Fight or flight: The power of people and technology in cybersecurity

To mark the 20th year of cybersecurity awareness month in October, America’s Cybersecurity and Infrastructure Security Agency (CISA) announced a new program that they’re coining “Secure Our World” which is focused on four “easy” ways to stay safe online:

  • Use strong passwords
  • Turn on multifactor authentication (MFA)
  • Recognise and report phishing
  • Update software

In principle at least, these do all sound easy, but when dealing with human behaviour – as at least two of these areas do – it’s rarely quite so simple. A cynic might say that this helps to feed the narrative that security breaches are more often than not down to human error (which is, of course, a factor).

But when a breach does occur, it always feels similar to when there is an incident involving an aircraft – if you’re a user of commercial airlines, would you rather hear that it was pilot error, or a fault with the aircraft?

Regardless of conspiracy theories or your answer, this is crucial to cybersecurity. Tech and its operators must be in harmony, or issues will arise.

With major 2023 security conferences over, it’s time to review the year’s cybersecurity trends and look ahead to 2024.

Breaches, breaches, breaches…

Amid the generative AI buzz, significant breaches quickly vanished from mainstream media attention.

The UK public sector in particular seemed to take something of a pummelling during 2023, with the Police Service of Northern Ireland (PSNI), Greater Manchester Police (GMP), and the UK’s Electoral Commission all suffering a breach of some description, due to a mixed bag of human error and technology failings.

This supports our view that both people and technology are crucial, highlighting another key factor: budgets. Without delving deeply into public sector funding, it’s crucial to emphasize spending in key areas, such as cybersecurity.

If organisations are not directing significant portions of their budget towards cybersecurity then the voices of those shouting “it’s only a matter of time before you get breached” will continue to get louder. Despite that always sounding a little defeatist, it has proven time and again to be true – there’s only downside to throwing money at the problem after the event; a sentiment shared by a Vanson Bourne CommunITy member in a recent in-depth interview (IDI).

That’s not to say that money is the sole answer, but it can help to level the playing field. Nation state actors, cyber criminal gangs, and hacktivists, among others, will be spending much of their “hard earned” cash on trying to add to their hitlist. Defenders must invest robustly to protect data, finances, and reputation—once breached, recovery is nearly impossible.

It’s also worth making the point that private sector firms have been far from immune to breaches this year – despite their budget ceiling typically being higher. To continue the aviation theme from earlier, take Boeing, for example – a huge global brand, falling foul of the LockBit 3.0 ransomware gang, due to a vulnerability in their software supply chain.

LockBit – who operate on a Ransomware-as-a-Service (RaaS) model – have been prolific in recent years. And this breach of Boeing along with others such as that on the US arm of the Industrial and Commercial Bank of China (ICBC) feels like their way of reminding the world that while we’re all looking at gen AI, they’ll be going about their business of taking names and cashing cheques.

Say what you like about threat actors, but there is a certain brilliance in the way they execute their missions and continuously evolve their tactics, techniques and procedures (TTPs). Take this approach for example:

  1. BlackCat ransomware gang exfiltrate data from MeridianLink
  2. MeridianLink decides not to fully engage in negotiations with BlackCat
  3. BlackCat gets annoyed and reports MeridianLink to the US Securities and Exchange Commission (SEC)

“Good guy ransomware gang” – this term isn’t designed to glorify these hacker groups, but it does highlight what organisations and the authorities are dealing with. Highly aggressive and innovative approaches, driven, in general, by greed. A dangerous combination.

So, what does this mean for organisations, how can they combat these threats, and, ultimately, how do they go about increasing the efficacy of their security stack?

Expansion or consolidation?

The attack surface that organisations are trying to monitor and mitigate against is growing – no great epiphanies there.

Given concerns about cloud sprawl, increasing zero-day vulnerabilities, and the rise of shadow AI, IT security teams must strengthen their cyber defenses with a technology stack tailored to their organization’s needs.

And this leads us nicely into one of the main topics of discussion from security events such as RSA and BlackHat USA this year: Should companies be pursuing a “best of breed” / point solution strategy, or a “consolidation” / platform-based approach?

Organizations have increasingly sought and implemented the best security solutions for specific needs, regardless of the vendor. While sensible, this approach increases security stack complexity and potential failure points, creating more opportunities for hackers to exploit.

Additionally, it creates an integration headache for even the most seasoned IT security professionals. Disparate tools often fail to work cohesively together, creating gaps because they were never designed to do so.

As we head into 2024, attitudes seem to be shifting. Security leaders now appreciate that a comprehensive cybersecurity platform with fewer tools and vendors offers the best protection. This approach helps guard against both external threats and insider risk.

We posed the question of point solutions vs. consolidation to our community of IT and IT security decision makers. A third (33%) say that in 2024 they believe their organisation will utilise/invest in a consolidation approach, so that they use as many (or as few) tools from the same vendor as possible, while the majority (59%) say they will utilise/invest in point solutions that solve specific problems, regardless of vendor.

This may not fully endorse a consolidation approach, but it shows change takes time, especially with ingrained strategies. Migrating to a new cybersecurity approach requires careful planning and execution, but the pros outweigh the cons.

Given industry discussions, vendors of extended detection and response (XDR) platforms may experience growth in 2024. We’re certainly not here to plug any particular vendor or platform, but this XDR based approach seems to be about as close to a “silver bullet” for cybersecurity as you’re likely to find.

Ingesting data, analysing threats, and responding within a unified platform will simplify life for typically under-resourced security teams. These are the same teams who are monitoring significant numbers of alerts across a host of security solutions, a task that has been compared to playing a highly sophisticated game of “whack-a-mole”.

While it’s an entertaining analogy, the whack-a-mole approach cannot be sustainable with the evolving threat landscape in mind. XDR ultimately feels like a notable step in the right direction.

Generative AI – risk or opportunity?

So, here we are…gen AI and large language models (LLMs). What hasn’t already been said multiple times this year? Well, in all honesty, probably not an awful lot…

  • …has it been fear-inducing? Yes
  • …has it been disruptive? Absolutely
  • …will it transform how we live and work? Without a doubt

We live and breathe B2B tech. Despite recent turmoil at OpenAI, we believe the rapid evolution of ChatGPT technology will benefit all industries and the global economy.

Businesses need an adjustment period to learn how to maximize value while minimizing risk from this technology.

We’ve already referenced the phenomenon of shadow AI. This seems inevitable, given the wide-ranging uses in software development, marketing, data modeling, and many other fields. Long-term, businesses rushing to adopt gen AI to avoid falling behind will likely view it as a necessary growing pain.

IT security teams should be considered during this phase since they will be accountable for breaches from unapproved Gen AI tools. It’s crucial for all business areas to leverage Gen AI effectively to support their objectives. Additionally, they should work with the IT/IT security department to embed the tools they need in a responsible way.

Most worthwhile endeavors are challenging or risky, and generative AI fits this category. But the expanding attack surface is real, and this technology evolution will perpetuate that, at least in the short-medium term.

Emphasising this is the fact that when we asked 81 of our community members what they believed would be the biggest challenge and/or transformation in cybersecurity during 2024 (in a verbatim format), just under 60% mentioned AI in some way, shape, or form – with many of them highlighting the potential associated risks, or benefits for cyber criminals.

Nonetheless, this technology can be used for good as well as evil. The aforementioned XDR solutions already leverage AI to expedite data ingestion, threat analysis, and decision-making phases. Eliminating these time-consuming tasks will ease IT security teams’ burdens and improve organizations’ security posture.

However, cyber criminals are as innovative as, if not more so than, the organizations they target. And, while the jury is still out on gen AI’s effectiveness for coding, and on when malware will arrive carrying baked-in gen AI capabilities (as this post-RSA article mentions), the security community understands that it can often be the simplest attacks that are the most effective.

Attackers will likely use gen AI to enhance the effectiveness and scale of their social engineering attacks, mainly through phishing scams. These can now be executed more effectively and on a larger scale.

Which brings us full circle to one of CISA’s core themes – recognise and report phishing. Of course, we cannot disregard the other themes, but this one in particular stands out. Cyber criminals having gen AI at their disposal makes this seemingly straightforward task even more difficult.

Organizations must invest in proper employee training to reduce the risk of falling for increasingly convincing messages. This, in tandem with choosing a suitable security approach and technology stack, will give them the best chance against rapidly evolving threats in 2024.

This is one of those odd occasions where the problem and the solution are the same – people and technology.

Cybersecurity for 2024: people, technology…and dogs?!

A year is a long time in cybersecurity, and with 2023’s cybersecurity developments, what will 2024 bring? The probable answer…more of the same, but on steroids.

Gen AI will be central – either deployed by organisations to defend themselves, or by cyber criminals to breach those defences. As we enter the new year, the interplay between people and technology, especially AI, will be more important than ever.

Returning to our aviation subtext, there is a pilot joke that says the ideal flight crew is a computer, a pilot and a dog. The computer’s job is to fly the plane. The pilot is there to feed the dog. And the dog’s job is to bite the pilot if he tries to touch the computer.

We don’t just bring this up for comic effect, as there is a serious underlying point. In 2024, pilots must not let technology outpace them, as it would in this scenario if the dog did its job. People must be central to technology and security transformation to ensure we can fix any issues that arise.

The dog’s role changes from preventing human interaction with technology to encouraging it and helping everyone understand its importance.

Tackling cybersecurity requires a wider effort beyond just the IT/security team and technology. And this is why CISA set out their guidelines in the way that they did. For successful threat mitigation, everyone must be accountable, keeping each other vigilant like “dogs biting the hand.”

Everyone in the organization must know the latest threats from teenage hackers, nation-state attackers, or RaaS gangs. They must understand rising trends like gen AI and their impact on daily roles.

Technology drives our world, regardless of industry or organization size. Sharing knowledge in 2024 will help organizations tackle their people and technology problems.

Methodology

82 UK IT decision makers from the Vanson Bourne Community were interviewed in November 2023. All came from organisations with 500+ employees, from across various sectors.