Cyber

Preview of 2024

by Mark Rowe

Lebin Cheng, Head of API Security at the cyber firm Imperva, writes that 2024 will be the year organisations finally wake up to API risks, after 2023 saw the ‘API explosion’ rumble on. To explain briefly, API stands for application programming interface, the rules that enable apps to communicate with each other.

“Research shows that the average business has hundreds of APIs in production, while some have more than a thousand. In 2024, organisations will come to terms with the fact that they need to take a more proactive approach towards securing their APIs.

“The challenge is many organisations don’t have the right defences or controls in place. They don’t know where their APIs are deployed or what data they’re accessing. This exposes them to risk in magnitudes that they cannot comprehend, or even begin to quantify. In 2024, as pressure to mitigate API-related security incidents continues to grow, security leaders will look for, and invest in, solutions that integrate seamlessly into their existing application security technology stack. This approach will give organisations a more coordinated and unified view of automated threats that target APIs and critical applications – many of which connect to data stores where the businesses’ data is located. In the coming years, this will force a new era of convergence in the security industry where API management and security are embedded within application security platforms.”

As for types of cyber-crime, Andrew Newell, Chief Scientific Officer at the identity authentication product company iProov, notes that CEO fraud is targeting at least 400 companies per day and poses a significant threat. “In this type of crime, attackers pose as senior company executives and attempt to deceive employees into transferring funds, disclosing sensitive information, or initiating other fraudulent activities. They often involve sophisticated social engineering attacks making them challenging to detect. Generative AI tools are now being widely used by fraudsters to create deepfakes to imitate a person. Bad actors can now create convincing AI-generated audio and imagery and deploy it across platforms including Zoom, Microsoft Teams, and Slack. Without sophisticated monitoring and detection tools, it’s almost impossible to detect this type of synthetic imagery. As such, we fully expect to see an AI-generated Zoom call lead to the first billion-dollar CEO fraud in 2024.”

“The focus has been on age verification, but as generative AI continues to increase in sophistication, more robust identity verification will be essential to ensure children are protected. Adding to the challenge will be the tricky balance of mitigating privacy risks and preserving a good user experience.

“Beyond age verification, we can also expect to see more organisations deploying real-time content monitoring and filtering, enhancing their parental controls, and initiating education and awareness campaigns to foster a safer digital environment in the year ahead.”

CISOs will begin to franchise cybersecurity, according to Guy Guzner, co-founder and CEO of Savvy, a cyber firm. “We are starting to see CIOs franchise digital delivery and co-lead, co-produce and co-deliver digital transformation initiatives. This evolving mindset will extend into the realm of security, where CISOs are poised to take on a more collaborative and co-owning role with CIOs and business unit leaders in the development and decision-making of security solutions. This departure from the sometimes adversarial relationship between CIOs and CISOs is indicative of a broader trend towards integrated governance.”

James Christiansen, VP, CSO – Cloud Security Transformation at Netskope, said that wars have historically played out on land, sea, and air, but the digital domain is fast emerging as the latest battleground. He said: “As we approach 2024 – and beyond – major geopolitical confrontations will increasingly involve cyber elements, elevating cybersecurity to a top priority for countries globally. Just as peace treaties are negotiated for conventional wars, 2024 may see proposals for “Cyber Peace Agreements” between nations.”

As for cyber people, a cyber detection and response services firm, Adarma, surveyed 500 cybersecurity professionals from UK organisations with over 2000 employees. It found that over half (51pc) of organisations believe their security operations staff are challenged, stressed, frustrated and/or exhausted, so it’s only a matter of time before mistakes are made, and some are burnt out and ready to quit; a phenomenon featured in the August 2022 print edition of Professional Security magazine.

John Maynard, Adarma’s CEO, said: “Cybersecurity professionals are typically highly passionate people, who feel a strong personal sense of duty to protect their organisation and they’ll often go above and beyond in their roles. But, without the right support and access to resources in place, it’s easy to see how they can quickly become victims of their own passion. The pressure is high and security teams are often understaffed, so it is understandable that many cybersecurity professionals are reporting frustration, burnout, and unsustainable stress. As a result, the potential for mistakes being made that will negatively impact an organisation increases. Business leaders should identify opportunities to ease these gaps, so that their teams can focus on the main task at hand, protecting the organisation.”

The security risk posed by a lack of skills, diversity, and the prevalence of poor mental health among cybersecurity teams exemplifies the real-world effects of burnout and talent shortages. The research found that over 40pc of cybersecurity leaders feel like they have limited capabilities and expertise to fully understand the threats they face, while a further 43pc say that they have some, little or no capabilities or expertise to detect and respond to potential threats in their IT. One in four (25pc) respondents stated that they have limited capability or expertise to respond effectively to an incident at all.

One of the best things that can be done for team capability and performance is to fill it with diverse and thoughtful individuals, Maynard added. “By diversifying the talent pool, new ideas flow and various perspectives can pave the way for innovation. Exploring non-traditional recruitment paths will help to further widen that talent pool by making careers in cybersecurity more accessible to a broader range of candidates. This could go a long way to easing the burden on overworked security teams while also providing opportunity for growth. Indeed, the well-being of the entire workforce, including the security department, must be prioritised and requires the right balance of reliance on technology and people. Ultimately, we want to see organisations strengthen their security defences, optimise resource allocation and invest in people’s capabilities. This will produce a strong overall security posture that can effectively protect against the evolving threat landscape.”

© 2024 Professional Security Magazine. All rights reserved.
