As cyberthreats evolve, businesses need more than just tech solutions
Organisations need more than technology-based solutions to combat increasingly sophisticated threats from cybercriminals who are using AI for attack campaigns
There is an intensifying “arms race” between cyber criminals and the defences meant to thwart them, according to UNSW Sydney’s Dr Eila Erfani, who says businesses need a “multifaceted and user-centric cybersecurity approach and empowerment strategies” to fight what they should see as more than just a technological threat.
The threat to businesses has escalated significantly in the aftermath of high-profile data breach scandals involving major entities like Optus and Medibank. The potential consequences, including share value loss and reputational damage, underscore the importance of robust cybersecurity strategies.
Dr Erfani, a Senior Lecturer in the School of Information Systems and Technology Management at UNSW Business School, said developments in cybercriminals’ capabilities mean businesses must be more holistic in fighting scams. “As we navigate the complexities of the cybersecurity landscape in 2024 and beyond, it’s clear that a multifaceted and user-centric approach is essential for effectively countering emerging threats,” she said.
This approach extends beyond technology alone, incorporating insights from psychology, sociology, ethics, and economics to create more resilient and responsible cybersecurity strategies. And with the Australian Signals Directorate, the information security regulator, citing a 23 per cent year-on-year increase in cybercrime reports – including a massive 300 per cent increase in attacks against Australian servers – businesses and organisations need to fortify their cybersecurity to counter these threats effectively.
New risks in a changing world
High-profile scam campaigns against large companies globally have recently kept anxiety over cybersecurity in the news. A drumbeat of negative publicity in Australia began with massive data breaches at Optus and Medibank in late 2022. The Australian Communications and Media Authority recently announced it had sued Optus over its September 2022 breach, while it was recently revealed that a cyberattack on Ticketmaster could threaten the data of millions of Australians.
These breaches have severe consequences for businesses, which can face reputational damage and operational security risks, particularly as scammers get more sophisticated and take advantage of artificial intelligence (AI) and “deepfake” technology to enhance their attack campaigns, Dr Erfani said.
She explained that deepfake scams harness the power of AI to create realistic audio and video forgeries, allowing scammers to impersonate trusted figures or entities. The increasing use of this technology in scams presents significant challenges for businesses, fundamentally altering the “landscape of trust and security” in the digital age.
She said this technology poses a “dual threat” to businesses, beginning with reputational damage when scams attribute fabricated statements or actions to a company or its representatives. Such damage can have lasting effects on customer trust and market position.
“Secondly, there is a risk to operational security, as deepfakes can be used in spear-phishing campaigns to gain unauthorised access to corporate systems or sensitive information,” said Dr Erfani, who explained that spear-phishing scams target specific individuals or organisations through malicious email campaigns. Dr Erfani added: “The financial and strategic implications are significant, necessitating a reassessment of security measures and verification processes.”
According to the Australian Signals Directorate’s most recent Cyber Threat Report, the intensification of scam threats domestically stems partly from changing geopolitics following a long period in which geography and the limitations of other regional actors had provided some natural protection for Australia. Defence Minister Richard Marles wrote in the report that Australian governments, critical infrastructure, businesses and households are targets for cybercriminals, as both state and non-state actors are now using AI and other emerging technologies to enhance their attack capabilities.
Australian entities filed nearly 94,000 cybercrime reports in FY 2023 – a 23 per cent increase from FY 2022 – amounting to one report every six minutes on average, according to the Cyber Threat Report. It also found a 14 per cent increase in the average self-reported cost of cybercrime to businesses; medium-sized businesses saw the most significant losses, at $97,200 on average.
The five biggest cyber threats in 2024
1. Artificial intelligence
As a result of this changing backdrop, AI and other technological developments feature heavily in the biggest threats to cybersecurity that businesses are facing this year. Attackers are taking full advantage of AI and machine learning as these technologies become more sophisticated; moreover, bad actors have shown an adaptiveness that keeps the threat level high.
“AI can lead to cybersecurity attacks by automating and scaling up attacks, generating personalised phishing emails, creating deepfakes, evading detection, cracking passwords, optimising DDoS attacks, exploiting AI systems, poisoning data, and enhancing social engineering tactics,” Dr Erfani said. “The arms race between cybersecurity defences and AI-powered attacks is expected to intensify. AI plays a dual role in cybersecurity: while it can be used to create sophisticated attacks, we can also harness its power to develop effective strategies for mitigating these threats.”
The ASD report also noted that advancements in AI help the fight against cybercrime. “As online adversaries can use AI tools, so too can system defenders,” the report stated. “AI can sort through large volumes of logs or telemetry data to look for malicious behaviour, identify malware, detect and block exploitation attempts, or derive intelligence insights. AI can also help triage information and automate security tasks, so humans can focus on other problems.”
The agency recommended that entities wanting to deploy AI in their business “should treat them with the same care” as other information services and use a risk-based approach to procurement.
2. Ransomware-as-a-service platforms
Ransomware strategies – which use malware to encrypt data or systems for extortion – have presented a “critical threat” for years, but Dr Erfani said they are now becoming more sophisticated. “Beyond encrypting data, future ransomware attacks may escalate by threatening to leak sensitive information publicly or by targeting backups and cloud services to maximise their impact,” she said.
“The rise of ‘Ransomware-as-a-service’ platforms also makes these attacks accessible to a broader range of malicious actors,” she added. These platforms, which make a market between ransomware operators and buyer ‘affiliates’, can enable actors with little technical knowledge to deploy harmful ransomware attacks, according to the ASD, which calls ransomware the “most destructive cybercrime threat to Australians”.
Ransomware attacks made up 10 per cent of all cybersecurity incidents the ASD responded to in 2023, with a 7 per cent increase in entities hit by ransomware activity over the previous year.
3. Supply chain cyberattacks
Another increasingly critical threat is supply chain attacks, which compromise software updates, hardware integrity or third-party services and can lead to widespread security breaches.
“Cyberattacks targeting supply chains aim to exploit vulnerabilities in the network of suppliers, vendors and partners that organisations rely on,” Dr Erfani said. “The interconnectedness of digital ecosystems makes supply chain attacks efficient for attackers to exploit multiple targets through a single point of weakness.”
4. Internet of Things (IoT) vulnerabilities
Many of these increased risks stem from the fact that cybercriminals now have an expanded “attack surface,” according to Dr Erfani.
The explosion of ‘Internet of Things’ (IoT) devices has been critical to that expansion. According to the ASD, cyberattacks compromise common small-home-office products and Internet-of-Things devices to steal sensitive information, target corporate networks or enslave them into botnets for distributed-denial-of-service (DDoS) attacks.
Dr Erfani said IoT devices are susceptible to cyberattacks due to their interconnected operations, which expose them to a wide range of threats across complex networks, particularly when devices have inadequate security features. “Attackers can exploit these devices to gain unauthorised access to networks, conduct surveillance or launch large-scale DDoS attacks. Ensuring the security of these devices remains a significant challenge,” she said.
“To efficiently mitigate IoT device vulnerabilities, it’s essential to begin with secure design, including encryption and access controls, and to keep devices updated with the latest firmware. Segmenting networks, using strong authentication, encrypting data, monitoring for suspicious activity, educating users, and ensuring regulatory compliance are also crucial steps.”
5. Quantum computing: a two-edged sword
Finally, Dr Erfani said quantum computing has the potential to both threaten and enhance cybersecurity. “On one hand, quantum computers could break current encryption algorithms, compromising sensitive data. On the other hand, quantum cryptography offers more secure communication channels. As quantum computing advances, cybersecurity measures must evolve to address these new challenges and opportunities.”
Turning to the risks around quantum computing, she said investment in quantum-resistant technologies and encryption methods would be a “forward-thinking step towards securing our digital future, making societies more resistant to the quantum threat against our cryptographic standards”.
Multifaceted, user-centric cybersecurity and empowerment
Because of the complexity of the cybersecurity threat facing businesses today, Dr Erfani argued that countering it requires a solution built on a “multifaceted and user-centric cybersecurity approach and empowerment strategies”.
“Integrating advanced technology with insights from psychology, sociology, and economics, along with a strong ethical foundation, offers the potential to establish a cybersecurity infrastructure that not only defends against threats but also fosters a secure, inclusive, and equitable digital environment for all users,” said Dr Erfani, who detailed 11 critical elements of this solution:
• Embrace a user-centric approach for assessment and guidance development: By tailoring cybersecurity assessments and guidance to users’ specific needs and behaviours, we ensure the relevance and effectiveness of our measures in protecting against threats, thereby enhancing user experience and security.
• Prioritise the creation of a cyber victim support hub: This dedicated support hub will play a crucial role in assisting individuals and organisations affected by cyber incidents, providing them with the necessary resources, guidance, and recovery assistance. It will demonstrate our commitment to their security and recovery.
• Combatting AI with AI (responsible AI): By implementing responsible AI technologies, we take a proactive stance in detecting, preventing, and mitigating cyber threats. This approach ensures ethical use and safeguards against misuse, demonstrating our commitment to responsible and effective cybersecurity.
• Expansion of the Digital ID program: Enhance and broaden digital identity initiatives to provide secure and reliable verification methods, reducing identity fraud and enhancing online security.
• Facilitating collaboration and knowledge sharing: Promote cooperation and information exchange among cybersecurity professionals, organisations, and stakeholders to strengthen collective defence mechanisms.
• Expansion and support of cybersecurity awareness campaigns: Increase the reach and impact of educational campaigns to raise awareness about cybersecurity best practices and threats, empowering users to take proactive measures.
• Adopting cybersecurity frameworks: Implement established cybersecurity frameworks to provide a structured and comprehensive approach to managing and mitigating cyber risks.
• Public-Private Partnerships: Foster collaborations between government entities and private sector organisations to leverage shared expertise, resources, and intelligence in combating cyber threats.
• Regular security audits and penetration testing: Conduct frequent security audits and penetration tests to identify vulnerabilities and ensure robust defences against potential cyber-attacks.
• Enhancing cybersecurity compliance behaviour with psychological insights: Utilise psychological and behavioural research to understand user behaviour, improve compliance with cybersecurity policies, and develop effective strategies for fostering a security culture and proactive risk management.
• Implementing continuous improvement programs: Establish ongoing improvement initiatives to regularly assess, update, and enhance cybersecurity practices, ensuring they evolve to counter emerging threats and adapt to technological advancements.
A recent UNSW Sydney #CareersUnlocked event on trends, threats and the future of cybersecurity featured a number of distinguished panel members, including Priyal Dalal, Cyber Security Consultant with KPMG (left), Professor in CyberCrime, Cyberwar and Cyberterror at the School of Computer Science and Engineering at UNSW Sydney (centre) and Dr Eila Erfani, a Senior Lecturer in the School of Information Systems and Technology Management at UNSW Business School (right).