Toro-Blog-listing

Risks facing Businesses in 2024

Written by HQ | Jan 2, 2024 9:00:00 AM

As January 2024 unfolds, the security and risk community finds itself grappling with a pivotal question: What lies ahead for businesses, clients, and security professionals?

Fortunately, significant groundwork has been laid, with reputable bodies like the Institute of Internal Auditors unveiling their multinational reports for the upcoming year.

At Toro, we recognise the interconnected nature of threats to businesses, and the prevailing risk projections for 2024 suggest a trajectory of increasing complexity.

This blog delves into the key takeaways from these reports, particularly emphasizing the emergence of an 'omni-crisis' as a central theme.

Throughout this blog we will explore the ranked security risks and the actionable insights crucial for businesses as they navigate the challenges on the horizon.

Below is the ranked list of the prevailing security risks to businesses in 2024, provided by the IIA.[1]

  1. Cybersecurity and data security (84 %)
  2. Human capital, diversity, talent management and retention (57 %)
  3. Macroeconomic and geopolitical uncertainty (43 %)
  4. Change in laws and regulations (43 %)
  5. Business continuity, operational resilience, crisis management and disasters response (35 %)
  6. Digital disruption, new technology and AI (33 %)
  7. Climate change, biodiversity, and environmental sustainability (32 %)
  8. Supply chain, outsourcing and ‘nth’ party risk (30 %)
  9. Market changes, competition and changing consumer behaviour (30 %)
  10. Financial, liquidity and insolvency risks (26 %)

With 2024 here, it is time to build on these insights and translate them into actionable business information.

This list by the IIA is deserving of an extensive risk-by-risk breakdown, however for the scope of this report, insights will be translated from risks one and six; Cybersecurity and AI.

Using Toro’s integrated methodology, these prevailing risks will be understood across the business areas of Cyber (IT system security), Physical (personal and site security), and People (talent and recruitment diligence). Risks four and nine will also be considered as legal and market changes are affect all areas of business; from manufacturing to hospitality; and from IT to supply chains.

Cyber

The internet is now full of emerging AI powered technologies such as WormGPT and FraudGPT. Alongside the use of tools like ‘Spiderfoot,’ the AI powered methods attackers use are highly likely to become more advanced and accessible creating more realistic and effective phishing attacks.[2] [3]

The above diagram shows the network interactions of a business accessed via the free-to-access open-source tool ‘Spiderfoot.’ This is the type of tool used by those with very little technical experience to launch cyberattacks. These people have been termed “Script Kiddies.” [4] If a connection directly linked to you or your organisation is breached you may receive compromised emails from trusted clients and suppliers.

Many analysts now think that it is only a matter of time until cybercriminals have unrestricted access to generative AI that can write malicious code, create deepfakes, and assist with social engineering attacks.

There are countermeasures:

  • AI network security solutions learn normal network interactions and identify anomalies, but the success of these solutions are dependent on your business having a security policy that is already in place.
  • Conducting a health check on your business will ensure that the network security solution, network security software can learn what safe network activity looks like, therefore doing its job effectively for you.

An organisation only needs to be slightly susceptible to fall victim to these kinds of attacks. With the tech giants like Microsoft and Google now competing for the small business market it is probable that entering 2024 businesses will need to maintain multiple licences across several service providers to maintain a competitive edge.[5]

  • Manage this additional complexity by understanding your network’s interactions, monitoring the administration of access rights and maintaining data security policies.

It may be the case that an organisation has adequate vetting procedures, but your client or service provider in the sectors with the greatest talent deficiencies such as insurance and ecommerce may not have the same level of diligence.[6] 2023 has shown that IT solutions are not a fix-all.

  • Human error is measured to be the cause of 80-95% of security breaches.[7] Developments in deepfake technology, 5G network vulnerabilities, and social engineering attack methods are only going to maintain the high level of this threat.[8] The ‘people factor’ needs to be addressed.

People

When asked in 2023, two thirds of business executives identified that the greatest cyber threats originate from an employee’s failure to comply with data security policies.[9]

With the global talent crisis that is affecting a substantial number of industries, the need for people focused security is becoming increasingly apparent. The large number of social engineering attacks and vulnerabilities made possible by human error reveal that the ‘people factor’ is not something that can be viewed as separate from IT threats.

With the use of generative AI such as FraudGPT methods of attack are projected to become more prevalent. PWC’s 26th annual Global Digital Trust Insights report is dominated by this very issue.

For the longest time now, businesses have been overwhelmed by the sheer volume and complexity of human launched attacks.[10]

  • The now 135% uptake in novel social engineering attacks in 2023 has put notable pressure on executives to find AI powered solutions.[11] 69% of senior executives are reported by PWC to be seeking AI cybersecurity solutions going into 2024.

This increase in the adoption of AI solutions is reflected in the fourth greatest concern on the Institute of Internal Auditors’ report; changes in laws and regulations. Emerging legislation is already setting the tone for 2024.

The Government of the United Kingdom has recently published information on data centre security regulations. Additionally on the eighth of December 2023 the EU finalised negotiations on the European Union’s “AI Act”. [12] [13]

  • Conducting thorough security reviews is already best practice, but these laws will likely introduce industry wide requirements for cybersecurity risk assessments, especially for industries and services exposed to AI.

Working from home has caused a notable uptick in stress and mental health concerns among staff who have subsequently become more susceptible to fraud, deception, and even participation in insider attacks.[15]

The 7000 business insolvencies projected in every quarter of 2024 by the Centre for Economics and Business Research (Cebr) will increase this strain as restructuring and increased demand for specific skills put teams under stress.[16]

The opportunities this could present to an attacker are numerous and can change dramatically depending on the nature of an organisation’s operations and its connections.

  • Fixing the vulnerabilities that staff have is a priority, be they; relaxed out-of-office device handling; use of business domains for personal use; or more traditional cost of living financial pressures.[17]

Physical

The threats posed by new emerging technologies are further connected to physical security threats. 2023 has seen the rise in smart devices being hacked, threatening your data, your privacy, and your business operations. [18]

The ‘Internet of Things’ (“IOT”) is an emerging technology that links many Wi-Fi enabled devices to one cloud-based network.

These network device risks can affect anything in your business or home:

  • GPS enabled devices can track your and your colleague’s locations.
  • Smart TVs can allow an attacker to access your Wi-Fi network.
  • Smart speakers using Alexa and Google technologies can be breached and attackers can check through your voice search history.

IOT is expanding rapidly into construction, healthcare, manufacturing, small/medium sized enterprises, and everything in between. With the roll-out of smart meters and smart homes this now reaches into to the private home.

Vulnerabilities in passcode and biometric access systems now pose one of the greatest threats to physical security. Paired with broader trends such as inflation and the cost-of-living crisis, the nature of physical attacks are likely to expand.

In 2023 single factor (proximity access) cards have become easily replicable. AI is increasingly able to create fake ID documents. Biometric security measures are now being undermined by desktop computer software that can copy mobile phones to fake their way into the networks. [19]

Mirai Botnet malware attacks can take over smart devices and turn them into ‘zombies’ that attackers can use to launch massive attacks from your system. Attacks like this can cause irreparable reputational damage.

  • Gaining a bespoke understanding of these potential attack vectors going into 2024 is strongly recommended over seeking generalised mitigations.

In conclusion, as we stand on the brink of 2024, the landscape of security risks for businesses is marked by a complex interplay of factors. The concept of an 'omni-crisis' emerges as a central theme, with cybersecurity, human capital, macroeconomic uncertainties, and evolving technologies taking the forefront. The ranked list of prevailing security risks provided by the Institute of Internal Auditors serves as a roadmap for businesses to navigate the challenges ahead.

The integration of AI into cyber threats poses a formidable challenge, with tools like WormGPT and FraudGPT escalating the sophistication of attacks. Countermeasures such as AI network security solutions exist, but their effectiveness relies on established security policies.

Crucially, the human factor emerges as a pivotal element in cybersecurity. The rise of social engineering attacks and the vulnerability introduced by human error underscore the need for a people-focused security approach. As legislative frameworks evolve, businesses must prioritise cybersecurity risk assessments, especially in sectors exposed to AI.

New UK government papers indicate that minimum cybersecurity requirements are fast approaching for data centres. In the European Union, the EU’s “AI Act” is also set to make risk assessments a requirement for businesses using AI to work in sensitive areas such as healthcare, banking, and education. These legislative and regulatory changes are looking to transform the landscape of cybersecurity and place further obligations on businesses. To prevent disruption a proactive approach will be essential.

The intertwining of physical and digital threats further complicates the security landscape, with IoT vulnerabilities and emerging technologies exposing businesses to increased risks.

In the face of these challenges, the year ahead demands a holistic approach that integrates technological advancements with a keen awareness of the human element, ensuring resilience in the face of an ever-evolving threat landscape.

Throughout the year we will be exploring the rest of these risks and sharing new risks as they arise.

If you would like to start 2024 by reviewing your Security and creating a clear roadmap for resilience, then please contact Toro.

-----------------------------------------------------------------------------------------------------------------------

[1] https://iia.no/risk-in-focus-2024-hot-topics-for-internal-auditors/

[2] https://slashnext.com/blog/wormgpt-the-generative-ai-tool-cybercriminals-are-using-to-launch-business-email-compromise-attacks/

[3] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/

[4] https://www.trellix.com/about/newsroom/stories/research/trellix-2024-threat-predictions/#threat-ai

[5] https://www.computerworld.com/article/3690590/chromeos-2023-google-has-eye-on-enterprise.html

[6] https://www.ecisolutions.com/en-gb/blog/the-skills-shortages-report-which-industries-are-struggling-to-bridge-the-gap/

[7] https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/

[8] https://www.marcumllp.com/insights/top-6-enterprise-cybersecurity-challenges-for-2024#:~:text=One%20significant%20issue%20is%20the,may%20contain%20malware%20or%20vulnerabilities.

[9] https://www.marshmclennan.com/insights/publications/2020/july/hr-s-increasingly-important-role-in-cyber-risk-management.html#:~:text=Almost%20two%20thirds%20(62%25),2020%20Global%20Talent%20Trends%20Study.

[10] https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trust-insights.html

[11] https://ir.darktrace.com/press-releases/2023/4/3/8b2d6ba25d9d54a1895956a985fe4a7d08d9f42607a112fb17964e4b57fad7d6

[12] https://www.csoonline.com/article/1258597/how-the-eu-ai-act-regulates-artificial-intelligence-and-what-it-means-for-cybersecurity.html

[13] https://www.datacenterdynamics.com/en/news/uk-government-proposes-new-data-center-security-regulations/

[15] https://www.strategic-risk-europe.com/home/risk-guide-how-to-create-the-right-culture-to-tackle-people-related-risks/1445024.article

[16] https://startups.co.uk/news/business-insolvencies-per-quarter/#:~:text=As%20high%20interest%20rates%20continue,and%20Business%20Research%20(Cebr).

[17] https://www.mercer.com/insights/people-strategy/people-risks-and-business-resilience/#:~:text=The%20top%20people%20risk%20that,globally%20is%20administration%20and%20fiduciary.

[18] https://www.avira.com/en/blog/these-are-the-two-most-hacked-devices-in-smart-homes

[19] https://www.biometricupdate.com/202301/exponential-hacking-of-biometric-authentication-reveals-some-defenses-already-overwhelmed