As Cynet’s COO (chief operating officer), my team and I get to work closely with risk management executives at small-to-medium enterprises (SMEs) around the world. In this piece, I’ll distill insights from our collaboration into three salient trends for 2024, supported by stats and studies from across the cybersecurity practice.
These emerging patterns pertain to organizations of all shapes and sizes — but, make no mistake, the greatest effects will be felt by SMEs where lean security teams with shoestring budgets are the norm. For companies with 1,000–5,000 employees, the average cost of a data breach reached $4.87 million in 2023 — a year-over-year increase of nearly 20%, according to IBM.
I highly encourage business leaders to leverage resources like the 2024 Cybersecurity Planning Checklist for a holistic understanding of the security technologies, services and initiatives needed to manage risk in the year ahead. You can also watch an on-demand webinar as we connect our findings to actionable advice you can implement to protect your organization’s most critical operations and valuable assets.
Trend 1: SMEs Will Face Recognizable Risks at Unprecedented Scale
Executives will be challenged to boost security awareness, expertise and capability — without adding costly headcount.
The potential to bolster or bypass cybersecurity measures with artificial intelligence is far from breaking news. But don’t worry: this forecast steers clear of the canned prognostications you’ve been reading since ChatGPT became a household name.
Initially, speculation was abundant that adversaries would weaponize GenAI to invent never-before-seen malware with the click of a button. That didn’t happen. Instead, my team has observed the use of GenAI to proliferate existing threats at unprecedented scale. This trend will continue to typify automated attacks.
A parallel effect of GenAI is that rookie hackers will wreak havoc in 2024.When mainstream platforms implement guardrails to deter illegal activity, alternatives like FraudGPT circumvent those restrictions. Dark web forums where malware and ransomware are sold as services make it easy for script kiddies to procure and deploy automated malware. These dynamics offer inexperienced threat actors an asymmetric advantage against unprepared organizations. This will produce a lot new threat actors trying to breach your environment.
The impact will be especially acute for SMEs. Gartner forecasts cybersecurity spending to increase by 14% in 2024 as the volume of inbound threats increases exponentially. Further underscoring this disparity, PwC estimates that one in five organizations will shrink or freeze their security budget for 2024. Lean security teams must guard against the same threats facing large enterprises — but with a fraction of the personnel, budget or bandwidth.
Company culture can help close this gap. Employee incentives — such as the risk-linked performance bonuses — can boost awareness and reinforce resilience. According to another Gartner survey, 50% of C-suite leaders will have performance requirements related to cybersecurity risk embedded in their contracts by 2026.
For guidance to boost employee awareness, page 5 of the 2024 SME security plan checklist identifies the key components of a holistic security training program. By implementing these initiatives, SME execs can reduce organizational risk by boosting organizational awareness, promoting responsible best practices and empowering employees to respond appropriately if they believe an incident is underway.
Trend 2: Malware is Evolving Maximize Financial Damage
SME execs can mitigate their exposure by prioritizing preventative capabilities to qualify for favorable insurance coverage.
Threat actors are adapting malware to bypass detections and impart maximum financial damage. In 2024, this ongoing evolution will be exemplified by cybercriminals’ widespread embrace of customizable infostealers like Stealc. Based on the Vidar, Raccoon, Mars and Redline stealers,Stealc allows attackers to pick and choose the data they wish to pull from their victims’ machines.
To evade detection, infostealers may hide within seemingly innocuous email attachments, hijack legitimate websites or exploit vulnerabilities in your software. Once they have established a foothold, they may employ keyloggers to capture your every keystroke, steal browser cookies to access your online accounts, or even target specific applications like email clients and instant messaging platforms. The pilfered data can be immensely valuable in the dark web forums where threat actors convene. Buyers can then use it to commit identity theft, drain bank accounts or blackmail organizations.
As the financial stakes of cybersecurity soar in 2024, executives can take the initiative to mitigate organizational risk. Cyber insurance provides an increasingly popular layer of protection. The market is expected to surpass $20 billion in 2024, up from $7 billion in 2020. Most agreements cover damage and recovery costs — but some extend to investigations, forensics, fines, lawsuits and even ransomware payments.
To qualify for optimal coverage, providers typically require organizations to demonstrate certain cybersecurity capabilities. These requirements help ensure that the organization has a baseline level of security to reduce the likelihood and impact of cyber incidents. Pg. 8 of the 2024 Cybersecurity Planning Checklist identifies the most important capabilities to proactively detect and destroy stealthy threats.
Compliance is also key, especially in highly regulated sectors. Executives must prepare to report impact to regulators and minimize reputational damage. Resources like an incident response template can be customized to define a plan with roles and responsibilities, processes and an action item checklist.
Trend 3: Geopolitical Chaos Will Spread Cyber Threats to New Sectors
Ideologically motivated cyberattacks will comprise a larger proportion of threat actor activity.
The world is entering an era of heightened geopolitical tensions, with rising nationalism, ideological clashes and a growing distrust of international institutions. This volatility creates fertile ground for ideologically motivated cyberattacks, introducing new considerations for security leaders.
Traditionally, cybersecurity adversaries could be oversimplified into two categories. First and most common are financially motivated threat actors. They pursue profit, as with a ransomware gang demanding payment or a social engineer soliciting credit card numbers. The second, state-sponsored threat actors, are backed by governments. They aim to advance the national security interests of their state.
In 2024, business leaders can expect to a significant increase in activity from a third flavor of adversary: ideologically motivated threat actors, often referred to as “hacktivists” or “cyberterrorists” depending on one’s opinion of their targets. Ideologically motivated cyberattacks aim to disrupt critical infrastructure and sow discord within target nations. They may target power grids, transportation systems, financial institutions, or even companies that are perceived to take an opposing social stance causing widespread disruption and economic damage. But their goal is not to monetize that damage, like a financially motivated cybercrime; or to collect intelligence for analysis, like state-sponsored espionage. For these ideologically motivated actors, disruption is an objective in and of itself.
As hacktivism surges this year, small businesses in sectors once thought of as “safe” from cybercrime must recognize that ideological adversaries could view them as low hanging fruit. Let’s say, for the sake of example, you run a fashion blog. It is unlikely your site stows the large cash reserves targeted by financial crimes; or the classified IP of the sort sought by the China-backed breach of Boeing. Nothing to worry about, right?
Wrong. A typical tactic of ideologically motivated actors is to spread propaganda and disinformation online. Hackers can hijack media outlets to promote fake news, manipulate social media algorithms and even infiltrate online communities to spread misinformation. When TTPs are optimized to cause confusion, polarize public opinion and undermine trust in institutions, that fashion blog could easily be caught in the crosshairs.
As a result, executives across industries must recognize security as an organizational enabler, not a narrow niche for technical specialists, and build it into the fabric of their operations. Guides like “How to Build a Security Framework” can offer you a helpful head start. For SMEs, newer all-in-one cybersecurity platforms offer an affordable and realistic approach for gaining enterprise-grade defenses without the exorbitant costs and complexities of building and operating an integrated multi-vendor tech stack.
Conclusion
For a growth-focused SME, lapses in cybersecurity can be catastrophic. Protection must be integral to every aspect of decision-making, from product development to supply chain management. By understanding new opportunities to holistically manage risk in collaboration with technology teams, business leaders can prepare to boost organizational resilience in 2024.