
Gazing Into the Crystal Ball: Cybersecurity and Digital Trust Trends In 2024 and Beyond

Written by: Lim Teck Wee, CyberArk’s ASEAN Area Vice President

Many of us took ChatGPT for a first-time spin just 12 months ago. However, because we found it so easy to use and valuable to our work and lives, we collectively floored the pedal and now we find ourselves concluding 2023 wondering how we ever lived without this wonder vehicle. The past year marked a significant breakthrough for generative Artificial Intelligence (GenAI), evoking both excitement and unease among cybersecurity professionals who recognise the inseparable link between technological advancements and cyber risks. These advancements also give attackers new ways to pursue their relentless drive to steal and use identities.

Here are our predictions on how key trends in 2023 will impact 2024 and beyond.

In 2024 …
Session hijacking will become more prevalent than traditional credential theft
More organisations will adopt passwordless access management – an authentication method that allows a user to gain access to an application or IT system without entering a password or answering security questions. Instead, the user provides some other form of evidence such as a fingerprint, proximity badge, or hardware token code. This can take the form of passkeys and other multi-factor authentication tools that protect organisations against cyberattacks. Threat actors will adapt their strategies to deceive external users, steal session cookies, and circumvent robust authentication measures.

By 2024, we predict that 40% of all cyberattacks will involve session hijacking. Maintaining a constant watch and implementing robust measures to secure, monitor, and respond to the abuse or compromise of user sessions and cookies is imperative. This is particularly crucial given Google’s commitment to eliminating cookies.

We expect traditional credential theft will be less prevalent when passwordless takes hold. However, credential theft is not going away. Organisations implementing passwordless authentication may require a backup factor, and many companies will ironically fall back on insecure options such as passwords. Attackers will continue to take advantage of poor password protections. We predict that 30% of organisations will experience an increase in data breaches linked to credential theft.

By 2025 …
Unprotected AI-driven security mechanisms will fuel a vicious cyber risk cycle
Even as organisations adopt GenAI to enhance cybersecurity, a significant 80% are expected to fall short in safeguarding these AI-driven security models. Gaining a competitive advantage over attackers necessitates adopting an adversarial mindset. This involves training GenAI models with both offensive and defensive samples, incorporating model assurance, and conducting regular stress testing, including methods like red teaming and penetration testing. According to IDC, by 2026, 25% of organisations will utilise AI to enhance data privacy through the use of data anonymisation, encryption, anomaly detection, and privacy-preserving machine learning (ML) techniques like differential privacy.

Equally crucial is hosting these AI models in highly secure environments with robust access protections. Embedding GenAI in product security is an imperative step.

By 2026 …
Nearly half of Fortune 500 company boards will hire a chief AI security officer.
Cybersecurity is not just an IT problem; it is key for business resilience as well as stakeholder trust. Recognising the critical nature of cybersecurity, most Fortune 500 organisations are enhancing their cybersecurity capabilities at the level of corporate directors. By 2026, AI risks will drive an even greater sense of urgency – 45% of these enterprises will recruit a chief AI security officer to the board. This individual will possess a blend of technical expertise and business acumen, playing a pivotal role in advancing AI innovation, managing associated risks, and safeguarding AI-based security models. Their involvement in cybersecurity strategy will extend to expanding oversight and reporting mechanisms to assess and enhance security initiatives, risk assessments, and incident response plans.

Organisations will face a regulatory reckoning.
60% of all regulated global entities will struggle to comply with ever-increasing data protection and breach disclosure requirements, especially as GenAI use cases expand. More organisations will be subject to penalties for non-compliance as regulatory enforcement becomes more stringent. Today, failure to comply with Singapore’s Personal Data Protection Act (PDPA) alone can cost organisations at least S$1 million or 10% of the organisation’s annual turnover in Singapore for those with annual local turnover exceeding S$10 million, whichever is higher. These substantial fines are expected to rise further, increasing the severity of the financial repercussions.

As we journey through 2024 and beyond, cybersecurity’s rapid evolution underscores the need for proactivity and adaptability to safeguard against both emerging and worsening threats and challenges.
