ICAEW.com works better with JavaScript enabled.

Cyber round-up: January 2024

Author: ICAEW Insights

Published: 30 Jan 2024

As the year begins, organisations reflect on lessons learned in 2023, and set priorities and develop strategies for improving cyber security in 2024.

Cyber risk and cyber governance

Cyber incidents are the most important corporate concern in 2024 for large, mid-size and small businesses, according to the Allianz Risk Barometer 2024 report. This follows on from a number of supply chain attacks and a surge in ransomware attacks enabled by Ransomware-as-a-Service (RaaS) in 2023. Cyber-security resilience is also identified as the most concerning environmental, social and governance challenge.

It is important for board members to understand their roles and responsibilities in relation to cyber security and to take steps to ensure they have the necessary skills, expertise and resources to govern in this area. This can be challenging, as highlighted in previous research into board cyber skills

But cyber-resilience concerns are not limited to individual businesses; it is a concern across the whole UK economy. The UK Department for Science, Innovation and Technology has been looking into how to improve the country’s cyber resilience. It has launched a call for views on a draft Cyber Governance Code of Practice, with simplified actions aimed at helping directors and business leaders manage cyber risks. ICAEW will be responding to the consultation and would welcome views at techfac@icaew.com.

AI and cyber security

The impact of AI on cyber security is expected to continue to grow in 2024, with its role in addressing and enabling cybercrime increasing. 

AI has mainly been used for detecting and responding to attacks, but 2024 will see an increase in this use by security operations teams and exploration of its use in predicting and preventing attacks.

On the flip side, its impact in spreading misinformation is likely to grow. In fact IBM’s cyber-security trends predictions for 2024 point to it as the year of deception. Various countries, including the US and UK, will be holding general elections this year, and AI technologies such as deepfakes are likely to be used to spread disinformation and misinformation to influence election results. 

In addition, businesses have already started to see an increase in the use of AI to make phishing attacks more effective, helping cyber criminals to craft realistic-looking communications in various languages. Spelling and grammar mistakes are becoming less effective in identifying suspicious communications. 

Couple this with the fact that AI deepfake technology is increasingly used to imitate video and audio, and employees have a greater challenge to distinguish between genuine interactions and those designed to lure them into taking inappropriate actions. Employees must be trained to be even more vigilant and careful and to question anything unusual. 

The National Cyber Security Centre (NCSC) has performed an analysis and produced a report on the near-term impact of AI on the cyber threat.

AI will also see most organisations working with third parties, either in developing or implementing and using AI systems. As seen throughout 2023, strong supplier cyber-security controls are paramount. 

Help for small or micro AI technology companies working in the UK is available via the NCSC Funded Cyber Essentials Programme, which provides free, hands-on help to get Cyber Essentials Plus certification.

Business account compromise

Business email compromise has been a concern for many years and remains a major risk. This is where a hacker gains access to a legitimate business email account for malicious purposes. However, attacks are not limited to email accounts. They can include social media accounts such as on LinkedIn, WhatsApp and X (formerly Twitter). 

This was seen earlier in the month when the US Securities and Exchange Commission (SEC) X account was hacked and used to announce that it had approved the listing of new Bitcoin Exchange Traded Funds (ETF). The announcement caused the price of Bitcoin to spike to $48,000 before the tweet was deleted 20 minutes later and the SEC announced that its X account had been compromised. 

The attack was conducted using an apparent ‘SIM swap’ attack, whereby the hacker tricked SEC telephone providers into transferring control of a mobile phone number associated with the SEC X account to the hacker’s device. They could then reset the account password. The SEC also revealed that it did not have multi-factor authentication (MFA) enabled on the account, making it easier for the hacker to gain access.

With the large number of credentials available through data breaches such as the Historic Data Leak, it is key for organisations to ensure that they are not entirely reliant on usernames and passwords for account access. 

MFA should be enabled on all relevant business accounts and organisations should consider implementing authentication via a dedicated app rather than phone numbers and email addresses, which are easier to access. The NCSC Guidance on multi-factor authentication for online services provides additional information on how to set up MFA. 

Users should also be trained to question and verify any unusual or unexpected information and communication, even when it seems to be coming from a legitimate source. Seeing it is not always a reason to believe it.

Want to learn more about Cybersecurity?

Attend ICAEW’s Cyber Security immersion event on 6 June 2024. This is a hands-on approach to Cyber Risk management that will be held in person. More details and pricing are available here.

Got an interesting cyber story for us? Email techfac@icaew.com

Recommended content

Resources
Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.
Technology

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Read more
ICAEW Community
Data visualisation on a smartphone
Data Analytics

Helping finance professionals develop the advanced data analytics and visualisation skills needed to succeed in this insight-driven era.

Find out more
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250