Sasha Henry and Archie Millar summarise the cyber threats recently identified by the World Economic Forum
What is the current state, and where are we going?
From opportunistic ransomware to complex crime-as-a-service, threat actors have adapted their methodologies to facilitate enterprise scale attacks by monetising major business disruption. With increasing Distributed Denial of Service (DDoS) attacks due to Russian aggression in Ukraine and the rise of hacktivist activity in the Middle East, having the capability to attack both boots on the ground and through cyber streams has become strategic to kinetic war efforts. These trends impact not only governments, but also commercial organisations, as threat actors take advantage of global conflict. As we approach the start of the new financial year, there are several new developments on the horizon, driven by these dynamic digital, political, and social transformations.
In their 2024 Global Security Outlook, the World Economic Forum (WEF) cited the accelerating inequity between organisations that are cyber resilient and those disproportionately impacted by the evolution of ransomware. Identifying the minimum viable function of a business has become a driving factor in investment decision-making, and this growing divide in offensive and defensive cyber capabilities requires urgent action.
Whether it is addressing the skills gap in security or heightened anxiety around generative artificial intelligence (AI), the relative direction of travel has remained the same. However, prioritisation of risk management activities has changed. In 2023, the cyber security economy grew four times as fast as the world economy, which has been driven by investment in new technologies and tooling to improve protection of digital assets.1 Chief Information Officers (CIO) and Chief Information Security Officers (CISO) have become increasingly aware of the activities necessary to reduce exposure, mitigate risk and minimise operational disruption. Cyber security is a business problem, not just a technology problem, and as the breadth and depth of impact grows, strategic involvement will be a foundational requirement from business leadership across organisational hierarchies.
Geopolitics driving advancement and division in cyber resilience
Varying perceptions of business, culture and risk across different regions influence the commercial decision-making of organisations. For example, companies in Africa, Asia and South America have more concern over financial extortion whereas companies in the Middle East are more concerned about reputation damage. Inevitably, regional and financial differences have separated the industry into market leaders and others into a position of disparity. According to the WEF, 25% of companies stated their cyber resilience was sufficient in 2024, up from 14% in 2022. Similarly, 39% of companies now report resilience levels exceeding their requirements, up from 19% in 2022.2
It is important to consider how risk transfer plays a role in the management of cyber exposure. In terms of scale, the WEF states that 85% of organisations with more than 100,000 employees have a cyber policy in place, compared with 21% of small to medium-sized enterprises (SME). This seismic gap illustrates the struggle some organisations have in overcoming the barriers to entry.
Although premiums have decreased and capacity has expanded, there are still some concerns in the underwriting community in relation to systematic or catastrophic cyber events. In addition, the WEF noted that the number of organisations holding cyber insurance has dropped by 24% since 2022 due to the economic viability of risk transfer products.
In an effort to support insurers with critical decision making in this evolving environment, Weightmans LLP in partnership with other third parties, have establishment of the Cyber Monitoring Centre (CMC). The objective of this collaborative engagement is to develop a classification and ranking solution for analysing systematic cyber incidents, which have compromised a range of organisations with a single methodology.
While the CMC is addressing challenges faced by the insurance market, individual organisations are directing spend based on types of service offerings and parameters dictating the business environment. Certain industry sectors need to enforce cyber practices onto companies due to regulatory requirements while other large enterprises have developed a culture of cyber resilience because of the nature of their operations.
How is AI impacting threat actor and business decision making?
The flood of commercial and academic discussion around AI can be difficult to follow at times, evolving with each new lawsuit or innovation. Some say it will solve climate change and some say it will cause global destruction. Whether you are an enthusiast or a sceptic, AI is a topic that cannot be ignored. Generative AI has now become the cybercriminals best friend, lowering barriers to entry, and providing access to complex phishing exploits, malware development and deep fakes. In their analysis, the WEF concluded that a series of major global cyber incidents, such as the exploitation of Log4j, in 2021 and 2022 drove businesses to invest more on monitoring and regularly assessing threat information.
Over the past several years, the cost of cybercrime has exceeded more traditional types of illegal economies, as profit margins of ransomware groups outperformed those of the cocaine cartels in the 1990s. Polymorphic malware is a product of this environment, by collating data produced by the attack, and morphing the tooling to adapt and mitigate detection. This approach is becoming more viable for threat actors as AI tools, such as ChatGPT, are readily accessible. Furthermore, with legislation lagging, cyber criminals have free range of the market and have been able to capitalise on this. Cyber defence practices have yet to adopt the same level of dependence on AI tools. Although, some machine learning and use of large language models are already deployed in breach detection, recovery and data protection, there is still opportunity for innovation. In addition to AI and machine learning, the WEF predicts that greater adoption of cloud technology as well as user identity and access management tooling will have the greatest influence on the direction of cyber risk strategies moving forward.
Challenges around data privacy, algorithmic bias, and other types of ethical concern, are growing the need for regulation of AI to ensure transparency as well as accountability. The New York Times recent lawsuit against OpenAI, has seen a shift in rhetoric around challenges such as copyright and intellectual property. In addition, consumer protection and product liability issues are driving countries to develop centralised approaches to managing risks around the evolution of AI. However, these approaches vary according to regional jurisdictional priorities. For example, the EU is taking a restrictive approach, requiring assessment of general purpose AI models through adversarial testing and detailed evaluations. In contrast, the UK is taking an industry and vertical driven approach, using existing regulators to inform the method across sectors with an emphasis on innovation. Based on detailed assessments, the WEF identified that these types of regulatory requirements are influencing a change in spend, with 76% of commercial leaders agreeing that increased enforcement will improve overall cyber resilience.
Cyber skills gaps and organisational divides are of growing concern
The rapid evolution of technology is constantly creating new challenges for businesses, outpacing the development of skilled professionals and organisational awareness. More specifically, the perception gap between technical subject matter experts and executive leadership continues to delay critical decision making. From communication challenges to differing risk perspectives, there is a growing disparity between reporting structures within businesses, driving inconsistency in cyber security governance. With board and technical team misalignment, there is the risk of having a lack of resources for skills and talent development. While IT security teams may focus on acquiring skills relevant to day-to-day operations, executive leadership may prioritise broad strategic skills related to risk management. The WEF states that there is also an industry divide, with businesses using advanced technology having the necessary in-house capabilities compared to a lack of expertise in critical infrastructure organisations. To address the growing inconsistency in the procurement of cyber security professionals, businesses need to foster a collaborative approach to drive a sustainable future of resources for the organisation.
What do we do now and how to prepare for evolving threats of 2024?
While digital transformation has brought immense opportunities, and conveniences, it has also driven a new era of uncertainly. Connectivity is expanding the attack surface; data has become a currency and technical advancement is driving new threat types. Whether it is the impact to our clients from supply chain attacks, operations due to a lack of availability or individuals as a result of a data breach, this new frontier is complex. Going forward, the governance of cyber practices and the resilience of digital operations are both inevitable challenges that governments, organisations, and businesses must accept. Bringing cultural change to these sectors will encourage the tightening of inequity, by sustaining accountability and embracing the shift of direction in our technological ideals. Furthermore, raising awareness of geopolitical tensions and navigating systemic commercial disruptions will be top of mind for decision makers. By staying adaptive, vigilant, and collective, organisations can better protect themselves against these evolving threats and beyond.
- Gartner, “Gartner Identifies Three Factors Influencing Growth in Security Spending”, 13 October 2022: https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i. ↩︎
- World Economic Forum, “Global Cyber security Outlook 2024”, January 2024: https://www3.weforum.org/docs/WEF_Global_Cyber security_Outlook_2024.pdf. ↩︎
Sasha Henry, Senior Management Consultant at CyXcel, has worked as a consultant across a diverse set of professional services firms including insurance, information technology, internal audit and legal.
Archie Millar, Cyber Analyst at CyXcel. He has experience in consultancy roles in cybersecurity involving a variety of services including operational technology, incident reporting, and legal.