Small and medium-sized enterprises (SMEs) are increasingly becoming targets of cyber attacks. In this article, we look back at the cyber security trends that emerged in 2023, paying close attention to the impact AI has had, and identify how those trends have evolved in 2024.
Looking back at 2023
The hard-to-miss technology story of 2023 was the sudden emergence of generative AI as a technology with the potential to influence sectors such as cyber security. A year on, and despite many alarming predictions about how this technology will be used by attackers, not much has happened. The lesson of AI, however, is that this could change very suddenly, without warning.
The gap between the sort of attacks launched against large organisations and smaller ones has been narrowing for some time; AI has the potential to close whatever gap remains for good. If AI can be used to target large enterprises, it will work against SMEs too.
Meanwhile, although quantum computing remains some way off, the use of post-quantum encryption (that is, encryption able in principle to resist quantum factorisation) was an almost ignored but important trend, with Cloudflare reporting that 1.7% of its traffic used this format once Google Chrome started supporting it. Is this an issue for SMEs? Arguably, yes. If public key encryption fails, everybody will suffer, so PQE is an issue of interest for organisations across the spectrum.
Another important trend of 2023 that will doubtless continue in 2024 is the increasing sophistication with which attackers can bypass multi-factor authentication (MFA). A variety of techniques have emerged, including fatigue attacks against push notification MFA, stealing session cookies (not, technically, a failure of MFA but incredibly effective in some circumstances) and man-in-the-middle attacks using real-time proxying. MFA is a necessary security layer, but the wide range of implementations still makes it a complex technology to manage and secure. Its security should never be taken for granted.
Interesting 2024 trends
For years, ransomware has looked unstoppable. Attack numbers only seem to grow, with experts warning that an incident big enough to disrupt economies is now on the cards. The data for 2023 bears out the pessimism, with most security vendors noticing record or near-record numbers of attacks during the year. Despite this, there is cause for some optimism. In December, the U.S. Department of Justice (DOJ) announced that it had seized infrastructure connected to one of the ALPHV/BlackCat ransomware groups, probably the second most active extortion platform of the last two years. The group’s doomed attempt to claw back the servers simply reinforced the operation’s success. This wasn’t an isolated takedown. In October, Europol and the FBI disrupted Ragnar Locker, another prominent ransomware group. This followed similar action earlier in the year against the Hive ransomware. Ransomware is not going away, but perhaps some of the impunity is at last fading.
For e-commerce companies, bots are a menace whose evolution is starting to outstrip the ability of defenders to contain them. Bots are simply automated programs designed to interact with e-commerce systems faster than a human can. Some are legitimate and beneficial, but a growing number are not, even when they are not illegal. Common uses include product scalping, price scraping, account takeover, and CAPTCHA defeat, with the OWASP Foundation listing 21 types of bad bots. Data scraping bots targeting APIs have become a particular problem and are being used to extract data from large platforms in a way that mimics a data breach. Traditional defences such as web application firewalls (WAFs) and IP blocking are becoming less effective against them.
Software supply chain attacks were a notable trend in 2023 and there is no reason to believe 2024 will be any different. Examples include Okta, MOVEit, JetBrains, and 3CX. The genius of these attacks is that attackers could compromise one service provider to gain access to its entire customer base without that being obvious until serious damage has been done. How does an SME defend against an attack on a trusted software partner? With the same difficulty as everyone else.
It’s unlikely much progress will be made on the perennial cyber security skills gap in 2024. Some fatalism has set in around the issue, not helped by ISC2’s recent estimate that the gap in the UK reached 367,000 in 2023, up 8.3% year-on-year. This figure measures not just the job roles advertised but not filled; it also accounts for the underlying need for people that can’t be met, usually for budgetary reasons. SMEs, of course, are increasingly using Managed Security Service Providers (MSSPs) to fill the gap, but even these service providers can be affected by the same shortages of people with the right skills.