10 Cybersecurity Trends Emerging In 2024

When it comes to cybersecurity, things are never static.

So far, 2024 is consistent with this theme. We’re seeing a mix of familiar trends intensifying alongside startling new developments. From the cybersecurity skills crunch to AI-powered attacks, 2024 is shaping up to be a wild ride.

So which cybersecurity trends matter most?

How can your organization stay on top of them—particularly if you’re not working with a managed cybersecurity services provider?

Here’s everything we’re seeing so far.  

1. It’s almost impossible to hire (and retain) cybersecurity professionals

There’s a significant shortage of skilled professionals working in cybersecurity. The demand for these professionals is simply growing faster than the pool of available talent. As Thomson Reuters explains, 92% of cybersecurity professionals report a gap in skills at their organization—while 54% claim that the gap has gotten worse in the last few years.

Just how fast is this demand growing?

The U.S. Bureau of Labor Statistics projects job growth of 32% for cybersecurity professionals between 2022 and 2032. For reference, that’s 10x more than the average growth rate of all jobs, which is 3%.

How fast are salaries growing?

That’s hard to boil down to a single number. However, check out this Reddit thread in which cybersecurity professionals discuss the raises they’ve been offered—and the new jobs they’ve taken instead. While the evidence here is anecdotal, the stories provide a feel for the state of the cybersecurity job market. Nothing sums it up better than this statement from one of the commenters:

“I got a 100% raise in 2021. I quit my job and changed companies.

That’s the best way to keep up with inflation. Jump companies every few years. I’m not happy about it, but it’s the harsh reality.”

This situation makes it increasingly difficult to hire and retain cybersecurity professionals in-house. Organizations have two options for dealing with this challenge.

• Investing in training their existing IT staff to deal with cybersecurity on a professional level. This may offer a short-term fix, but it can also backfire. Skilled cybersecurity professionals are in high demand, whatever route they take to get there. An IT professional who gains significant cybersecurity experience can likely find a higher-paying job elsewhere.
• Outsourcing cybersecurity services. For many organizations, it simply makes more sense to partner with an MSSP (managed security services provider), or a combined MSP/MSSP who handles both IT and cybersecurity. This provides guaranteed attention from cybersecurity professionals without the challenge of frequent churn among staff hires.   

If we had to pick one trend that’s dominating 2024, this is it. Cybersecurity professionals are just too hard to find when you hire in-house—and you need them more than ever.

2. Generative AI is taking center stage… both for good and evil

No doubt about it, AI is here to stay.

The technology is getting more sophisticated all the time. Unfortunately, this gives cybercriminals all kinds of new ways to mount attacks enabled by AI.

What kind of attacks are we talking about?

So far in 2024, we’re seeing:

• AI-driven phishing attacks. Generative AI gives cybercriminals the ability to send highly convincing phishing messages (more on that below).
• Deepfake social engineering attacks in which cybercriminals use AI to impersonate a real human being, manipulating the victim into taking action. This can take many forms, including AI voice impersonation, video impersonation, and more.
• Automated malware that intelligently adapts to evade detection. We haven’t seen this level of sophistication in malware before. It’s a significant development that’s pushing AI advancement in cybersecurity defenses (more on that in a moment).
• AI-powered password attacks. AI allows cybercriminals to process vast amounts of data. This means they can guess billions of passwords—until they find the one that works.
• AI-powered vulnerability scanning. Just as AI gives cybersecurity professionals an edge in detecting vulnerabilities, it can help criminals find the same vulnerabilities.

This list only scrapes the surface. Almost any type of cyberattack can be executed with AI, whether in whole or in part.

That’s the bad news. Now the good news!

AI gives cybersecurity professionals an incredible advantage in fighting cyberattacks. Specialized AI solutions can detect, evade, and neutralize threats through processes like real-time anomaly detection, smart authentication, and automated incident response.

In other words, AI is becoming central to modern cybersecurity. If this is a game of chess, then AI is the queen, offering powerful strategic advantages to the parties who use it best.

Add this challenge to the staffing challenge, and it’s even harder for midmarket organizations to handle cybersecurity in-house. The good news is that the best MSSPs stay on top of AI developments in cybersecurity, using the most advanced tools to fight emerging threats. As 2024 progresses, we expect this trend will only become more prominent.

3. Phishing attacks are getting more sophisticated

This trend is related to the previous one. Generative AI tools like ChatGPT make it far too easy for hackers to write better messages for phishing and smishing (i.e. phishing via SMS message).

Before the arrival of generative AI, we could train employees to look for misspelled words and obvious grammatical errors as the first way to detect a dangerous message.

ChatGPT and similar tools have changed that forever.

Now cybercriminals can send messages in clear, error-free English—even if they don’t speak or write the language themselves.

But clear communication isn’t the only advantage that phishers are getting from AI.

The most effective forms of phishing are highly personalized, targeting individuals with details drawn from their lives. Personalized messages take more time and energy to create and send. AI acts as a force multiplier in personalized phishing, allowing hackers to produce and send more personalized attacks than they ever could without it.

How can organizations deal with this trend?

Companies should focus on cybersecurity awareness training across the entire organization. Human users are the weakest link in any cybersecurity program, and phishing targets this weakness. Awareness is the answer—but it’s not enough to train people once and move on. Phishing attacks are always evolving, and smart organizations are implementing programs that provide continuous training at regular intervals. This is the only way to stay ahead of phishers—particularly now that they have AI at their disposal.

4. Cybersecurity is getting the attention of the CFO… and the board

Gartner believes that by 2026, “70% of boards will include one member with cybersecurity experience.”

If this is a startling stat, consider how we got here.

• IBM reports that the average cost of a data breach is $4.45M. For midmarket organizations, that’s a devastating loss.
• The University of North Georgia estimates that 54% of companies have experienced at least one cyberattack in the last 12 months.

In other words, cybersecurity has a direct impact on profit and loss—and that impact is becoming more widespread in the market.

In fact, smart companies are treating cybersecurity breaches like loss prevention in retail. Statistics indicate you should assume a certain amount of shrinkage in retail, and that needs to be modeled financially (and accounted for in the budget).

Cybersecurity is no different. CFOs and boards are now starting from the assumption that a breach will happen.

When they do this, they find themselves needing to calculate the ROI (or ROSI, return on security investment) of cybersecurity controls.

When they go to calculate cybersecurity ROSI, they find that estimated loss avoided far outweighs the cost of the controls when those controls are sourced from an MSSP (managed security service provider). Learn more here: FREE Cybersecurity ROSI Calculator.

At a high level, the takeaway is clear. Cybersecurity is now a board-level concern. We expect this trend to only intensify throughout 2024.  

5. IoT cyber attacks are getting more sophisticated

The internet of things (IoT) provides an ever-growing opportunity for cybercriminals. With more and more smart devices, vehicles, building systems, machines, and similar objects connected to the internet, IoT represents a significant cybersecurity concern for companies with inadequate controls.

As with every other type of attack, IoT attacks come in numerous forms.

• Malware attacks. IoT devices typically lack the sophisticated security controls of more complex computers. They simply don’t have the storage or processing power needed for such controls. This makes them great targets for malware attacks. This is typically seen in the installation of malware on multiple IoT devices, creating a botnet that attackers can use for things like DDoS attacks (which, by the way, can also happen to IoT devices).
• DDoS (distributed denial of service) attacks. If an IoT device gets overwhelmed with network traffic, it can’t function. DDoS gives hackers an easy way to take down a critical device and hold it for ransom or disrupt operations for a strategic purpose.
• Ransomware attacks. DDoS isn’t the only way hackers can hold an essential device for ransom. With their limited security controls, IoT devices are particularly vulnerable to this type of attack.
• Zero-day attacks. As with any other type of software, the systems that run on IoT devices may contain unknown vulnerabilities. If a hacker discovers a vulnerability before the device vendor does, they can exploit that vulnerability in a zero-day attack.
• Firmware attacks. Firmware controls a device’s hardware, which makes firmware attacks especially dangerous. Hackers can modify firmware to make a device behave outside the scope of the original design—or simply render the device inoperative.

As IoT devices become more and more common, organizations are realizing that they must manage these devices from a cybersecurity perspective. Given the scarcity of professional resources in cybersecurity, that’s getting harder—even as the IoT attack surface grows larger and larger.

Unfortunately, many organizations aren’t prepared for this emerging trend. We expect it to become a more significant issue this year.

6. The conversation is shifting to cyber resilience

As cybersecurity gains greater visibility across the organization, stakeholders are realizing that it’s impossible to create 100% bulletproof security.

The attack surface is so complex—and evolving so fast—that no single system can give you 100% visibility into your cybersecurity status. Likewise, no single tool can prevent attacks.

As we said above, leaders are starting to view cyber breaches like loss prevention. Likewise, the conversation is shifting away from 100% bulletproof security. Rather, leaders are realizing that cyber resilience is far more valuable to pursue—and realistic to achieve.

So what does this mean?

Cyber resilience measures are designed to ensure continuity of operations, even in the wake of a successful breach. The goal is to develop the ability to recover fast, minimizing data loss and downtime in an agile manner.

The focus on cyber resilience is a key trend for 2024. We’re seeing organizations waking up to their need for processes, policies, tools, and professional resources to make them resilient.

7. Less-than-Zero Trust

The Zero Trust framework is fundamental to a modern view of cybersecurity. In its essence, it states that there is no perimeter within which you can assume network activity is safe.

Rather, you should assume every device and every user are unsafe until they’ve verified their identity.

While Zero Trust is nothing new in 2024, it is evolving. Several factors are pushing Zero Trust beyond the bounds of the corporate network.

• Remote work. Whether employees use corporate devices or their own, remote work adds new complexity and risk to Zero Trust initiatives.
• Partnered organizations. The increasing complexity of business relationships, coupled with collaboration and data sharing needs, makes it more difficult than ever to define where the corporate network and datasphere end. This makes Zero Trust more difficult to implement.
• IoT devices. As we covered above, IoT devices come with unique cybersecurity vulnerabilities. A comprehensive approach to Zero Trust must account for these devices.

For all these factors, midmarket organizations sometimes struggle to implement Zero Trust. This is one of many reasons they turn to an MSSP.

8. Cyber warfare and state-sponsored cyberattacks

Russia’s war against Ukraine has exposed the extent to which states are willing and able to deploy cyberattacks against infrastructure targets, whether military or civilian. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) puts it this way:

“Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.”

Unfortunately, no organization is immune to state-sponsored attacks—and Russia isn’t the only country from which these attacks originate. According to ClearanceJobs, the top 5 nations conducting the most cyberattacks are China, North Korea, Iran, Russia, and—believe it or not—the United States.

While US-based organizations don’t need to worry about US military cyber operations, any American organization can become the target of a state-sponsored attack.

What do these attacks look like? Here are the ones we see the most.

• Phishing attacks designed to gain access to systems for the purpose of disruption and espionage (both political and economic).
• DDoS attacks intended to disable communications, public utilities, transportation, and security infrastructure.
• Attacks on election infrastructure and democratic processes, as countries such as the US, UK, and India will all hold major elections in 2024.

State-sponsored attacks are varied and constantly evolving. All in all, we expect these attacks to remain a significant cybersecurity trend in 2024 as geopolitical tensions continue.

9. Soft skills are becoming increasingly essential for cybersecurity professionals

Cybersecurity has never been an exclusively technical discipline. The need for interpersonal skills, relationship-building, and cultural sensitivity is nothing new. 

However, as cybersecurity gains a higher profile in organizations of all sizes—and as C-suites and boards make it a strategic priority—the execution of cybersecurity is getting more and more complex.

It’s one thing to turn on MFA (multi-factor authentication) for all company email accounts.

It’s another thing to prepare the organization for this transition—and to make sure every email user understands their role in cybersecurity.

Email is only one example. Whenever an organization implements new cybersecurity controls, real people experience an impact in their work. The most skilled cybersecurity professionals seek to understand this impact in the planning phase of an implementation. They also include processes and communication touchpoints for bringing all stakeholders on board and equipping them for success.

In other words, the need for soft skills is emerging as a key trend in 2024.

10. Increasing prominence of cybersecurity regulation

With the general rise in cyberattacks, particularly those sponsored by world governments, calls for cybersecurity regulation are gaining increased attention.

In the UK, businesses have until April 2024 to comply with the Product Security and Telecommunications Act, which sets out the minimum security requirements that networked products must adhere to.

Of course, the US still does not have a single, comprehensive federal law covering cybersecurity and data privacy. However, every organization must still understand the applicable state-level cybersecurity laws that may apply to their operations—as well as industry-specific regulation like HIPAA. All in all, the cybersecurity regulation landscape is getting more complex. It remains a strong factor that influences all cybersecurity trends in 2024.

Moving forward: Staying on top of cybersecurity trends

Every midmarket organization needs to stay on top of evolving cybersecurity trends. But that’s where the challenge arises. IT teams are already strapped—yet the burden of cybersecurity is only increasing.

Companies that struggle with cybersecurity are increasingly turning to MSSPs to get the comprehensive protection they need. The key, though, is to find an MSSP who not only notifies you of incidents but also remediates them. Here at Corsica Technologies, we cover cybersecurity and IT managed services from top to bottom. You get a single team handling all things cyber, IT, and digital transformation—which means security is baked right into every system and technology initiative at your organization. It’s the best way to keep your business secure.

Want to learn more about cybersecurity trends affecting your business?

Reach out to schedule a consultation with our cybersecurity specialists.

Schedule Now