Rhys Gillespie

The Future of Cyber Security

Updated: Nov 13

An excerpt from Rhys Gillespie's article, ‘The Future of Cyber Security’.



The number of internet-connected devices worldwide reached c.15.9 billion in 2023 and is forecast to increase to c.32.1 billion by 2030. A recent study by Uswitch found that the average screen time for adults in the UK is five hours per day, on top of screen time at work. These statistics, among numerous others, demonstrate the increasing level of human reliance on technology, something which is showing no signs of slowing down.


Technological development is blurring the lines between the real and digital worlds, making time away from our devices almost impossible. Advancements in virtual and augmented reality are promising alternate existences as avatars within the ‘Metaverse’, where we can live, work and play, interacting with others as if in person, without having to leave our homes. Significant investment into future technologies such as virtual reality is ensuring that technological innovation will continue to shape society in the future.


Underneath this utopian and somewhat unnerving vision of connectivity that technology is promising lie important questions surrounding privacy and safety. It seems natural to question one’s privacy when existing as a character in a future digital world; however, online privacy and security are a serious problem even today.


Across our multiple devices and accounts, we store vast amounts of personal and private data online, putting significant trust in the technology and those behind the applications we use. There were an estimated 64 zettabytes (64,000,000,000 terabytes) of data online in 2020 and Figure 1 shows that this number is forecast to further increase over the next few years. The potential damage of a security breach is increasing as more information is held online, further adding to the importance of secure technological systems.


Simple common sense informs us that we shouldn’t give anyone else our passwords or private information, and yet we rarely hesitate to let our devices store them for future ease. While allowing your phone, laptop or browser to save your password isn’t the same as giving your housekey directly to a criminal, it is similar to putting a spare key into a ‘secure’ box close to several other keys. In theory, your keys are still safe, but they are now out of your control and are part of a high-risk target where criminals can access multiple keys at once. Breaches of personal information and passwords can have devastating consequences, particularly if access to banking applications is granted. However, such cyber breaches are not limited to individuals but also affect businesses. In fact, with multiple employees and thus more potential weaknesses, businesses can be more susceptible to breaches and often offer greater financial rewards for scammers.


The aim of cyber security is to protect devices, services and personal and business information from all forms of cyber attack. With large quantities of personal information and confidential data stored online, cyber security is already an extremely important industry, and yet its influence is set to grow significantly as we continue to increase our trust in technology.


Figure 1: Global volume of online data (2010 - 2025f)

The cyber crime problem


The cyber security market is worth c.$186 billion and forecast to grow to c.$272 billion by 2029. Figure 2 below shows that this global cyber security spend is far below the c.$8.2 trillion cost of cyber crime globally in 2023, which would make it the third largest global economy if it were a country. Moreover, the cost of cyber crime is forecast to grow to a staggering c.$15.6 trillion by 2027. The scale of the gap between the two measurements shows the magnitude of the cyber crime problem, and the lack of emphasis placed on it with such limited comparative spend.


The average ransom demand from attackers to a company in 2024 was c.$4.3 million, with central and federal governments attracting the highest figures. Alongside these large upfront payments are the costs incurred in recovering from such attacks. Cyber attacks are not infrequent; it is estimated that the number of data breach victims worldwide has risen from six per hour in 2001 to 97 per hour in 2021. These cyber crime figures are particularly alarming given that they are likely to be conservative estimates due to under-reporting, as a result of embarrassment or fear of reputational harm.


With numerous individual hackers and hacking groups currently active globally, there are multiple ways in which cyber attacks can occur. According to a study by the World Economic Forum of 120 global cyber leaders, the most concerning forms of cyber attacks are ransomware, social engineering and malicious insiders.


Figure 2: Global cyber crime security spend vs. cyber crime cost

Ransomware attacks involve the use of malware to encrypt or block users from files and information until a ransom is paid. Global ransomware damages cost an estimated $20 billion in 2021, up from $11.5 billion in 2019, with an attempted ransomware attack on a business every 11 seconds. This is set to rise to be a ransomware attack every 2 seconds by 2031. In addition to more frequent ransomware attacks, the size of pay-outs is also increasing, with CNA Financial paying $40m in ransom to a Russian cybergang in March 2021. Ransomware damage costs are not limited to ransom pay-outs, but also include damage to or loss of data, loss of productivity, and business disruption. Ransomware attacks can be particularly damaging to organisations in high-pressure sectors, such as healthcare, where restricted access to data can lead to a lack of treatment and even death.


Social engineering attacks involve manipulating human interactions to gain unlawful access to systems or information. Kevin Mitnick, formerly the ‘World’s Most Wanted Hacker’, now security consultant to many Fortune 500 companies, said that “companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems.” It is this ‘weakest link’ that social engineering attacks attempt to exploit. Phishing is the most common form of social engineering attack, where scam emails and texts are sent to organisations or individuals, urging them to click on links to malicious sites, reveal personal information such as banking details, or download malware. It is estimated that 32% of all data breaches involve phishing.


Phishing attacks are generally widespread and untargeted, where hackers send emails to thousands of users at once, with relatively low success rates. However, a more targeted form of phishing, called ‘Spear Phishing’, also exists. Here, attackers choose specific individuals or businesses as targets and tailor the email or text messages to them. Although spear phishing attacks require more work from the scammer, they are more lucrative when performed correctly.


The distinction between phishing and spear phishing might seem trivial; however, it symbolises a fundamental shift within the world of cyber. Scammers and cyber criminals are moving away from widespread attacks with lower success rates and pay-outs, and towards more sophisticated, thought-through and targeted attacks, which are generally more profitable and effective. Greater scam sophistication is a frightening concept, particularly when the likelihood of cyber crime detection and prosecution is already believed to be as low as 0.05% in the US.


Another shift within the cyber landscape has come from the emergence of cryptocurrency, which promises substantial short-term financial gain to those who invest well. Unfortunately, the enticing financial incentives and noise surrounding the crypto market have also led to additional opportunities for cyber criminals to exploit those wanting a slice of the crypto pie. Rug pulls are a form of exit scam, where fraudulent developers lure investors in with a new cryptocurrency, before draining the funds from the liquidity pool when the price hits its maximum, leaving investors with a worthless token. Although cryptocurrency may be the future of money, the market is currently extremely underregulated, and the added level of anonymity makes crypto crime a particularly attractive avenue for criminals.


The Covid-19 pandemic has impacted almost every single aspect of life and work, and the shift to working from home has added to the cyber risk for most organisations. Remote working removes the additional security layer in which employees can check suspect emails with colleagues, and home or remote Wi-Fi connections are often less secure than office connections. As more businesses operate online, the need to protect business data and information will continue to increase.


Various shifts within the world of cyber are set to add to the substantial cyber crime problem. Cyber regulation is currently lacking in many areas; however, there has been a recent surge in data protection legislation. Large fines for improper handling of personal data, such as an $888 million fine for Amazon in 2021 for breaching GDPR (General Data Protection Regulation), are forcing businesses to suitably protect customer data. Governing bodies are seeking to reduce the growth in cyber crime through increasing cyber security regulation, helping to ensure that businesses are resilient to cyber attacks.



How to prevent cyber crime


Evidently, cyber crime is an important and growing problem, which could cost organisations trillions of pounds every year. Action needs to be taken. Organisations and governments should first understand how cyber crime can be prevented, in order to invest their time and money into effective solutions.


It is estimated that 95% of cyber security breaches can be traced to human error, reinforcing the point that humans are the weakest link in the security chain. Consequently, combatting cyber crime starts with increasing the awareness of cyber risk and ensuring that individuals take more responsibility for their online safety, instead of relying on software to keep their data secure.


The widespread use and trust of technology within modern society no doubt contributes to our largely passive approach to online security. The idea that our data, stored in supposedly secure and trustworthy online locations, could be stolen and used against us is hard to comprehend. We have become so used to technology removing human error that we forget that ‘bad’ people can still exploit it and use it against us. It’s a sad reality to think that we have to teach our relatives, young and old, to second-guess emails and to not trust certain websites. Perhaps the truly ideal versions of new technologies are ones which allow us to trust again, when online. Unfortunately, given the nature of human greed, such dreams are seemingly improbable without removing connectivity altogether, one of the greatest benefits of technology.


One of the simplest and most effective ways for individuals to remain safe online is to increase password and authentication complexity. Using multi-factor authentication makes it significantly harder for hackers to access your accounts: instead of simply using your username and password to log into an account, multi-factor authentication uses two or more verification steps to confirm your identity. The different factors could be passwords or PIN numbers, but could also be a different device or a biometric factor, such as your fingerprint or face.


Businesses need board and executive level involvement to reduce cyber risk across multiple online systems and networks of employees. Hiring CISOs (Chief Information Security Officers) and information security teams to help develop cyber security policies and strategies is an important step for any organisation. These strategies should involve employee training and awareness, software development, and vulnerability assessment. Ethical hacking plays an important role in vulnerability assessment, and is the process of carrying out harmless cyber attacks to identify security vulnerabilities which require attention. A similar testing of weaknesses can be done on employees via phishing simulations, where employees are sent fake phishing emails and organisations are able to track which employees engaged with the emails and so might be most susceptible to genuine phishing attacks.


Businesses require skilled cyber security professionals to develop and implement cyber defence strategies; however, there is a significant shortage in the cyber security workforce globally. Figure 3 below shows the estimated size of the global cyber security workforce from 2018 to 2025, and the demand for cyber security roles globally.


Figure 3: Global cyber security workforce gap

Despite the size of the cyber workforce consistently increasing since 2019, the gap in the workforce remains significant. Many cyber leaders noted that a shortage of skills within their teams was causing challenges in responding to cyber security incidents. There is, therefore, a substantial need for more skilled cyber security professionals to keep up with the ever-growing cyber crime problem.


Many of the large tech companies are aware of this workforce gap and their role in reducing it. Microsoft have quadrupled their cyber security investment, injecting $20 billion over the next five years into cyber security, and Google have made a similar $10 billion investment. As part of these investments, the tech giants have promised to provide cyber security training. Various specialist cyber security training providers also provide free introductory courses to help in the first step towards becoming a certified cyber security professional.


Even with significant investment into cyber security training, the gap in the workforce is forecast to remain relatively flat for the next few years. According to the US Bureau of Labour Statistics, the number of Information Security Analysts will grow by 32% from 2022 to 2032, the tenth fastest growing role in the US. However, as businesses become more aware of the threats cyber attacks pose, the need for cyber security professionals will continue to grow. Growth in the required number of cyber security roles prompts the following question: will the size of the workforce ever catch up with the demand for workers? And consequently, can greater technological advancement such as artificial intelligence help bridge this gap by reducing the demand for cyber security experts?



The impact of artificial intelligence


Artificial intelligence (AI) is a branch of computer science, where human intelligence is simulated by machines. Although AI covers the notions of theory of mind and self-awareness, where machines are socially intelligent, can understand human emotion and have consciousness, advancement in these areas remains limited and theoretical. Currently, AI is predominantly used in replicating repetitive detail-oriented tasks, but developments are being made in the field of neural networks and machine learning, where AI systems process huge amounts of data, faster than humanly possible, to make accurate predictions.


Artificial intelligence, although in its infancy, is already used in some form across multiple business sectors, including cyber security. (See our article on The Future of AI and Work to investigate the impact of AI on the workforce). For example, natural language processing can be used to detect suspicious email behaviour, thwarting phishing attacks. Moreover, systems utilising machine learning techniques can alert organisations of potential attacks faster than employees and without human error, by identifying similarities to previous or known attack code. The use of AI to detect these potential threats frees up time for cyber security personnel to focus on other areas of cyber security which AI cannot help in.


Although such techniques still require human oversight and only flag potential attacks for experts to assess and respond to, they can help to reduce the significant pressure on cyber security experts. It is unlikely, however, that AI can replace the need for cyber security professionals, as its uses are still limited. Artificial intelligence is extremely efficient when performing tasks for which it has the capacity and has been trained to do, but currently has very little success when tackling new unseen tasks, as data-driven training is required.


Despite many uses, there is still significant development to come within the world of AI. Driverless cars, more intelligent AI assistants and domestic robots are on the way. Similar innovation will be made within cyber security, transforming the cyber defence landscape from reactive to predictive. Artificial intelligence-based defence software will be able to examine an organisation’s computer network, predict possible threats, and identify weaknesses to be strengthened. The continued adoption of artificial intelligence will no doubt improve cyber security defences across the world.


However, the influence of AI within the digital world won’t only be positive. As David Wong said, “new technology is not good or evil in and of itself. It’s all about how people choose to use it.” The potential power of AI cannot be disputed; however, as organisations harness its power to protect their customers, employees and data, many will abuse its power. Cyber criminals are constantly adapting their methods of attack to bypass new forms of security and the same is true when it comes to AI-based defences. Cyber attacks will become more sophisticated, harder to detect and altogether more devastating with the use of artificial intelligence.


The power of artificial intelligence in the hands of cyber criminals can already be seen through AI-generated phishing emails, which use natural language processing techniques to increase the number of times malicious links are clicked. A recent 2021 experiment by Singapore’s Government Technology Agency, where two fake phishing emails were sent to 200 staff, one made by humans and the other by AI, using OpenAI’s then GPT-3 platform, found that the AI-generated emails had higher click-through rates. Another potential danger of artificial intelligence in the cyber world is the alteration of AI training code, teaching cyber defence systems to fail to detect attacks, rendering the systems useless.


Deepfake technology is another advancement within the field of AI which can have damaging effects. Deepfakes use deep learning techniques to make images, videos or other digital media of fake events. Many deepfake videos already exist online, impersonating leaders and celebrities such as Barack Obama, Mark Zuckerberg and Morgan Freeman. Digitally-forged celebrity media could have serious consequences, for example in election outcomes or changes in stock prices, particularly when the distinction between real and fake videos is becoming increasingly blurred.


However, deepfake technology is not limited to creating fake news from celebrities but can also be used in financial scams. Consider the following scenario: while working from home, you receive an email from your boss asking you to send a sum of money over by the end of the day for a new purchase order. You might be suspicious of the email and rightly so. But, before you have the chance to reply, you receive a phone call from your boss (or at least in their voice) telling you that they need the money now. Could you seriously risk not sending the money over? Such scams are so convincing that it’s hard to blame the victim, but the results can be devastating for companies, as one business in the UK discovered after a phone call imitating the CEO caused an employee to transfer €220,000 to a fraudulent account.


Utilising AI techniques such as machine or deep learning is still complex and time and resource intensive for hackers. However, these barriers are starting to come down as the use of AI is becoming increasingly widespread. While the full power of AI is still currently unknown, its potential impact on the cyber world, business and society is enormous.



Conclusion


The cyber crime problem is immense, and the potential threat to businesses is on the rise. Ginni Rometty, former CEO of IBM, said that “cyber crime is the greatest threat to every company in the world”. With frequent, damaging attacks, limited awareness of the problem and a lack of resource to tackle it, it’s hard to argue with her. Although new technological advancements promise improved online security and are necessary to prevent more cyber attacks, they can also be utilised by cyber criminals to increase attack capability and to avoid detection.


The battle between cyber security experts and hackers to get ahead in terms of digital innovation will, no doubt, significantly alter the cyber landscape. Cyber criminals are currently in the lead, but organisations and governments aim to reduce this via increased cyber security funding. This will not end the battle however, as criminals will continue to adapt their attacks to bypass defence systems, creating a continuous cycle of development and adaptation that is likely to continue for years. Rogue governments or organisations could threaten this cycle with investment into cyber warfare, which could have devastating consequences. The constant cycle of innovation within cyber technology highlights the need for cyber security professionals, as technology will never be enough to prevent cyber crime altogether. An increasing focus on cyber security and further reliance on technology and data will make internet security experts one of the most valuable assets a business can have. Increased training in cyber crime awareness and prevention among all employees will also significantly reduce an organisation’s cyber risk.


The entire cyber market is set to experience continued substantial growth in the years to come, and now is the time for businesses and investors to engage with cyber. Cyber security training providers, consultancies and insurers are all set to cash in on the growing need for individuals and businesses to protect themselves and their information online.


Kingsgate can help you move into or grow within the cyber security market. We are a strategy consultancy that works with our clients to create enduring wealth, specialising in emerging markets. Kingsgate can help you to develop strategies that will allow your business to flourish within the booming cyber security market, or help you to understand the cyber landscape and identify acquisition strategies. For more information on how we can help with your cyber security strategy, please get in touch via our website below.


