Advancements in technology have driven growth within the Northern business community however, this success brings with it ever-evolving cyber risks, says The North East Business Resilience Centre (NEBRC).
Businesses and cyber professionals must prepare as they face new challenges, what worked yesterday won’t necessarily work in the future.
The North East Business Resilience Centre (NEBRC), a police-led, not-for-profit organisation, educates, supports and protects small businesses against cyber threats. After releasing its 2024 cyber predictions report, some of the region’s cyber experts have come together to share their predictions for how small businesses can prepare for upcoming threats in 2024 and beyond.
Small businesses must acknowledge and act on cyber threats
Small businesses must be bold with the protections and training currently in place, with no room for complacency. They are no less likely to be targeted than larger corporations. A 2023 report by Hiscox revealed that there has been a “rise in the proportion of the smallest businesses being targeted”.
Up by half in the past three years alone, the percentage of attacks is now 36%. Often smaller businesses have tighter margins and less available resources to dedicate to cyber protection, meaning that an attack will likely have an immediate and critical impact on the business.
Six predictions from some of the North East and Yorkshire’s cybersecurity experts
Experts in the NEBRC’s cyber predictions report state that threats will become more difficult to spot and almost undetectable in the coming years, requiring awareness, training and diligence from employees. From voice impersonation, phishing scams to deep learning systems able to extract sound data and lookalike domains, here are some of their predictions:
- Deep learning systems capable of extracting sound data from keyboard inputs
Martin Wilson, Detective Inspector and Head of Student Services at NEBRC, said: “Researchers have crafted a deep learning system, a type of artificial intelligence (AI), capable of extracting data which uses keyboard inputs. Essentially, this AI can predict typed content by interpreting the sound of your keystrokes.
“The ramifications imply that sensitive information like passwords or private messages could potentially be accessed. It is important to stress that this is just a theoretical finding at this stage, but it is a useful case study to demonstrate the importance of a wider point of some simple remote working precautions.”
- Supply chain cyber threats to move from emerging risk to a current and prevalent risk
According to Debra Cairns, Managing Director at Net-Defence: “Supply chain risk has moved from an emerging risk to a current risk in the last 12 months and will continue to be a threat in 2024. Most organisations are dependent on their suppliers to deliver products, systems and services, meaning that an attack on your supply chain could be as damaging as a direct attack on your business.
“Once inside your supply chain, an attack can take many forms including; service interruption, data theft, a stepping stone to directly access your systems and infrastructure or to launch a direct cyber attack. By coming through your supply chain, the attack can be incredibly difficult and sometimes impossible for the employee to detect.
“However, if your supply chain has been compromised (customer or supplier) and the criminal has access to their email, your standard prevent and detect controls can be of little or no use. Authentication, authorisation and signature-based detection have all been compromised. Combined with the insider knowledge a hacked email account can provide an attacker, the communication patterns will not flag up anomalies.”
- AI social media information gathering will make phishing attacks almost undetectable
“AI is developing at a rapid rate, being applied to existing cybercriminal tactics. We expect to see AI being used to gather much more personal and business information from social media, enabling phishing attacks to become even more difficult to spot and almost undetectable. The days of grammatically bad phishing attempts are coming to an end,” said Martin Heart, MD at CyberShelter.
“This can become an issue for businesses, as collecting social information is just step one. Once credentials have been exfiltrated then further, monetised attacks can start to happen.”
- Increased uptake of two-factor authentication to reduce risk from AI threats
For Marcus Dempsey, Director at InfoSec Governance, he said: “This year there will be increased uptake of two-factor authentication within businesses, to reduce the risks posed by cybercriminals who are leveraging AI within attacks. This new and heavy reliance upon artificial Intelligence, as well as increasing phishing, requires additional layers of protection. Businesses are already fighting a losing battle against cyber-related attacks, the use of AI is only going to make discovering attacks harder.”
- A pronounced shift towards passwordless authentication
“There will be a pronounced shift towards passwordless authentication in 2024, propelled by a surge in new members aligning with the FIDO Alliance,” predicts Garry Brown, Managing Director at Bondgate IT.
“We have gone through iterations of increased user authentication security, with complex passwords and MFA becoming more commonplace, however, these protection mechanisms no longer offer the highest level of protection. The biggest challenge service providers face is validating that we are who we say we are and that the individual requesting access is genuine.
“2024 will herald the gradual obsolescence of conventional passwords, with passkeys or biometrics combining with time-based-one-time passwords used to authenticate users, replacing traditional passwords and SMS or email based MFA.”
- More believable ‘lookalike’ domains that play on human error
According to Jamie Robson, Professional Services & Cyber Security Manager – Aindale, he said there will be an “increase in the sophistication of cyber attacks” and include more believable ‘lookalike’ domains.
“Leveraging AI, domains will be created which are, visually, indistinguishable from genuine domains to deceive people using methods like the use of ‘Homographs’, ‘Combosquatting’ and ‘Typosquatting’. These exploit slight oversights in varying digital interaction methods and with the increase in sophistication, this will result in greater success for the attackers.
“These attacks don’t just impact the organisation at the time of the breach, there is potential downtime whilst remediation is completed. Most phishing attacks are targeting monetary gains directly and indirectly by persuading your clients to pay into incorrect bank accounts etc. They can also have a damaging effect on your brand reputation and can negatively impact consumer and partner trust.”
One thing all of the experts agree on is that awareness and training are key in the fight against cyber crime.
