Tuesday, 19 December 2023 It’s been a big year in cyber – big changes, big breaches, big impacts. Much of what we predicted last year has happened. Here’s what we said, what happened, and what we see coming in 2024. Last year we predicted increased insider threats and vulnerabilities, particularly those resulting from the human element – employees failing to recognise a phishing email, clicking a link, and opening the door to cyber criminals. Or worse, malicious action on the part of a disgruntled employee. We have seen these insider threats increase, but with an extra development in how cyber fraudsters are choosing their targets. As expected, we saw increased fraud, in line with economic downturn. In 2023 we saw fraud actors looking for new ways to recruit people who can facilitate fraudulent payments and other crimes in the digital space. Cyber threat actors have become skilled at stalking employees on social media and discovering who is unhappy in their work. They are then able to target those employees directly and offer them cash to provide a path into the organisation’s systems, often through a remote logon procedure. In 2023 we have been surprised by how often we have been called after employee departures. All too frequently, an employee leaves the organisation, but their access, including remote access, is not deactivated. The employee is then able to log onto the system to access data they should no longer be able to. This can result in the theft of IP or other confidential data like customer details. This type of incident is simple to prevent by cancelling access when the employee departs. Along with the escalation in insider threats, we expected an increase in the use of artificial intelligence (AI) in sophisticated deep fake phishing messages using voice and images of people known to the targets. We saw less of this than we expected but saw vast advances in the sophistication and quality of phishing messages in general. Thanks to AI like ChatGPT, poor spelling and grammar are no longer the tell-tale signs of phishing activity. This reason, amongst many, has resulted in governments around the world looking at how to better regulate AI, with the European Union (EU) agreeing to a so-called AI Act between EU member states in the final days of 2023. We forecasted greater targeting of essential infrastructure. This played out most notably in an attack on seaports around the country, which were shut down for several days. Other significant targets included telecommunications and healthcare, with hospitals and other health providers appearing regularly in notification lists, targeted for the wealth of personal information in their customer data. And we predicted tougher privacy laws to support data minimisation. While developments in furthering changes to the Australian Privacy Act have occurred, indicating that data minimisation and purpose limitation will be fundamental elements of the Australian privacy regime going forward, the legislation has not progressed to a vote. Nonetheless, there is broad acceptance that data is no longer ‘the new oil’. Instead, an increasing awareness of the risks that exist in holding too much information has seen organisations seeking to better understand the information they hold, retaining what they need and disposing what they don’t. What to watch for in 2024 So what can we expect in 2024? Not surprisingly, we expect the steady increase in breaches to continue, but not the proportionate increase in cybersecurity insurance premiums we have seen in the past. In fact, we are likely to see insurance premiums fall. Already, some global insurers are taking their own steps to help manage the cyber risk of those they insure. Instead of increasing premiums to cover rising claims, they are working to prevent incidents through offering support to policy holders by testing their systems and installing monitoring. By reducing the number of claims and the damage that results from a breach, they can reduce costs and as such reduce premiums. We expect continuing increases in the number, impact and cost of breaches overall. Additionally, we expect several large, notable breaches in the coming year. This will cause organisations to further question their own cyber preparedness and sharpen their focus on risk management in terms of cybersecurity, privacy and business continuity. The steady increase in incident numbers has prompted increased regulatory focus and we will see the impact of this in 2024, not just in the increase in regulations and mandatory reporting of breaches, but also greater regulatory scrutiny on compliance and investigations. This will result in more pressure on boards, and greater recruitment of people with cyber knowledge to boards. The United States Securities and Exchange Commission (SEC) has ruled that boards must include this expertise in their ranks and the Australian Securities and Investment Commission (ASIC) has made strong comments that it will take action against directors breaching their governance duties in regard to cybersecurity. As part of this heightened regulatory activity, we are likely to see the first judgment from litigation brought by regulators as well as an increase in class actions from those impacted by the consequences of cyber breaches. These may be shareholders whose investments lost value due to perceived negligence on the part of management of a listed entity, or large organisations’ customers whose personal details were stolen. As discussed earlier, the long-awaited overhaul of the Privacy Act is expected to be enacted before the end of 2024, bringing reforms that will increase penalties and provide a greater range of enforcement powers to the Office of the Australian Information Commissioner (OAIC). The reforms are also set to allow individuals to take direct action in the courts if their privacy is breached. Add to this increased Government activity and focus as a result of the 2030 Federal Cybersecurity Strategy released in November. As well as programs to help businesses protect themselves from cyber attack, the strategy includes a new focus on the professionalisation and skills of those who work in cybersecurity. The cumulative effect of these actions is to create an environment in which cybersecurity preparedness is mandatory, not just desirable, with actions taken by business leadership held to scrutiny both legally and morally. The focus on expert handling of cybersecurity is being stretched to include not just prevention, but also expert investigation when an incident occurs. Failure to meet these higher requirements is likely to result in punitive action, if not from the regulators, from other stakeholders through the courts. So in some ways, we can say 2024 will be the year of the cyber professional as the pressure on business leadership for compliance and better handling of breaches increases. Elevated regulatory pressure combined with the threat of class actions means businesses need to have their relationships in place before an incident occurs because there isn’t time to scramble for recommendations after the fact. That means a cyber lawyer, expert investigator, and crisis communications. Because year on year, we are seeing that when it comes to cyber breaches, it’s a matter not of if, but when.