InfoSecBulletin Cybersecurity for mankind
The World Economic Forum’s Global Cybersecurity Outlook 2024, produced in collaboration with Accenture, examines the cybersecurity trends that will affect economies and societies in the year to come. The report illuminates major findings and puts a spotlight on the widening cyber inequity and the profound impact of emerging technologies.
The report showed that discussions on resilience during workshops emphasized the importance of operational technology (OT) security.
CISA Flags Craft CMS Code Injection Flaw Amid Active Attacks
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
“Legacy systems were most pronounced in organizations with an operational technology (OT) footprint,” the WEF wrote in its Thursday report. “This issue becomes more apparent when looking at how responses differ between cyber and business leaders. Following on from the fact that the gap between cyber and business leaders is closing, the main conclusion of the GCO 2023 report, both groups said that resource or skills gaps were the highest barriers to cyber resilience (38% of business leaders and 32% of cyber leaders).”
Security leaders are mostly concerned about securing legacy technology (29%) and facing cultural resistance to change (25%). Business leaders, however, are less worried about these issues, with only 14% and 8% expressing concern, respectively. Both of these issues are related to resource and skills gaps.
The report emphasizes that security leaders believe the challenges they face can only be resolved if they have the right people and skills. However, business leaders find these challenges more manageable because they are not directly involved in day-to-day cyber resilience tasks.
Organizations are rapidly adopting new technologies like generative AI, but they are not updating their older systems at the same speed. As a result, they are increasing their technological footprint and adding risk. This can also make it harder for larger organizations to support and monitor smaller ones in their supply chain, which worsens inequalities.
The WEF report showed that some organizations are more cyber-resilient than others.t. “The number of organizations that maintain minimum viable cyber resilience is down 30%. While large organizations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline. More than twice as many SMEs as the largest organizations say they lack the cyber resilience to meet their critical operational requirements,” it added.
New technology will make existing cyber resilience challenges worse and widen the gap between highly capable and less capable organizations, according to the agency.“As organizations race to adopt new technologies, such as generative artificial intelligence (AI), a basic understanding is needed of the immediate, mid-term, and long-term implications of these technologies for their cyber-resilience posture.”
Fewer than 10% of respondents believe that generative AI will give an advantage to defenders over attackers in the next two years. Approximately half of executives are concerned about the impact of generative AI on cyber due to advances in adversarial capabilities such as phishing, malware, and deepfakes.
The report also focused on the cyber-skills and talent shortage that continues to widen at an alarming rate. Half of the smallest organizations by revenue say they either do not have or are unsure as to whether they have the skills they need to meet their cyber objectives. Only 15 percent of all organizations are optimistic that cyber skills and education will significantly improve in the next two years, while 52 percent of public organizations state that a lack of resources and skills is their biggest challenge when designing for cyber resilience.
These findings highlight the growing concerns surrounding the impact of new technology on cyber resilience. With the adoption of generative AI, organizations must be aware of the potential implications it has on their ability to defend against cyberattacks. Furthermore, the report emphasizes the alarming shortage of cyber-skills and talent, making it even more challenging for organizations to bolster their cyber resilience efforts.
WEF stated that the alignment between cyber and business is increasing. Organizations need to invest in and maintain essential security fundamentals. 29% of organizations reported being materially affected by a cyber incident in the past year. The biggest organizations consider transforming legacy technology and processes as the main barrier to cyber resilience.
93 percent of organizations that are leaders and innovators in cyber resilience trust their CEO to speak externally about their cyber risk. However, only 23 percent of organizations that are not cyber resilient have trust in their CEO’s ability to speak about their cyber risk.
WEF also found that cyber ecosystem risk is becoming more problematic. “For any organization, the partners in its ecosystem are both the greatest asset and the biggest hindrance to a secure, resilient, and trustworthy digital future. 41% of the organizations that suffered a material incident in the past 12 months say it was caused by a third party.”
54% of organizations don’t understand cyber vulnerabilities in their supply chain. 64% of executives, even if they believe their cyber resilience meets minimum requirements, still don’t understand their supply-chain cyber vulnerabilities. Additionally, 60% of executives think that cyber and privacy regulations decrease risk in their organization’s system, which is an increase of 21% since 2022.
In its conclusion, the WEF report said that the struggle to maintain high-quality – or even adequate – cyber-resilience capability is fast becoming a zero-sum game.
“The ability to cultivate best practices, to compete for sufficient talent and, in some cases, simply to afford the right tools and services, is increasingly determining which organizations win and which lose out,” WEF identified in its report. “As a result, the organization’s most lacking can least accomplish it. A secure supply chain requires all organizations to meet minimum viability for a truly secure ecosystem, but the inequity that exists today makes it vulnerable. Yet it does not have to be this way and there are many reasons to be optimistic about the near future.”
Practical cybersecurity practices are gradually making a difference, but there is still a need for change in the current direction.
“Otherwise, as seen throughout 2023, early adoption of new technology by leading-edge organizations, the struggle by those on the underside of the curve to keep pace with foundational capabilities for trust and security, and fragmented incentives within digital ecosystems will accelerate digital disparity in the coming years,” the WEF wrote in its report. “Furthermore, the interconnection of the digital economy makes it inevitable that the negative effects will compound, affecting everyone. Therefore, everyone needs to work together to encourage sustainable capability for the future – including developing the right priorities and organizational culture while providing for equitable access to talent, technology, and security tools.”
The agency emphasized that the most important responsibility is to improve systemic resilience by addressing inequalities and strengthening connections between organizations.
The WEF recently published guidelines for ensuring cybersecurity in the OT environment as digitalization and the merging of OT and IT environments increases. This is essential for keeping industrial operations, global economies, and infrastructures running.
