Three Cybersecurity Predictions to Help Boards Prepare for 2024
12/12/2023
High-profile cyberattacks over the past few years have given us a first-hand look at how detrimental a security incident can be for any company, from financial loss and reputational damage to system downtime and a loss of customers. Consequently, security has evolved from being an information technology (IT) risk—and the sole problem of IT and security teams—to a business risk that involves the entirety of an organization, including its board of directors.
Security needs to start at the top, from the boardroom to the mailroom. In fact, over the past 18 months there has been increased emphasis on elevating the role of all leadership in security and risk management, most notably from the US Securities and Exchange Commission and its recently adopted rules for publicly traded companies.
Greater involvement in cybersecurity from boards and other leaders will help companies build a security culture that is better prepared to defend against today’s threat actors. But to realize these benefits, boards must go about their newfound oversight and responsibility in the right way. One of the first things directors can do to make a positive impact going into 2024 is to prepare their organizations for what’s to come. Here are three predictions to be aware of:
1. We’ll see the resurgence of historic attack methods. Though they’ve been around for decades, phishing and other social engineering attacks are still the biggest threats to companies. As organizations implement zero-trust architectures and more effective security tools to shore up gaps in their infrastructure, cybercriminals are increasingly targeting end users directly as a way around account credentials and multifactor authentication.
On top of this, generative artificial intelligence (AI) has made it fast, easy, and cost-effective for cybercriminals to craft flawless, context-aware emails and text messages in the recipient’s native language, as well as believable audio and video impersonations, making it harder than ever for recipients to distinguish legitimate material from fake.
Cybercriminals want maximum reward for minimal work, and generative AI-powered phishing and social engineering attacks provide them with this combination. Because of this, not only are attack volumes increasing, but success rates are as well—and this will continue in 2024.
How to prepare: The best way to prepare an organization to battle advanced phishing and other social engineering threats is to ensure leaders prioritize cybersecurity awareness, education, and training. The most effective programs are conducted frequently (e.g., monthly) and consist of short, engaging content that keeps employees’ attention while providing them with key takeaways on threat vectors, ways to spot them, and best practices for responding if they suspect something is malicious.
The threat landscape evolves rapidly, and so too must our defense strategies. Keeping security top of mind for employees can transform them from a weak link to a first line of defense in the cyber battle.
2. Ransomware will continue because companies continue to pay. Research reveals ransomware victims are on track to pay cybercriminals approximately $900 million by the end of the year. Ransomware groups have been very successful in compromising organizations and getting them to pay handsomely for their efforts. The continued success and payouts are emboldening these groups.
How to prepare: The first step in preparing for a ransomware attack is shifting the board’s and company leaders’ mindset to plan for when, not if, it happens. The worst thing a company can do is be caught off guard when ransomware takes down business systems. Before an attack occurs, a well-prepared company will know how many days it can be down without incurring a major business impact; it will have already addressed the tough questions, including whether or not to pay; and it will have put processes and technology in place to remain resilient in the face of an attack.
Here are a few best practices to bring to company leaders:
- Develop, document, and practice an incident response plan that specifically deals with ransomware.
- Segment systems to isolate the damage inflicted during an attack, so that portions of the ecosystem are still available to operate the business.
- Implement dedicated backup and recovery systems that an attacker who has compromised production systems cannot also reach, so that backups survive the attack.
- Conduct ongoing vulnerability management and patching programs.
- Understand normal traffic patterns and user behaviors, so that the company can quickly detect anomalies and suspicious activity.
3. Supply chain attacks will escalate. Supply chain attacks, such as those that occurred at SolarWinds Corp. and against MOVEit, are big wins for attackers, especially because exploiting a vulnerability that lies outside the victim organization’s control can pay dividends. In fact, aside from social engineering threats, supply chain attacks are one of the most prevalent avenues for bad actors to compromise organizations.
High-profile attacks have raised public awareness around securing the supply chain, and vendors and regulatory bodies have responded in kind. For example, several vendors have increased their supply chain security capabilities this year and the adoption of tools to help manage the software supply chain will continue to increase. Additionally, the White House’s National Cybersecurity Strategy holds software developers accountable for vulnerabilities, which will help push further adoption of security tools focused on the software supply chain.
How to prepare: Supply chain risks are twofold. A company could fall victim to a third-party breach because it is using software from a vendor that has been attacked, or the company’s own software supply chain could be compromised.
To guard against both, organizations need to combine the supply chain security tools on the market with strong processes, including the following:
- Gaining visibility into the corporate environment to understand which software, code, data, technologies, and other assets are coming from third parties
- Prioritizing asset protection based on the level of risk a breach of the asset would pose to the business
- Assessing third-party suppliers and holding them to high security standards
- Ensuring developers are using open-source, third-party code securely (open-source software supply chain attacks are skyrocketing)
- Securing the software development process from beginning to end
Strengthening Security on a Budget
You may be wondering how you can help your company prepare for all these cyber threats at a time when many are struggling to obtain cybersecurity budgets. However, rather than hindering businesses, today’s economic climate gives companies a unique opportunity to focus on technology rationalization.
Technology rationalization means taking stock of the security tools already in your technology stack and making deliberate use of them to buy down systemic risk and build resilience. With security technology rationalization, organizations can improve visibility into the security stack, detect security gaps, identify redundant tools and opportunities to integrate, ensure all tool capabilities are being used, save money over time, and raise overall security hygiene.
Getting more involved in cybersecurity requires understanding the threat landscape, knowing the most effective strategies for defending against these threats, and figuring out how to do more with less.
Optiv is a NACD partner, providing directors with critical and timely information and perspectives. Optiv is a financial supporter of the NACD.
Randy Lariar is a practice director for Optiv, the cyber advisory and solutions leader. He specializes in AI, machine learning, big data, and analytics.