Were We Right? Revisiting Our 2024 Cybersecurity Trend Predictions
Table of Contents:
- Prediction #1: Increasing Regulation of AI and Machine Learning (ML)
- Prediction #2: Increasing Complexity of Ransomware
- Prediction #3: Expansion of IoT and Associated Risks
- Prediction #4: The Importance of Zero Trust Architectures
- Prediction #5: A More Global Approach to Regulations and Compliance Requirements
- Prediction #6: Greater Regulation of Supply Chain Security
- So, Were We Right?
Ah, 2024—a year that served us a heady cocktail of cyber drama, regulatory breakthroughs, and the occasional ransomware headache. We made some bold cybersecurity predictions in late 2023, armed with a metaphorical crystal ball (and copious amounts of coffee). Now it’s time to fess up. Did we nail it? Were we close? Or did we miss the mark entirely?
Grab a cup of tea—or maybe something stronger—and let’s dive into the good, the bad, and the “wow, we actually predicted that!” moments of 2024.
Prediction #1: Increasing Regulation of AI and Machine Learning (ML)
What We Said: 2024 would be the year governments and businesses woke up to the need for transparency, accountability, and anti-bias measures in AI systems.
The year didn’t disappoint when it came to AI regulation. The European Union finalised the groundbreaking AI Act, marking a global first in comprehensive governance for artificial intelligence. This ambitious framework introduced sweeping changes, mandating risk assessments, transparency obligations, and human oversight for high-risk AI systems. Across the Atlantic, the United States demonstrated it wasn’t content to sit idly by, with federal bodies such as the FTC proposing regulations to ensure transparency and accountability in AI usage. These initiatives set the tone for a more responsible and ethical approach to machine learning.
Meanwhile, ISO 42001 quietly emerged as a game-changer in the compliance landscape. As the world’s first international standard for AI management systems, ISO 42001 provided organisations with a structured, practical framework to navigate the complex requirements of AI governance. By integrating risk management, transparency, and ethical considerations, the standard gave businesses a much-needed roadmap to align with both regulatory expectations and public trust.
At the same time, tech behemoths like Google and Microsoft doubled down on ethics, establishing AI oversight boards and internal policies that signalled governance was no longer just a legal box to tick—it was a corporate priority. With ISO 42001 enabling practical implementation and global regulations stepping up, accountability and fairness in AI have officially become non-negotiable.
Prediction #2: Increasing Complexity of Ransomware
What We Said: Ransomware would become more sophisticated, hitting cloud environments and popularising “double extortion” tactics, with Ransomware-as-a-Service (RaaS) becoming mainstream.
Sadly, 2024 proved to be another banner year for ransomware, as attacks became more sophisticated and their impacts more devastating. Double extortion tactics surged in popularity, with hackers not just locking down systems but also exfiltrating sensitive data to increase their leverage. The MOVEit breaches epitomised this strategy, as the Clop ransomware group wreaked havoc on hybrid environments, exploiting vulnerabilities in cloud systems to extract and extort.
And the business of ransomware evolved, with Ransomware-as-a-Service (RaaS) making it disturbingly easy for less technically skilled criminals to enter the fray. Groups like LockBit turned this into an art form, offering affiliate programs and sharing profits with their growing roster of bad actors. Reports from ENISA confirmed these trends, while high-profile incidents underscored how deeply ransomware has embedded itself into the modern threat landscape.
Prediction #3: Expansion of IoT and Associated Risks
What We Said: IoT would continue to proliferate, introducing new opportunities but also leaving industries struggling to address the resulting security vulnerabilities.
The Internet of Things (IoT) continued to expand at a breakneck pace in 2024, but with growth came vulnerability. Industries like healthcare and manufacturing, heavily reliant on connected devices, became prime targets for cybercriminals. Hospitals, in particular, felt the brunt, with IoT-driven attacks compromising critical patient data and systems. The EU’s Cyber Resilience Act and updates to the U.S. Cybersecurity Maturity Model Certification (CMMC) framework sought to address these risks, setting new standards for IoT security in critical infrastructure.
Still, progress was uneven. While regulations have improved, many industries are still struggling to implement comprehensive security measures for IoT systems. Unpatched devices remained an Achilles’ heel, and high-profile incidents highlighted the pressing need for better segmentation and monitoring. In the healthcare sector alone, breaches exposed millions to risk, providing a sobering reminder of the challenges still ahead.
Prediction #4: The Importance of Zero Trust Architectures
What We Said: Zero Trust would go from a buzzword to a bona fide compliance requirement, particularly in critical sectors.
The rise of Zero-Trust architecture was one of the brightest spots of 2024. What began as a best practice for a few cutting-edge organisations became a fundamental compliance requirement in critical sectors like finance and healthcare. Regulatory frameworks such as NIS 2 and DORA have pushed organisations toward Zero-Trust models, where user identities are continuously verified and system access is strictly controlled.
Major players like Google and JPMorgan led the charge, showcasing how Zero-Trust could be scaled to meet the demands of massive, global operations. The shift became undeniable as Gartner reported a sharp increase in Zero-Trust spending. The combination of regulatory pressure and real-world success stories underscores that this approach is no longer optional for businesses intent on securing their systems.
Prediction #5: A More Global Approach to Regulations and Compliance Requirements
What We Said: Nations would stop working in silos and start harmonising regulations.
Our prediction on global regulatory harmony felt almost prophetic in some areas, but let’s not pop the champagne just yet. In 2024, international collaboration on data protection did gain traction. The EU-US Data Privacy Framework and the UK-US Data Bridge were notable highlights at the end of 2023, streamlining cross-border data flows and reducing some of the redundancies that have long plagued multinational organisations. These agreements were a step in the right direction, offering glimpses of what a more unified approach could achieve.
Despite these frameworks, challenges persist. The European Data Protection Board’s review of the EU-U.S. Data Privacy Framework indicates that while progress has been made, further work is needed to ensure comprehensive personal data protection.
Additionally, beyond these advances lies a growing patchwork of state-specific data privacy laws in the U.S. that further complicates the compliance landscape for multinational organisations. From California’s CPRA to emerging frameworks in other states, businesses face a regulatory labyrinth rather than a clear path.
Meanwhile, divergence between Europe and the UK on privacy and data protection standards continues to widen, creating additional hurdles for organisations operating across these regions.
This fragmented approach underscores why global frameworks like ISO 27001, ISO 27701, and the recently introduced ISO 42001 are more critical than ever. ISO 27001 remains the gold standard for information security, providing a common language that transcends borders. ISO 27701 extends this into data privacy, offering organisations a structured way to address evolving privacy obligations. ISO 42001, which focuses on AI management systems, adds another layer to help businesses navigate emerging AI governance requirements.
So, whilst steps toward greater alignment have been taken, the global regulatory landscape still falls short of its potential. The continued reliance on these international standards provides a much-needed lifeline, enabling organisations to build cohesive, future-proof compliance strategies. But let’s be honest: there’s still a lot of room for improvement, and regulators worldwide need to prioritise bridging the gaps to truly ease compliance burdens. Until then, ISO standards will remain essential for managing the complexity and divergence in global regulations.
Prediction #6: Greater Regulation of Supply Chain Security
What We Said: Supply chain security would dominate boardroom agendas, with SBOMs (Software Bill of Materials) and third-party risk management taking centre stage.
Supply chain security remained a top concern in 2024 as software vulnerabilities continued to wreak havoc on organisations worldwide. The U.S. government led the charge with its Cyber Executive Order, mandating the use of Software Bill of Materials (SBOMs) for federal contractors to improve visibility into third-party risks. Meanwhile, NIST and OWASP raised the bar for software security practices, and financial regulators like the FCA issued guidance to tighten controls over vendor relationships.
Despite these efforts, attacks on the supply chain persisted, highlighting the ongoing challenges of managing third-party risks in a complex, interconnected ecosystem. As regulators doubled down on their requirements, businesses began adapting to the new normal of stringent oversight.
So, Were We Right?
2024 was a year of progress, challenges, and more than a few surprises. Our predictions held up in many areas—AI regulation surged forward, Zero Trust gained prominence, and ransomware grew more insidious. However, the year also underscored how far we still have to go to achieve a unified global cybersecurity and compliance approach.
Yes, there were bright spots: the implementation of the EU-US Data Privacy Framework, the emergence of ISO 42001, and the growing adoption of ISO 27001 and 27701 helped organisations navigate the increasingly complex landscape. Yet, the persistence of regulatory fragmentation—particularly in the U.S., where a state-by-state patchwork adds layers of complexity—highlights the ongoing struggle for harmony. Divergences between Europe and the UK illustrate how geopolitical nuances can slow progress toward global alignment.
The silver lining? International standards like ISO 27001, ISO 27701, and ISO 42001 are proving indispensable tools, offering businesses a roadmap to build resilience and stay ahead of the evolving regulatory landscape in which we find ourselves. These frameworks provide a foundation for compliance and a pathway to future-proof business operations as new challenges emerge.
Looking ahead to 2025, the call to action is clear: regulators must work harder to bridge gaps, harmonise requirements, and reduce unnecessary complexity. For businesses, the task remains to embrace established frameworks and continue adapting to a landscape that shows no signs of slowing down. Still, with the right strategies, tools, and a commitment to continuous improvement, organisations can survive and thrive in the face of these challenges.