Half-Year Review: The Key Security and Compliance Challenges of 2024 So Far
In April, the government told us that half of UK businesses had suffered a breach over the previous 12 months, with the share rising higher still for medium (70%) and large firms (74%). It found that basic cyber-hygiene, risk and supply chain management, and incident response are still lacking in a worryingly large share of these organisations.
But what about the past six months? We’re only halfway through the year, but some significant themes have already emerged that will likely dominate the security and compliance narrative of 2024. Our top five are:
The NVD Is In Crisis
Vulnerability exploitation is back in vogue. Mandiant claims 38% of intrusions in 2023 started like this, a six-percentage point annual increase. This is bad news for network defenders because, arguably, the world’s most important source of vulnerability information – NIST’s National Vulnerability Database (NVD) – has been effectively paralysed for several months. As a standardised repository of enriched CVE data, it has become a crucial component of many firms’ automated patch and vulnerability management processes, as well as security tooling. A sudden slowdown in the processing of CVEs since February has left security teams scrambling for alternative intelligence sources.
Verizon claims that detections of vulnerability exploitation as an initial access vector for data breaches surged 180% year-on-year (YoY) in 2023. It now accounts for 14% of all breaches – meaning that security teams need to think urgently about additional sources of CVE info, like the CVE Program, alongside improved threat intelligence and other tactics.
Ransomware Goes From Bad To Worse
Back in January, the National Cyber Security Centre (NCSC) warned that AI would “almost certainly increase the volume and impact of cyber-attacks in the next two years”. It singled out ransomware for special attention, claiming that AI will provide an “uplift” to attackers in social engineering and reconnaissance. In other words, AI technology will be set to work creating highly convincing phishing content that is hard to spot, and scanning for known vulnerabilities in targeted organisations. The ISMS State of Information Security Report 2024 revealed that 29% of organisations had suffered a ransomware attack over the past year.
It’s unclear whether AI is already being used in this way. Still, so far this year, ransomware groups have been on the offensive, despite isolated wins for law enforcement in disrupting LockBit and forcing BlackCat/ALPHV to disband. Healthcare organisations have once again been on the receiving end. First, it was US providers Change Healthcare and Ascension – the former expected to book costs of over $1bn in relation to the attack. NHS England was hit hard after the Qilin ransomware strain took out a supplier. It initially forced the cancellation of over 800 planned operations and 700 outpatient appointments.
Given that ransomware actors still usually achieve their ends via relatively straightforward attack vectors (RDP compromise, phishing, vulnerability exploitation), it seems like organisations need to continue focusing on getting the basics right in order to stay safe.
Edge Devices Are Taking A Battering
The edge appears to be the new frontier in state-sponsored cyber-attacks. The NCSC was one of the first to signal a warning this year, claiming that threat actors are increasingly targeting perimeter-based products (like file transfer applications, firewalls, VPNs and load balancers) after improvements in the design of client software. They’re a perfect target, the NCSC claimed: their code is less likely to be secure by design than client software, making bug exploitation easier, and edge devices lack effective logging.
We’ve seen a tsunami of ransomware and cyber-espionage attacks over the past six months as a result, including mass exploitation of Ivanti Connect Secure and Policy Secure gateways, FortiGate devices, and a legacy F5 BIG-IP appliance. A recent Action1 report revealed a record exploitation rate for load balancers from 2021-23, while another vendor claimed the number of CVEs linked to edge services and infrastructure rose 22% between 2023 and YTD 2024.
The NCSC urges organisations to switch from on-premises to cloud-hosted perimeter products and use firewalls to block any unused “interfaces, portals or services of internet-facing software”.
Open-Source Risks Snowball
The risks of using open-source software have been understood for some time. Threat actors increasingly hide malware in third-party components and place them in official repositories in the hope that a time-poor developer downloads one. However, in April, an even more insidious threat was unearthed after an accidental discovery: a sophisticated years-long effort to infiltrate and implant backdoor malware in a popular open-source component known as xz Utils. The group behind the scheme went to great lengths to hide their malicious activity while socially engineering the original maintainer, Lasse Collin, into bringing their developer persona on board as a ‘trusted’ contributor.
The bad news for security teams is that multiple copycat efforts have since been discovered, potentially hinting at a growing crisis for open source. Some 79% of the respondents ISMS.online spoke to say their business has been impacted over the past year by a security incident caused by a third-party vendor or supply chain partner. Going forward, greater scrutiny of software supply chains, including software bills of materials (SBOMs), regular vulnerability scanning and more rigorous governance policies will be needed.
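Two of the themes above point at the same practical task: with NVD enrichment lagging, teams are told to consume CVE records directly from the CVE Program, and with supply chain incidents rising, they are told to scrutinise SBOMs. The following added example (not code from ISMS.online, NIST or the CVE Program) ties the two together: it reads CVE records in the CVE Record Format 5.x shape, skips anything not in the PUBLISHED state, matches the CNA's affected vendor/product/version ranges against the components of a CycloneDX SBOM, and flags matches that carry no CVSS score as needing manual triage. All CVE IDs, vendors, products and versions are constructed placeholders, and matching on component `name`/`publisher` against CVE `product`/`vendor` is an assumption; real inventories would normally key on package URLs.

```python
"""Match CVE Program records (CVE Record Format 5.x shape) against a CycloneDX SBOM.

Added example; every record, vendor, product and version below is constructed.
"""
import json

# Constructed CVE records (placeholder IDs, not real advisories). The third is
# REJECTED and carries a wildcard range: it must be ignored, not matched.
CVE_RECORDS_JSON = r'''
[
  {"dataType": "CVE_RECORD", "dataVersion": "5.0",
   "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
   "containers": {"cna": {
     "affected": [{"vendor": "ExampleVendor", "product": "exampleapp",
                   "versions": [{"version": "1.0.0", "lessThan": "1.4.2",
                                 "status": "affected", "versionType": "semver"}]}],
     "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8,
                               "baseSeverity": "CRITICAL"}}]}}},
  {"dataType": "CVE_RECORD", "dataVersion": "5.0",
   "cveMetadata": {"cveId": "CVE-0000-00002", "state": "PUBLISHED"},
   "containers": {"cna": {
     "affected": [{"vendor": "othervendor", "product": "otherlib",
                   "versions": [{"version": "2.0.1", "status": "affected"}]}]}}},
  {"dataType": "CVE_RECORD", "dataVersion": "5.0",
   "cveMetadata": {"cveId": "CVE-0000-00003", "state": "REJECTED"},
   "containers": {"cna": {
     "affected": [{"vendor": "othervendor", "product": "otherlib",
                   "versions": [{"version": "0", "lessThan": "*", "status": "affected"}]}]}}}
]
'''

# Constructed CycloneDX SBOM fragment: two versions of each component, one inside
# the affected range and one outside it.
SBOM_JSON = r'''
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
   {"type": "library", "publisher": "examplevendor", "name": "exampleapp", "version": "1.3.0"},
   {"type": "library", "publisher": "examplevendor", "name": "exampleapp", "version": "1.4.2"},
   {"type": "library", "publisher": "othervendor", "name": "otherlib", "version": "2.0.1"},
   {"type": "library", "publisher": "othervendor", "name": "otherlib", "version": "2.1.0"}
 ]}
'''


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2). Non-numeric fragments count as 0 (simplification)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_matches(version, spec):
    """Does `version` fall inside one CVE 5.x `versions[]` entry?

    Handles exact versions, `lessThan` and `lessThanOrEqual` (with the "*" wildcard).
    Entries whose status is not "affected" never match; `changes`/`defaultStatus`
    semantics are deliberately not modelled here.
    """
    if spec.get("status", "affected") != "affected":
        return False
    ver = parse_version(version)
    start = parse_version(spec.get("version", "0"))
    if "lessThan" in spec:
        end = spec["lessThan"]
        return compare(ver, start) >= 0 and (end == "*" or compare(ver, parse_version(end)) < 0)
    if "lessThanOrEqual" in spec:
        end = spec["lessThanOrEqual"]
        return compare(ver, start) >= 0 and (end == "*" or compare(ver, parse_version(end)) <= 0)
    return compare(ver, start) == 0


def cvss_base_score(cna):
    """Return the CNA-supplied CVSS base score, newest metric version first, or None."""
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric and "baseScore" in metric[key]:
                return metric[key]["baseScore"]
    return None


def match_sbom(records, sbom):
    """Cross-reference PUBLISHED CVE records against SBOM components."""
    findings = []
    for record in records:
        meta = record["cveMetadata"]
        if meta.get("state") != "PUBLISHED":      # skip RESERVED/REJECTED records
            continue
        cna = record["containers"]["cna"]
        score = cvss_base_score(cna)              # None means "not enriched by the CNA"
        for affected in cna.get("affected", []):
            vendor = affected.get("vendor", "").lower()
            product = affected.get("product", "").lower()
            for comp in sbom.get("components", []):
                if comp.get("name", "").lower() != product or comp.get("publisher", "").lower() != vendor:
                    continue
                if any(version_matches(comp["version"], spec) for spec in affected.get("versions", [])):
                    findings.append({"cve": meta["cveId"], "component": comp["name"],
                                     "version": comp["version"], "cvss": score,
                                     "enriched": score is not None})
    return findings


def run():
    """Run the matcher over the constructed samples."""
    return match_sbom(json.loads(CVE_RECORDS_JSON), json.loads(SBOM_JSON))


if __name__ == "__main__":
    for finding in run():
        triage = "" if finding["enriched"] else "  <- no CVSS in record, manual triage needed"
        print(f'{finding["cve"]} affects {finding["component"]} {finding["version"]} '
              f'(CVSS {finding["cvss"]}){triage}')
```

Running it reports the 1.3.0 build of `exampleapp` against the scored record and the 2.0.1 build of `otherlib` against the unscored one, while the fixed 1.4.2 build and the rejected wildcard record produce nothing. The "enriched" flag is the point of the exercise: when the upstream database is not supplying scores, a match with no CVSS should land in a human queue rather than silently sorting to the bottom of a patch list.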
Compliance Challenges Proliferate
To misquote Benjamin Franklin, nothing in this world is certain except for death, taxes and new compliance mandates. So 2024 has proven, with the launch of the EU AI Act, a new IoT security act in the UK, proposals for new UK datacentre security rules, an EU cybersecurity certification scheme, and more besides. Organisations also saw the compliance deadline for PCI DSS 4.0 pass in March and are currently busy preparing for NIS 2.
Many are struggling with the workload. ISACA research claims that privacy programmes, in particular, are underfunded and understaffed. Legacy tools and processes aren’t helping either.
Compliance with industry best practices can build a strong foundation for delivering regulatory compliance programmes in areas like information security (ISO 27001) and AI (ISO 42001). But while ISMS.online finds that 59% of organisations plan to increase spending on such programmes in the coming year, nearly half (46%) say it takes 6-12 months to comply with ISO 27001. A further 11% claim it takes 12-18 months. With the right set of intuitive and pre-configured tools, it shouldn’t be this difficult.