Once again we reflect on the end of another year and look forward to the coming year. The end of the year (EOY) is a time when people all over the world shift priorities to spend time with family, friends and loved ones. It is also the time of year when organizations tend to wind down business operations in observance of the holidays while looking forward to what the new year will bring.
“Money never sleeps” — Gordon Gekko
Neither do security threats. Risk doesn’t take ‘time off’: bad actors don’t pause their attacks so that we can ‘enjoy the holidays’, nor do they wait until we are back at full speed after the break.
If anything, this new year brings with it a threat landscape that has evolved to target devices, data and users in novel ways, while potentially including a few new tricks up its sleeve to keep IT/Security professionals and law enforcement agencies on their toes in 2024.
With that, we give you: Jamf’s security predictions for 2024
1. Expect a greater emphasis on CEO Fraud attacks
Phishing threats see no end in sight. This isn’t clairvoyance, just the reality that phishing attacks continue to be a growing trend. CEO Fraud-based attacks, however, are a branch of phishing rooted in spear phishing that subverts expectations: attackers impersonate an executive in order to convince an employee to perform a task for the attacker’s financial gain. We will see a surge in attacks targeting the upper echelons of an organization, since the potential financial gain per attack is significantly higher than that of several other phishing attack types combined, while requiring the same level of effort from threat actors to carry out campaigns.
Often referred to as Business Email Compromise (BEC), this attack type also carries a much higher than average success rate: “90% of the attempts succeeded. This compares to a success rate of 30% for phishing attacks.”, according to Ken Bagnall’s CEO Fraud: Protecting Businesses session at (ISC)² EMEA Congress. This makes the attack type far more difficult to stop than most, since executives only appear to be the main target; in reality, everyone must play their part in the organization’s cybersecurity plan to prevent bad actors from succeeding with this type of attack.
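As an added illustration (not code from the Jamf post), the following screen flags the traits that CEO Fraud mail typically shows: an executive’s display name on an address that is not theirs, a Reply-To that silently redirects replies, a look-alike sender domain, and urgency or payment language. The executive directory, corporate domain and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                   # assumption: protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed executive directory
URGENCY_TERMS = ("urgent", "wire transfer", "gift card", "keep this confidential")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list:
    """Return the list of CEO Fraud indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1]
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace").lower()
    flags = []
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr != exec_addr:      # impersonated executive name
        flags.append("executive display name on a non-executive address")
    if reply_addr and reply_addr != from_addr:    # replies go to the attacker
        flags.append("reply-to redirects replies elsewhere")
    if domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        flags.append("look-alike sender domain: " + domain)
    if any(term in body for term in URGENCY_TERMS):
        flags.append("urgency or payment language in body")
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
Subject: Quick task
Content-Type: text/plain

I'm in a meeting and need an urgent wire transfer processed today. Keep this confidential.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q1 planning
Content-Type: text/plain

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS))   # four indicators
    print(bec_indicators(LEGIT))        # []
```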
2. Bad actors evolve attacks to include generative AI to supercharge threats
Artificial Intelligence and Machine Learning (ML) continue to make headlines regarding how these advanced technologies benefit multiple industries by simplifying and automating manually-intensive tasks.
In a case of “what’s good for the goose is good for the gander”, AI/ML — like any other tool — doesn’t distinguish between “good” and “bad” uses: threat actors rely on these tools to create more sophisticated threats that are also much more difficult to discover, verify and ultimately protect against.
As seen in 2023 in the case of an AI-enabled ransom scam involving the manipulation and impersonation of the voice of a woman believed to be kidnapped, it shouldn’t come as a surprise when generative AI tools lacking ethical guardrails or any moral limitations are used to develop realistic-looking deep fake content that is used to extort targets by threatening to release the “footage” and ruin their reputation. Nor should it surprise us when ML technology is leveraged to develop dynamic malicious code that is adaptable enough to evade detection by evolving its codebase while continuing to gather data as it attacks infrastructures from within.
3. Nation-state-backed attacks continue but with an emphasis on compromising global elections
2024 serves as the 60th quadrennial presidential election and, all political commentary aside, it represents a big year for the United States which will see its citizens exercising their right to vote for their candidate of choice.
And as we noted in last year’s predictions, “It’s no secret that the election process has long been a hot-button topic for nation-state actors and hacktivists.” The coming elections are poised to keep the threat momentum going with continued attacks “by and against governments and enterprises.”
And while cyberattacks against the electoral infrastructure itself are far from certain, other, more indirect forms of attack are expected to be put into place, such as false-information campaigns that spread through social media platforms like wildfire in an effort to reach the hearts and minds of registered voters — even when the information being spread stems from covert operations led by nation-states looking for opportunities to influence politics in the U.S. and other regions throughout the global economy, and/or to reap gains from any civil unrest that misinformation campaigns might lead to.
4. AI and ML adoption within existing security stacks to increase exponentially
As mentioned above in prediction number two, AI/ML benefits a number of industries and services. One of these that has been seeing great success is none other than cybersecurity. Specifically, solutions and services used to enhance the protection of endpoints and mobile devices.
The relatively nascent technologies have shown a great deal of efficacy thus far by automating the gathering and analysis of threat intelligence data and aiding Security teams with guidance on how best to mitigate identified risk factors. At the same time, the promise (or nightmare) of an AI-infused threat landscape is a call to action for developers to integrate ML technology into endpoint security solutions and threat defense services for use within organizational security stacks.
Threat actors utilizing AI to develop greater, more sophisticated threats is its own prediction of the future, but if administrators are to have any hope of keeping their networks, endpoints, data and users safe from advanced threats, well, they’ll need to fight fire with fire. Or in this case, incorporate AI/ML technologies at the forefront of the battle between AI-backed threat actors vs. AI-powered defenses.
5. Attackers focus on targeting alternative technology sources to disrupt service delivery
Targeting computers and users to gain access to critical data or financial gain is just one reason for attacks occurring. For others, they are tactical in nature, serving as a means to an end. Though we may not always understand an attacker’s rationale, what is known is that compromises of any kind — regardless of reasoning — are never a good thing.
“Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.” — Alfred, The Dark Knight
2024 will see a focal shift that includes the targeting of alternative technologies: those that not only serve as entry points into a network but also serve as a diversion, a red herring to keep defense teams busy while the true attack is carried out clandestinely or, as the quote above stoically points out, to inflict pain and suffering just because they can. For example, a recent BlackHat presentation explained how security researchers jailbroke a popular fleet of EV cars with self-driving capabilities to:
- unlock features protected behind a paywall
- access user data, including contact details
- modify vehicle configurations that affect usability
Utilizing threat models that target the hardware itself makes it so that, in some cases, the vulnerability cannot be patched through a future software-based update. In fact, some researchers theorize that, given ample time, controlling the car remotely is something fully within the realm of possibility.
Another example exists with IoT (Internet of Things) devices used in healthcare to deliver critical care to patients. Despite being known for converting standalone devices into smart-enabled ones with access to the internet, in cybersecurity circles, IoT has a reputation for relaxed security settings that often introduce security vulnerabilities, impacting the organizational security posture. As a component of healthcare, being used to monitor and deliver potentially life-saving care to patients, the spectre of IoT’s long-known security issues could very well be manipulated into serving as a repository for data mining patient health. Worse still, devices that deliver medication or smart beds used for therapy could be compromised to deliver too little/too much medication in the former use case or may be reconfigured to worsen patient outcomes instead of providing optimal support in the latter.
“The global IoT Market size is expected to grow from USD 300.3 billion in 2021 to USD 650.5 billion by 2026.” — Markets and Markets Research
6. Organizations double down on established frameworks to achieve and maintain compliance
It’s no coincidence that highly regulated industries continue to be a critical target for threat actors, and that member organizations have a legal obligation to comply with any local, state, federal and/or regional requirements that apply to them.
As laws evolve to catch up to technological advances, regulated and unregulated businesses alike will lean more aggressively toward implementing cybersecurity frameworks to ease the burden of achieving compliance while maintaining a high level of security within their organization. This isn’t to say that it’s a hard requirement for businesses to adopt frameworks but rather that organizations will more actively choose them moving forward in light of the evolving threat landscape, which includes:
- Adoption of AI-based tooling to supercharge threats and attacks
- Increasing regulatory oversight, including changes to mandates
- Lack of standardization across managed and unmanaged device fleets
- Insecure configurations
- Unsupported apps
- Patches not up to date
- Decentralized management
- Inability to monitor endpoint health
Implementing management and endpoint security solutions is an excellent step on your enterprise’s compliance journey, but these tools alone will not a compliant organization make. While the tools will drive the proper configuration of your endpoints, you must first have a roadmap to map out your destination. This is where integration between compliance frameworks and management/security solutions shines, by providing the exact device settings and hardening configurations needed to achieve and enforce your compliance goals, while ongoing monitoring, gathering and analysis of telemetry data helps maintain compliance (including automated remediation workflows to bring endpoints back into compliance should they fall out of scope).
7. Mobile devices will be the Achilles’ heel of data security for businesses of all sizes
Mobile devices are defined as smartphones, tablets and wearables. When considering these alongside computers, it’s a no-brainer that every remote/hybrid employee uses at least one. Fun fact: according to a Statista finding, in 2023 the average number of devices per person rose to 3.6 devices, up from 2.4 just five years prior.
“A 2021 survey of working adults from across the world revealed that in 2021, 64% of working adults from the United States used their personal smartphones for business-related purposes. In comparison…the global average was 54%.” — Statista
Threat actors are leaning on this critical segment hard because mobile devices typically see significantly fewer security protections than their desktop counterparts. Despite having some of the most advanced security features baked right in, a feature that is misconfigured or simply not enabled is cause for concern. When paired with the mobile segment’s estimated potential to grow its global market share larger than that of traditional computers — all while providing users on-the-go access to the same (and sometimes even more) confidential and private data as standalone devices — well, that’s a recipe for data breaches in the making.
8. The Zero Trust model finally dethrones legacy VPNs in the enterprise
For a technology designed decades ago, VPN has stood the test of time. That said, several of the predictions in this blog, alongside some of the most critical data breaches we’ve seen in 2023 alone, might have seen their fallout minimized — and others could have been mitigated outright — if only Zero Trust Network Access (ZTNA) solutions for mobile devices had been implemented in place of legacy VPN.
“…entities still rely on outdated technology and software. These legacy systems often lack the latest security patches and updates, making them easier to breach and more susceptible to exploitation by cybercriminals.” — Emil Sayegh
Some of the predictions listed here will no doubt benefit from ZTNA; 2024 is the year that Zero Trust models push past the final barrier of adoption as the modern security solution of choice for businesses of all sizes to replace legacy VPNs still in use at the enterprise level. As the soon-to-be de facto security technology for Federal Government systems, not only will remote connections continue to remain secure, but thanks in no small part to its integration within the larger security stack, network security threats like MitM and zero-day phishing attacks are prevented while protection is standardized across OS-agnostic device fleets. Enhanced with identity-based conditional access protections and encrypting individual communications for each app/service, ZTNA vets device health prior to granting each access request.
In short: Zero Trust never trusts devices or users implicitly; instead, it always verifies both before secure connections are established.
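To make the contrast concrete, here is an added example (not code from the post or from Jamf’s products) of the decision logic described above: a legacy VPN grants the whole network after one login, whereas a ZTNA-style policy re-checks identity and device health for every individual app request and refuses stale health reports. The app policy, posture fields and freshness window are constructed assumptions.

```python
from dataclasses import dataclass
import time

@dataclass
class Device:
    managed: bool
    os_version: tuple          # e.g. (17, 2)
    disk_encrypted: bool
    endpoint_protection_ok: bool
    posture_checked_at: float  # epoch seconds of the last health report

@dataclass
class User:
    name: str
    groups: set
    mfa_verified: bool

# Constructed per-app policy: required group and minimum OS version.
APP_POLICY = {
    "payroll": {"group": "finance", "min_os": (17, 0)},
    "wiki":    {"group": "staff",   "min_os": (16, 0)},
}
POSTURE_MAX_AGE = 300  # seconds; an older health report is not trusted (assumption)

def legacy_vpn_grant(user: User) -> set:
    """Legacy VPN model: one successful login exposes every app on the network."""
    return set(APP_POLICY) if user.mfa_verified else set()

def ztna_decision(user: User, device: Device, app: str, now: float = None):
    """Per-request decision: (allowed, reasons). Nothing is trusted implicitly."""
    now = time.time() if now is None else now
    policy = APP_POLICY.get(app)
    reasons = []
    if policy is None:
        return False, ["unknown app"]
    if not user.mfa_verified:
        reasons.append("identity not verified with MFA")
    if policy["group"] not in user.groups:
        reasons.append("user not entitled to " + app)
    if not device.managed:
        reasons.append("device is unmanaged")
    if device.os_version < policy["min_os"]:
        reasons.append("OS version below policy minimum")
    if not device.disk_encrypted:
        reasons.append("disk encryption disabled")
    if not device.endpoint_protection_ok:
        reasons.append("endpoint protection unhealthy")
    if now - device.posture_checked_at > POSTURE_MAX_AGE:
        reasons.append("stale device health report")
    return not reasons, reasons

# Constructed sample identity and devices.
ALICE = User("alice", {"staff", "finance"}, mfa_verified=True)
HEALTHY = Device(True, (17, 2), True, True, posture_checked_at=1000.0)
STALE = Device(True, (17, 2), True, True, posture_checked_at=0.0)
```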
9. Increasing cyber insurance premiums force enterprises to invest in AI-based security solutions
Cyber insurance remains unaffordable for many businesses, even more so than before. Citing already high premium costs and exception clauses for certain types of cyberattacks as key reasons to reallocate funding, affected organizations pivot to nascent AI-based threat defense services that promise to dynamically restructure their existing security stack and fortify their security posture against growing risks and an ever-evolving threat landscape.
Insurance premiums, though flattening out cost-wise, are still out of reach for many businesses of all sizes. This presents the perfect situation for affected organizations to seize the opportunity to reassess their risk appetite and implement AI-based cybersecurity tools to help keep risk at tolerable levels by mitigating some of the top threats impacting global businesses.
To put it into perspective, consider the following points:
- The average cost of a data breach in the U.S. sits at $4.45 million, according to IBM’s Cost of a Data Breach Report 2023.
- In the same report, IBM’s study found that organizations using AI and automation identified and contained a data breach 108 days faster than organizations without.
- Comparatively, organizations using AI and automation yielded the highest cost savings with an average cost of a data breach at $3.60 million, or $1.76 million less than the average data breach.
10. Organizations enforce native apps for handling business data while scaling back web app usage
Web apps, often referred to as Software-as-a-Service (SaaS), have been used by businesses the world over for their relative ease of implementation and compatibility across multiple device types and operating systems. The ability to deploy a web-based application or service while utilizing minimal resources and providing an optimal user experience regardless of the device or browser being used to access it is every developer’s dream. But as with all things, perspective is key. From a security viewpoint, web apps offer users all the access they desire without any of the relative security protections inherent to the device used to access web apps because the data never really exists on the device but rather is processed out-of-band across the internet on a server or device someone other than the user or admin controls.
“70% of web applications have severe security gaps.” — Security Magazine
For this critical reason, web apps pose increased threats of exposing sensitive data due to unauthorized access, exacerbated by service misconfiguration or lack of appropriate security protocols used by developers during the development of the app’s code. Threat actors know this, and that’s why they continually prime their phishing campaigns to gather user credentials. After all, the simplest way to brute force your way into a locked door is to have a copy of the key, is it not?
Hence the push by Security professionals to prefer the use of native apps installed on user devices, where endpoint security protections and hardened configurations can both be locked down and updated on a regular cadence to ensure apps are up-to-date and devices stay compliant. One such key feature of using native apps in managed settings is that business data can be stored on an encrypted volume that exists independently from personal data on a separate volume. Should personal data become compromised, business data remains unaffected. If a personal device used for work is lost or stolen, the option exists to erase the device entirely or simply delete the protected business volume for granular data security protection.
As organizations worldwide are winding back up from the end of one year and the beginning of a new one, it’s natural to reflect on not only the year that just ended but also what the new one that lies before us will bring. This is a great way for us to learn from what’s come before, assess our security posture earnestly and face forward to the future.