticipated for 2024, the focus is set to shift towards more sophisticated tactics, with cybercriminals honing in on various strategies to exploit vulnerabilities and compromise security. Chester Wisniewski, the Director of Global Field CTO at Sophos, emphasizes several key trends and predictions for the cybersecurity realm in the coming year.
In your perspective, what are the most significant emerging cyber threats that organizations should prepare for in 2024?
It is likely we will see more of the same, which is credential theft and exploiting unpatched flaws in internet-facing equipment. This isn’t new, but will likely still be the top 2 reasons an organization is compromised. As far as things that are on the upswing we are going to continue to see criminals focus on ways to bypass multifactor authentication as it’s adoption continues to increase. This will include a mix of malicious proxy servers, social engineering attacks, cookie theft, and fatigue attacks.
How do you foresee AI influencing cybersecurity strategies and defenses in 2024?
The impact of AI on defense will most likely manifest itself through more efficient execution of existing work security teams are doing today. AI excels at taking large sets of data and helping execute queries to make sense of it. Humans often know what they want, and AI will help them get there faster. It will also enable better anomaly detection in large data sets as the machine can “see” all of the information at once and can assist in drawing human attention to things that differ from normal.
What changes in global cybersecurity regulations do you predict for 2024, and how might these impact businesses?
It is difficult to know what is to come, but I would be very surprised if we didn’t see some countries attempt to outlaw ransom payments as the ransomware epidemic continues to impose a heavy economic cost.
What are your thoughts on the cybersecurity skills gap? How should organizations and educational institutions address this challenge in 2024?
I’m not convinced the gap is as large as many of the studies would have us believe. I think we need to be more open-minded when hiring for security professionals by increasing the diversity of our potential applicants. I know many young people that were software engineers, privacy professionals, IT staff, and people with social sciences backgrounds who are having a difficult time transitioning into IT security roles, despite having experience in other fields and training in security. Experience in the field is important, but it is currently playing a gatekeeping role we cannot afford to play. People with a passion for what we do who can bring their previous experience to the table will help us fill these gaps and likely result in better outcomes in the long term.
How important do you think consumer awareness and education will be in shaping cybersecurity practices in 2024?
Systems need to protect the average person without them needing to be trained or having to think about it. If not, we have failed. The single biggest thing we can do to make this a reality is to retire the password and move toward phishing resistant authentication like pass keys. Pass keys allow a user to simply use the biometric sensor on their mobile device to authenticate to their email, social media or favourite shopping site. As we eliminate complexity and continue to make things like software updates more automatic the general public will finally be able to sit back, relax, and enjoy their online time without fear of being hacked. It is our job as security professionals to accelerate our adoption of these tools to make the world safer for everyone.