Magazine menu Close Magazine menu

Safer business

Growing cyberthreats for business leaders to keep on top of in 2024

In 2023, the speed of changing technology reached fever pitch, with AI and metaverses taking center stage. And it’s brought in a new threat landscape for 2024.

Author

Suraya Casey

Art by

GettyImages

Published on

Dec 29, 2023

minute read

Share article

Art by

GettyImages

Share article

Cybersecurity predictions 2024, a bright bridge leads to the darkness

Just as things seemed to be settling down post-pandemic, 2023 turned out to be a year of global political upheaval, conflict and climate catastrophe. Recession impacts and rising prices for business basics like electricity have seen closures rise and start-ups decline. Congratulations are in order if your organization still has its head above water.

The last thing any business needs in 2024 is a highly damaging and costly cyberattack or data leak. IBM’s 2023 Cost of a Data Breach report found, “The average cost of a data breach reached an all-time high in 2023 of 4.45 million US dollars,” having increased over 15 percent in the past three years.

Keeping track of how cyberthreats are changing and adjusting your cybersecurity strategy and resourcing accordingly will help businesses avoid the punishing cost of a breach. Here are some of the changing and new threats Kaspersky researchers think you should prepare for in 2024.

AI-related threats

AI and other interconnected technologies – think augmented reality (AR,) 6G, data spaces and more – made a huge splash for business in 2023, and we’ll soon be releasing some exciting new research about the impact of their widespread adoption. On top of that, we think these changes will loom large for AI in 2024:

1.    AI tools will make scams more convincing

Scammers use many techniques to get past our defenses. AI tools can now effortlessly create stunning images, even designing whole landing pages. Malicious actors will, of course, use these to craft more convincing materials for fraud, like fake marketing emails and login screens. Expect fraud-related cyberthreats to increase.

insight story, ethical and ai, robot communicates with people

Related article

As AI’s influence rapidly expands, here’s how business ethics must keep up

When AI can make or break your business, how do you harness its power while staying within ethical boundaries?

  • Artificial intelligence
  • min read
    • We live in a world where algorithms can make decisions and data fuels innovation. It means ethical considerations are more critical than ever for business. They must balance using new technology to increase competitive advantage while preserving integrity and protecting customers. In our podcast Insight Story, experts Tomoko Yokoi (Switzerland,) senior business executive and researcher at Global Centre for Digital Business Transformation, IMD Business School and Andy Crouch (UK,) consultant and co-founder of ethical-AI natural language processing company, Akumen, outline how AI biases can impact business and what steps they can take to ensure its fairness. Kaspersky Global Research and Analysis Team's Dr. Amin Hasbini expands on the privacy and responsible data use implications. Not all AI is created ethically equal Andy's company Akumen found a problem that needed solving. "Scores out of five are useful, but we wanted insight from written responses like product reviews, and there was no way to do it. The team created an AI solution to identify meaning like topics, emotions and sentiment. Sentiment measures opinion – positive, negative or neutral – but emotions drive behavior. It works on text feedback anywhere, which might be about consumer goods, healthcare or anything else." Their approach uses AI differently from generative AI tools like ChatGPT. "Our AI is rule-based, human-created and human-curated. It's completely transparent and there are no algorithms as with large language models. We can dive in and make rules more nuanced if we recognize bias. With large language models, that would be complex and expensive." Andy expands on generative AI's limits for truly understanding people. "We asked ChatGPT how many emotions humans experience – it said 138,000. That doesn't help us understand what drives behavior. Our platform has 22 emotions – enough to see what drives behavior. Through our partner, Civicom, we're helping the UK's national health service (NHS) to understand what patients and staff experience." And that understanding can improve lives: Larger language models use big data pools, but there are also more contained, enterprise-level tools like ChatGPT Enterprise that businesses can furnish with their own data and control how they use it. Tomoko sees enterprise-level tools as useful but notes they can't do what big data can do. "Organizations are developing new functions around AI, like data annotators, who clean data before it goes into models. But is it foolproof? The beauty of using data from everywhere is it gives you insights you otherwise wouldn't get." Choosing ethical suppliers Luckily for companies using AI ethically, more businesses are adopting digital responsibility policies and choosing ethics-first suppliers. Tomoko gives an example. "Deutsche Telekom has been a pioneer in AI ethics. They've trained all employees to ensure AI ethics are distributed throughout the organization. At the same time, they have about 300 suppliers and ensure it's in all their contracts. So it goes beyond the boundaries of the company." But many businesses don't know where to start. Tomoko says, "Over 250 companies have committed to AI ethics, but codified mechanisms only help if they change behavior. How can we live these principles and ideals? External experts can help, and there's a case for individuals taking responsibility, which will have a collective impact." She suggests how companies frame AI ethics matters. "You can see AI ethics as value or as compliance. If it's compliance, it will be cost- or risk-driven. But AI ethics could also be a competitive advantage." Andy compares AI ethics to health and safety. "If you have a health and safety director, it's only one person's responsibility. Change won't happen unless everyone understands health and safety's importance, and especially that it drives productivity and revenue." The competitive advantage is real. McKinsey research found 72 percent of customers considered a business's AI policy before making an AI-related purchase. Tomoko highlights the importance of backing up policies with action. Which AI issues should companies care about? Tomoko outlines three places to look. "First, consider the software development lifecycle. If you're considering developing an AI product, think of how it's designed. Look for bias in the data. "Second, once it's being developed, although many companies say they're implementing AI ethics, people developing AI-driven products don't know how to apply those principles. So, look at how people use ethical principles in day-to-day software development. "Third, we test products in controlled environments. Once it launches, ask who is monitoring it and how we ensure it doesn't gather bias and that people use it correctly." Tomoko is part of IMD Business School and knows that what future executives learn about AI ethics will shape future companies' ethical behaviors with AI. She says, "First, we say everyone has a responsibility to these issues that goes beyond the company. You need to be aware of this responsibility, but also be able to make others in your team aware." Secondly, "What type of organizations do we want to build? We coach people to be able to handle multiple goals – not only profit but also social, environmental and ethical goals. We want them to walk away thinking of the future." Andy drills down into the data AI is using. "Understand how the AI model is built. Is the data you're analyzing through that AI model ethically sourced, and are you using it ethically? The lack of transparency over large language models is rife for ethical risk and bias." AI training data bias can have life-threatening impacts. Poor AI translations have been found to be jeopardizing asylum claims. Andy sees retrieval-augmented generation (RAG,) which uses more proofed datasets, as part of the solution. Can we have secure and well-regulated AI? Dr. Amin Hasbini. Head of Research Centre, Middle East, Turkey and Africa for Kaspersky Global Research and Analysis Team, thinks AI ethical standards are needed. "AI won't self-define its ethics. They must be programmed with ethical standards." Since there is almost no way the public can evaluate, critique or improve AI ethics, regulation must play a part, according to Amin. "We need security and safety by design, and continuous verification of it. That would require transparency, especially from big tech vendors, and letting the public influence how these technologies develop." He likens the challenge to that of regulating social media. "We're asking people to adopt technologies that can do much damage without giving them ways to ensure that doesn't happen. The same has happened before with social media, with it being used for data leaks and fake news. European Union regulation is moving fast around AI, but AI could be much more dangerous than social media – we need rules now." For improved ethical data use, Amin recommends asset management controls. "If well deployed, asset management controls allow data to be classified, including which is available to AI, which can be shared publicly and which needs to stay inside the organization." Andy says regulation is hard in this fast-moving space because no one knows what's coming next. "I question anyone saying they know what will happen in the next six months or beyond. But there's a lot of fear and lobbying going on – so go slow. If your AI-driven capability can't deliver because it's non-compliant, ethically or otherwise, it will be damaging." However, he believes regulation is necessary. "It will be interesting to see how they regulate something that's not easily defined and morphs quickly, but we must protect those who need protecting." Kaspersky has recently proposed six principles for ethical use of AI in the cybersecurity industry with transparency at the core. Getting started with AI ethics Our experts have straightforward advice for those business executives yet to approach AI ethics. Tomoko says, "As a mindset, remember the analog and digital worlds are the same. Your analog-world values should extend into the digital world." Andy highlights the need for both widespread knowledge and deep expertise. "Get your whole team conversant with AI, but have a well-informed friend who lives and breathes this stuff to call when there are challenges." With headlines about AI taking our jobs and AI founders like Geoffrey Hinton sounding the alarm on unregulated AI perils, it's easy to write off AI ethics as a problem too hard to fix. But these complex issues need priority. There are green shoots of change. In December 2023, the AI Alliance launched to focus on developing AI responsibly, including safety and security tools. Its 50 members include Meta, IBM, CERN and Cornell. The message may be, 'Let's not move too fast and not break things.' With OpenAI, creators of ChatGPT, not invited to the party, could the tortoise of collective corporations beat the nimble hare of innovation? AI gives business potential for great gains but comes with great risks to reputation, security and privacy. With strong ethical AI policies translated into action and widespread knowledge among employees, businesses can have more confidence to take advantage of AI's many benefits.

What to do about it: Improve your employee cybersecurity awareness education to help them become more vigilant to potentially fraudulent content. Use robust antivirus software to block scam emails and warn about suspicious websites.

2.    Concerns about pre-trained AI models will rise

As more organizations start using AI chatbots and large language models (LLMs) to help professionals with their work, privacy and security concerns around the data fueling these models will rise, especially in large businesses that deal with a lot of information. And for good reason – training common LLMs often relies on public datasets containing sensitive information, raising uncertainty about whether corporate data fed into these models will stay confidential or be used to train the model further.

What to do about it: Businesses must adopt policies limiting how employees can use AI products and educate staff about these policies to reduce the risk of data leaks. They may also adopt Private Large Language Models (PLLMs) – these models are trained only with datasets owned by the organization using them.

3.    AI regulation will ramp up

More countries and international organizations will join efforts to regulate AI in the coming year, especially African and Asian nations that are engaged in discussions but haven’t yet begun regulating AI domestically. Those already involved will expand regulation, adopting more specific rules, for example, around creating training datasets and using personal data.

With their experience developing and using AI, businesses can offer invaluable insight for discussions on AI regulation. Policymakers worldwide are actively seeking input from businesses, academia and the public on shaping AI governance.

In 2023, the Bletchley Declaration promoted greater uniformity in AI regulation. But with rising geopolitical tensions, cooperation between countries may reduce, derailing efforts to keep it consistent.

What to do about it: Ensure your business is staying ahead of developments in regulation and planning for how it will comply. Take opportunities to get involved in developing AI regulation.

More 2024 AI security predictions from Kaspersky researchers

Financial services threats

4.    Fraudsters will target direct payment systems

Cybercriminals will exploit increasingly popular direct payment systems like Brazil’s Pix, the US’s FedNow and India’s UPI for fraud. We’ll also see more clipboard malware – malware that steals data users copy to their clipboard – designed to attack new direct payment systems. Mobile banking trojans will increasingly exploit these systems as a quick and efficient means of cashing out ill-gotten gains.

What to do about it: Direct payment systems have enormous benefits for business but must be appropriately secured. Businesses can also educate customers to help reduce their likelihood of accidentally downloading clipboard malware or mobile banking trojans – often disguised as legitimate apps in trusted app stores.

5.    Mobile Automated Transfer Systems (ATS) will spread worldwide

Mobile Automated Transfer System (ATS) attacks are fairly new and involve banking malware making fraudulent transactions when the user logs in to their banking app. Mobile ATS has only been seen in Brazilian malware types but could go global in 2024.

What to do about it: Those who make banking apps must ensure their security is capable of defending against Mobile ATS.

6.    Brazilian banking trojans will also keep spreading

Cybercrime originating from Brazil is well-known to be growing. As many Eastern European cybercriminals have shifted focus to ransomware, Brazilian banking trojans will fill the void left by desktop banking trojans. Trojan Grandoreiro has already targeted more than 900 banks in 40 countries.

Grandoreiro attacks start with a malicious link in a phishing email, including fake shared documents, utility bills and tax forms. It then harvests data using keyloggers, screen-grabbers or overlays on online banking login pages.

What to do about it: Despite the growing sophistication, cybersecurity awareness education still helps employees and customers avoid falling prey to phishing. Businesses must also make sure users feel comfortable reporting their suspicions.

More financial services cybersecurity predictions for 2024

Advanced persistent threats

7.    Creative exploits of wearables and smart devices will grow

In 2023, Kaspersky discovered Operation Triangulation – a stealthy new espionage campaign targeting Apple devices. Kaspersky’s investigation found five vulnerabilities in Apple’s operating systems that affect everything Apple – from smartphones to wearable devices to smart home gadgets like Apple TV and Apple Watch.

In 2024, we’ll see more advanced attacks on consumer devices and smart home technology, including other operating systems.

Devices like smart home cameras and connected car systems are attractive for threat actors because of their surveillance potential and tendency to run on outdated software, which makes them easier to attack.

What to do about it: Secure your business Internet of Things (IoT) devices and ensure that if they don’t need to connect to the internet, they don’t.

8.    Supply chain attacks-as-a-service: Bulk-buying access

There is a growing trend of attacking businesses through their suppliers. Small and medium companies that may lack advanced protection become gateways for hackers to access the data and infrastructure of big players. 2022 and 2023 saw breaches through identity management company Okta, which serves over 18,000 customers worldwide.

What to do about it: Supply chain attacks expert Eliza-May Austin has great advice on preventing supply chain attacks in this Tomorrow Unlocked video:

9.    More attacks on Managed File Transfer systems

Managed File Transfer (MFT) systems that let businesses securely exchange sensitive information with partners have become a cornerstone of organizational efficiency. But housing confidential information like intellectual property, financial records and customer data puts them in the crosshairs of cyber adversaries.

MFT systems’ intricate architecture and integration into business networks also means potential security weaknesses. In 2023, MFT system incidents involving MOVEit and GoAnywhere confirmed this.

What to do about it: Undertake comprehensive reviews of your MFT solutions to identify and reduce security weaknesses. Implement robust Data Loss Prevention (DLP) solutions, encrypt sensitive data and build a cybersecurity awareness culture among employees.

More advanced persistent threat predictions for 2024

With attention to where threats will likely grow, the year ahead need not be daunting for business. From getting ahead of AI regulation to improved cybersecurity awareness education, organizations of all sizes can stay secure even as threats grow.

Keywords

Kaspersky Enterprise Cybersecurity

Regularly assessed by independent industry experts, our solutions have won hundreds of awards and substantial recognition.

See solution

About authors

Suraya Casey

Suraya Casey is a freelance writer, editor and content strategist based in New Zealand. Her interests include cybersecurity, technology, climate, transport, healthcare and accessibility.

More articles by Suraya

Suggested articles

by Innovating leaders.
Innovative tech.
About Secure Futures

Secure Futures magazine is your go-to business guide for opinions, trends and insight into the world of technology and cybersecurity. We help your business to bring on the future. Brought to you by Kaspersky, the global cybersecurity experts.

  • For all other countries