A Year in Compliance: Five Key Trends from 2024
It’s been another year full of incidents for security and compliance teams. Buffeted by ransomware attacks, supply chain and open source threats, infostealers, global IT outages, and much more, many struggled to keep their heads above water. As technology innovation, particularly in artificial intelligence (AI), accelerated at pace, regulators also had a busy year. However, as legislative mandates piled up, some security pros admitted that many new rules are too difficult to understand and too time-consuming to implement.
This is a troubling trend that will likely continue as skills shortages bite. But there is light at the end of the tunnel, if security teams can find a way to optimise their compliance efforts through best practice standards like ISO 27001. With that in mind, these are the five things we learned from 2024.
Australia Is Finally Getting Serious About Cybersecurity
It’s been a long time coming, but Australia finally got its first piece of standalone cybersecurity legislation. Still making its way through parliament at the time of writing, the Cyber Security Act is an ambitious new law which promises to implement seven key initiatives outlined in the Albanese government’s new Cyber Security Strategy. It will mandate the reporting of ransomware payments and new standards for smart gadgets, as well as encourage information sharing with the authorities, among other things.
Experts say that Australian organisations can get ahead of the likely new requirements by reviewing their current security practices, determining where there are any gaps or areas for improvement, and following a security-by-design mindset. Something certainly needs to change Down Under. There were 483 data breach notifications in the second half of 2023, up 19% from the first part of the year, with most (67%) caused by malicious attacks.
AI Threats Abound As New Rules Come Into Force
One of the headline stats from the ISMS.online State of Information Security Report 2024 is that 30% of respondents experienced attacks featuring deepfakes. That puts it just behind social engineering and malware infection and is a testament to the astonishing acceleration of technology innovation over the past year. As ever, regulators have been racing to catch up to this and other AI threats to businesses, consumers, and society.
The EU is unsurprisingly taking the lead on regulation with its AI Act, which will impact UK firms wishing to sell into the single market. It employs a risk-based approach which classifies AI systems into four categories based on their potential harm. Those in the high-risk category will require the most work, demanding that organisations conduct thorough risk assessments, implement human oversight mechanisms, and ensure the AI systems are safe, reliable, and transparent. Elsewhere, the Council of Europe Framework Convention on Artificial Intelligence is a broad-based, nation state-level convention designed to address any legal gaps stemming from rapid AI technological advances. It remains to be seen whether it has the desired impact.
The US is taking a less hands-on approach to regulation, something likely to continue with a new Trump administration. But this regulatory hole is being filled at a state level. Organisations should look to ISO 42001 as a helpful guide to using AI safely. New guidance documents from NIST (on adversarial threats) and the NCSC (for AI development) should also help.
IoT Manufacturers Are Coming Under Intense Scrutiny
Internet of Things (IoT) systems are making their way into everything from fitness bands to smart factories. But they also represent a potentially significant security risk, as manufacturers have, up until now, had no formal regulations to mandate minimum standards of best practice. That has now changed, with new UK and EU-level laws. The UK was first to the punch with its Product Security and Telecommunications Infrastructure (PSTI) Act. It mandates unique, strong passwords for each device, as well as manufacturer vulnerability disclosure and security update programmes that must run for a defined period of time.
Although modest, it should help improve IoT security standards in the consumer space and may be enhanced in time. However, the EU’s Cyber Resilience Act (CRA) is far more ambitious and will be required for any manufacturers or retailers hoping to sell consumer IoT products on the continent. It has a wider scope and mandates a longer list of security requirements. UK firms with one eye on Europe should meet the PSTI’s requirements by focusing on the CRA.
New UK Cybersecurity Legislation Is Incoming
In the UK, the new Labour government wasted no time this year in rolling out notice of new cybersecurity-related laws designed to boost the nation’s resilience to evolving threats. The main one is the Cyber Security and Resilience Bill, which will update the NIS Regulations. Specifically, it will increase the scope of the current NIS regime “to protect more digital services and supply chains”, introduce mandatory ransomware reporting, and hand more powers to regulators – although exactly how is unclear. The government also announced a Digital Information and Smart Data Bill, which is essentially a new version of the canned Data Protection and Digital Information Bill, intended to update the UK’s GDPR regime. Compliance teams will closely follow any new information on the proposed laws next year.
The final months of the previous administration also left plenty for UK businesses to chew on, including a proposed new Code of Practice for cyber governance and new regulations designed to enhance the security posture of data centres.
Critical Infrastructure Providers Have Plenty To Keep Them Busy
In the EU, two new pieces of legislation impose strict demands on critical infrastructure providers. The long-awaited deadline for NIS 2 implementation passed in October. It will bring a huge number of extra European organisations into scope, mandate a new set of baseline security requirements, and place a new level of liability for incidents on senior management. Once again, UK firms trading with Europe will need to comply, and they can use best practice standards like ISO 27001 to help them do so.
Meanwhile, the Digital Operational Resilience Act (DORA) will come into force early in the new year: January 17th, 2025. It also mandates a strict new set of rules, this time for financial services firms and their IT suppliers. Again, ISO 27001 can help by establishing the foundational processes needed to comply with requirements in areas like incident response, risk management, supply chain risk management, and resilience testing.
A Helping Hand
As corporate attack surfaces expand, threat actors continue to circle and regulators grow more demanding, security and compliance teams threaten to become overwhelmed with the workload. It seems to be having a worrying impact. Half (50%) of UK businesses report having experienced some form of security breach or attack in the past 12 months – rising to 70% of medium businesses and 74% of large businesses. This is up considerably from respective figures of 32%, 59% and 69% in 2023.
Best practice standards and frameworks are not a panacea. However, they can do much of the heavy lifting as many of the requirements in the legislation cited above share the same underlying goals. The key is to find a provider capable of accelerating and streamlining this compliance burden amid persistent skills gaps. Fortunately, these tools do exist.