Published by
Information Security Forum
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org
Project Team
Mark Ward – Author
Paul Watts – Co-author
Review and quality assurance
Eleanor Thrower
Emma Bickerstaffe
Richard Absalom
Paul Holland
Max Brook
Design
Jenna Lord
Abigail Palmer
Charlie Payne
Warning
This document is confidential and is intended for the attention of, and use by, either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF directly.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the
ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information
Security Forum and the Information Security Forum Limited accept no responsibility for any problems or
incidents arising from its use.
Classification
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
CONTENTS
Introduction
Conclusion
Appendices
A: Methodology
B: Assessing predictions from Threat Horizon 2021
C: Assessing predictions from Threat Horizon 2022
D: Assessing predictions from Threat Horizon 2023
E: ISF Threat Radar
F: Making the most of Threat Horizon 2024
G: References
Feedback
Acknowledgements
THREAT HORIZON 2022 – 2024
[Figure: themes and threats from Threat Horizon 2022, 2023 and 2024. Theme titles recoverable from the figure: Identity is weaponised; Security fails in a brave new world; Well-intentioned regulations have unintended consequences; Technology choices diminish control; Dirty data disrupts business.]
Threat Horizon 2022
1.1 Augmented attacks distort reality
1.2 Behavioural analytics trigger a consumer backlash
1.3 Robo-helpers help themselves to data
2.1 Edge computing pushes security to the brink
2.2 Extreme weather wreaks havoc on infrastructure
2.3 The internet of forgotten things bites back
3.1 Deepfakes tell true lies
3.2 The digital generation become the scammer’s dream
3.3 Activists expose digital ethics abuse
Threat Horizon 2023
1.1 Artificial intelligence industrialises high-impact attacks
1.2 Automated defences backfire
1.3 Layered security causes complacency and confusion
2.1 Digital doppelgängers undermine identity
2.2 Biological data drives a rash of breaches
2.3 Gamed algorithms cause commercial confusion
3.1 Smart grids succumb to an attack surge
3.2 Isolationism creates a security disconnect
3.3 Security struggles to adjust to the never normal
Threat Horizon 2024
1.1 Ransomware evolves into triple extortion
1.2 Regulators inhibit data-driven innovation
1.3 Attackers undermine central cryptocurrencies
2.1 The cloud risk bubble bursts
2.2 Activists pivot to cyber space
2.3 Misplaced confidence disguises low-code risks
3.1 Attackers poison the data well
3.2 Misleading signals subvert cyber fusion centres
3.3 Digital twins double the attack surface
Introduction
Trust is imperative for any business to be agile and maintain its competitive edge. However, that
trust will crumble over the coming years as organisations learn that regulators can introduce new
risks, technology does not always achieve all desired outcomes, and data itself is more susceptible
than ever to manipulation and inaccuracy. In a world of perpetual change, magnified by the global
pandemic, this disintegration of trust will create the perfect conditions for potential adversaries to
hide and thrive.
New regulations and laws will be enacted to set parameters for disruptive innovations, such
as artificial intelligence and crypto cash. Some of these may inadvertently cause adverse
consequences, forcing organisations to dedicate significantly more time and resources to adhere
to obligations while still facing volatile levels of risk.
Organisations that look to accelerate digital transformation without fully appreciating the
long‑term implications of their technology choices will find themselves losing control over
business inputs and outputs. The appeal of technological advancements, such as cloud services
and easy-to-use coding tools, will leave organisations unwittingly exposed to an expanding array
of threats.
In an era when data is processed and consumed in real-time to conduct business operations, the
historic trust that organisations place in the integrity of data – and the way in which it is used – will
prove to be misguided. The inability of organisations to assure the accuracy and purity of data at
high speed will provide unique opportunities for attackers to subtly spread misinformation and
disrupt business.
Those days when organisations felt in control of their strategy will be a distant memory. As trust
becomes a scarce commodity, organisations will need to find other ways of safely staying agile
and competitive.
Before studying the predicted threats in this report, the reader is encouraged to assess the forecasts
presented in this section and to consider them in the context of their own organisation. While these
forecasts build on input from ISF Members, the ISF Global Team and external experts, every organisation
will have its own view. Are these predictions reasonable? Do some underestimate the severity of certain
scenarios? Do others go too far? How might the forecasts be adapted in the context of your organisation?
What additional material (e.g. relating to specific industries or geographies) would be needed to support an
organisational review of the predicted threats in this report?
Tailoring these threats to your own organisation can help to develop a proactive approach to risk management.
A world view
As novel ways of living and working are established, efforts to maintain stability will be undermined by
ongoing conflict and turbulence in many sectors.
POLITICAL
In an era when regional organisations, such as NATO and the EU, are struggling to define their
purpose, elections across the globe in 2024 will have the potential to further strain the fabric of
societies and challenge international relations.1,2,3 Campaigns in the US, Russia, and the UK will
continue to divide, whilst Chinese support for Sinophile candidates in the Taiwanese election could
cause international disputes.4,5 The EU will face its first European Parliament elections since the
withdrawal of the UK, facing pressure from populist and disruptive agendas.6 The next generation of
fake news will plague political campaigns and polarise voters, eroding trust at all political levels.7
ECONOMIC
Despite a mix of rosy forecasts and the warnings of economies sleepwalking into recession, the
economic outlook in 2024 will be defined by uncertainty as a result of the pandemic.8,9 Organisations
Decentralised finance (de-fi) will evolve alongside a cashless society, loosening central banks’ grip
over taxation and regulation. The rapid rise of novel forms of money will cause a bitter battle over
fiscal controls.10 States will wrestle for ownership of these new currencies as they look to define their
policies and approach. Trust will decrease in institutions and governments due to these clumsy
battles to take control.11
Supply chain disruption is expected to continue because of labour and equipment shortages.12 The
interconnected nature of contemporary markets and their associated fragility was exposed in the
East by the instability of debt-riddled, housing giant Evergrande in China.13 The potential time bomb
of a Chinese recession would cause global economic, political and social shockwaves.
SOCIAL
The long shadow of the pandemic will continue to fall over all aspects of society.14 Whilst the primary
effects, such as loneliness, family separation and undisputed health impacts are well documented,
secondary effects are brewing. The fallout of the pandemic will cement division between those who
prospered and those who suffered.15 Social disillusionment will be high, and decreasing trust and
support of government policies will whip up support for political violence.16
Ethical considerations will be a driving factor in all aspects of social life. As Generation Z’s influence
becomes more apparent, their emphasis on ethical and moral business practices, both internal
and external, will lead to ground up changes to organisational operations. Organisations will face
difficulties incorporating differing expectations across generations.17 To ensure this new approach
translates across relationships between technology and people, global spending on data protection
and compliance technology is expected to reach $15bn by 2024.18
TECHNOLOGICAL
Nations will explore deeper into cyber space, competing for technological and scientific supremacy
as it becomes a key metric for international power.19 A quantum computer able to break a 2048-bit
RSA public-key cryptosystem could come as early as 2024.20 In response, the strategic advantage
for the nation that first harnesses quantum computing will be extraordinary.21 However, as instances of
deliberate, state-backed cyber attacks increase, the potential for a physical response will rise.
Beyond Earth, a technological arms race is brewing as the space race shifts from being a matter
of national pride to a way to exhibit genuine strategic advantage. For example, private space
endeavours will be key to NASA’s plan to return humans to the moon by 2024.22 As all nations race
to establish themselves off-planet, the emergence of low orbital debris will begin to impact further
advancements as humans risk trashing a new arena for exploration and exploitation.23,24
LEGAL
The constant rate of change in technology continues to create a game of cat and mouse between
innovation and legislation. By 2024, however, technological advancements will have expanded
this disparity even more.25 Governments will extend the scope of legal obligations and constraints
affecting how organisations use and process data to protect individual human rights.26 Having
realised the pervasive power of data, there will be a concerted effort for legislative reform that goes
beyond data privacy. These efforts will reassess the use of artificial intelligence (AI) techniques and
Internet of Things (IoT) devices to reduce the exponential growth of cyber attacks.27
Laws and regulations will become a tool of political negotiation and power struggles.28 Officials will
seek to build upon existing data-sharing pacts, and to repair broken legal mechanisms to enable
cross-border data transfers,29 advancing existing relations and excluding political challengers.30
Collaboration too will emerge in the wake of ransomware sanctions, as allies enforce legal sanctions
on nefarious actors – indirectly taking aim at these actors’ state-sponsors.31
ENVIRONMENTAL
The pandemic will be eclipsed by environmental challenges. By 2024 the world is expected to have
breached the 1.5°C limit set out in the 2015 Paris Agreement,32 causing widespread disruption and an
alarming loss of biodiversity.33 Yet, inciting widespread frustration, reform to tackle environmental
change will remain a political talking point rather than concrete action.
1 Well-intentioned regulations have unintended consequences
Efforts by governments, regulators and other official bodies to mitigate pressing cyber threats, and assert
control over the ways in which some emerging technological and financial innovations are used, will give
rise to many new policies and regulations. As these legislative changes take hold, it will become apparent
that they are not removing dangers but are forcing evolutions that risk redirecting the threats as well as
burdening organisations with a raft of hard-to-meet demands that still leave them open to attack, disruption
and harm.
Victim organisations will become constrained by nation states imposing sanctions that inhibit the payment
of ransoms to certain actors. As insurance providers discontinue or limit ransom payment coverage,
the financial and reputational brunt of these attacks will be amplified, with weak operational resiliency
increasing the time and cost to recover from such attacks. Additionally, legal obligations to immediately
disclose attacks (and near misses) will compel organisations to go public very quickly, hindering response
efforts and risking significant reputational damage. Attacks will become increasingly difficult to bounce back
from as customers become impatient with organisations that suffer either disruption or loss – especially
when their rights and freedoms are directly impinged.
How will you placate the CEOs whose data has been stolen? How will you rebuild confidence in
your brand?
[Figure: timeline of ransomware evolution]
1989: The first notable ransomware campaign
2011: One of a wave of screen locking ransomware
2013: The first modern-day industrialised ransomware campaign
2017: The first nation state sponsored ransomware
2020: Double extortion: exfiltrate and encrypt
THE FUTURE: Triple extortion: exfiltrate, encrypt and threaten subjects
As organisations and technologies become more adept at detecting tell-tale signs of conventional
ransomware techniques, such actors are adjusting their tactics to stay under the radar for longer and protect
their revenues. Attack methods are shifting from easier-to-detect, widely dispersed techniques to a more
crafted, hands-on approach. Targets are selected based on factors such as strength of defence, levels of
insurance cover and likely appetite for paying as well as their profile and prominence, with both large and
small/medium organisations under scrutiny. The more researched approach requires up-front effort (and
in some cases the initial heavy lifting is outsourced or bought as-a-service through intermediaries such as
Initial Access Brokers),40 but the potential prize for threat actors is larger returns from a smaller number of
targeted organisations.
Whilst double extortion attacks generally conclude with widespread data encryption after data has been
stolen, evolving triple extortion techniques see ransomware gangs encrypt the victim’s data selectively,
sporadically, or in some cases not at all. This leaves a smaller footprint that potentially allows longer
dwell time within a penetrated organisation. One growing trend is the rise in theft and extortion without
encryption, which has doubled from affecting 3% of victims in 2020 to 7% in 2021.41 With early signs of
triple‑extortion emerging, it is clear the brazenness of ransomware gangs has no limits.
As ransomware actors continue to be paid by their poorly protected victims, governments are considering
policy and legislative changes to cut off the flow of revenue to such groups. These measures could limit the
options for victim organisations to recover and resume business operations. This attempt to break the cycle
could be accompanied by mandatory reporting of successful and failed attacks. The US, UK and Australia
are three regions where regulators are introducing such requirements with others likely to follow, meaning
that organisations will need to rethink their approach to stakeholder communications within their incident
response plans. However, with ransom payments cut off, the stolen data itself becomes the monetisation
opportunity of future attacks.42
The proliferation of ransomware attacks has caused a spike in claims that has forced insurers to reassess
how they underwrite the risk to limit their exposure. Policies are increasing in cost and reducing in coverage,
not only placing products out of reach of some organisations but also potentially reducing the ability for
others to pay the ransom in the first place.
Positively, there has been recent success with cross-border law enforcement collaboration in historically
‘safe haven’ regions. Most recently, the US and Russia collaborated to dismantle the remnants of the
Russia‑based ‘REvil’ group in January 2022.44 It is too early to say whether this type of collaboration will be
enduring or not. However, it does send a message to these actors that perceived safe havens may in fact be a
façade, increasing the possibility of operations becoming more clandestine in future.
Opportunistic ransomware may be taking a back seat but this does not signify the end of the threat. As
long as there is money to be made, ransomware actors will continue to innovate to maintain those revenue
streams. Organisations will need to adapt quickly to stay on top of the changing dynamics of the ransomware
threat. Boards will need to continue to recognise the clear and constant danger their organisations face from
this evolving threat. If this does not happen, the consequences could be dire.
Organisations that do not regularly evaluate their ability
to detect and respond to extortion attacks such as
ransomware should now consider a strategic approach
to managing such an enduring threat to their business.
A re-evaluation of what business-critical data assets
exist in the organisation and where they reside will
further support this objective.
Actions for now
– Ensure the subject of extortion and ransomware threat has been socialised with the board.
– Understand your level of cyber hygiene versus the threat, and understand and risk-assess any gaps.
– Review existing organisational cyber incident and crisis response protocols, and complete simulation exercises to test efficacy.
– Identify data sources most likely to be hit by targeted extortion attacks (e.g. mission critical data assets, intellectual property).
Longer-term actions
– Prepare, implement and actively maintain an organisational playbook for responding to extortion attacks.
– Review the resilience of the organisation’s supply chain in the context of an organisation’s inherent ransomware risk.
Key information attribute affected
Confidentiality
Integrity
Availability
Source of threat
Adversarial: Nation states, organised criminal group, hacking groups
Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety
Security Architecture: Navigating complexity
Cyber Insurance: Is it worth the risk? (Briefing Paper)
Business transformation will be slowed as organisations seek ‘pure’ data sources and struggle to develop
algorithms that stay within the parameters demanded by an expanded list of regulators. Efforts by
organisations to maintain a single view of their security arrangements will fail as algorithms and the
data that feeds them need to be kept separate and monitored for biases in both sources and outcomes.
Organisations will be forced to account for and justify the actions and decisions of automated systems over
which they have limited control.
Can you demonstrate that your algorithm-based services comply with regulations in every
region in which the business operates?
[Figure: AI-based algorithm development lifecycle]
FIGURE 2: Potential restrictions surrounding the use of algorithms developed via machine learning
The power of these algorithms to adversely affect society or erect monopolies has led governments and
regulators to seek ways to limit any negative impact. This action tries to ensure the sources of data used by
algorithms and the outcomes they produce are unbiased.
Satisfying regulators can involve retraining algorithms,46 legal action, significant fines47 or implementing
changes to ensure they meet desired outcomes.48 In some cases, organisations have been unable to
redevelop the algorithm to meet demands, forcing the system to be scrapped49 or withdrawn from particular
regions because local requirements are too hard to meet.50
In some instances, the regulations will tighten existing rules governing the collection and use of data –
such as the EU’s GDPR. Other jurisdictions are making more stringent demands: for example, Chinese draft
regulations require prior government approval to use algorithms, and mandate that machine learning
systems have a positive influence on Chinese society. The criteria used to judge influence remain opaque
and are likely to contrast with EU or US efforts to oversee the outcomes of algorithms. Similar questions
remain about how to define the fairness that Western regulators expect algorithms to produce.52
Early studies suggest that it can be difficult to ensure algorithms do not drift from a strong starting point to
become unfair over time. Bias can emerge when algorithms work in concert to tackle complicated problems.
An emergent issue is ‘proxy discrimination’ which arises when algorithms use categories that turn out to
define groups despite those labels initially appearing to be neutral.54
The complexity inherent in the creation of machine learning systems brings other risks. One study suggests
algorithms typically involve more than 900,000 lines of code and call on 137 external dependencies.55 Add to
this the oversight demands of regulators and there is a significant risk that these core business systems and
the data they use will go astray.
AI-powered algorithms, and by implication the intellectual property at the heart of many businesses, are
coming under greater scrutiny than ever. Organisations will be forced to expose and justify their algorithms,
demonstrate trustworthiness and ensure outcomes do not unfairly disadvantage any group. If this ongoing
and difficult task is neglected it will leave organisations open to fines, reputational damage or regulatory
demands to slow the engines that keep an enterprise operating.
functions within an organisation. Information security
practitioners should actively participate in this work
and act as advisor and guide.
Actions for now
– Discover which algorithms are in use across the organisation and the manner in which they were developed.
– Find ways to assure the integrity of the data sources that algorithms use.
– Review regulatory landscape to determine which laws and regulations apply to algorithms.
– Review internal governance structures and policies to understand if they cover algorithms.
Longer-term actions
– Understand the organisation’s strategy for the use of algorithms.
– Develop a plan to improve governance of algorithms (e.g. via policies).
– Create a process to measure outcomes and expose potential bias on an ongoing basis.
– Engage with regulators to find out how rules are changing.
Key information attribute affected
Confidentiality
Integrity
Availability
Source of threat
Accidental: Supplier/vendor/partner, customer
Regulator
Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety
ISF resources
Demystifying Artificial Intelligence in information security (Briefing Paper)
Human-Centred Security: Addressing psychological vulnerabilities (Briefing Paper)
Organisations will find themselves caught in a tight technological race between central banks starting to
distribute digital cash, established de-fi systems (e.g. Bitcoin and Ethereum) and even newer networks set up
by tech giants, game firms and social networks. Attack surfaces will multiply as connections are established
to handle potentially thousands of crypto coins, each with their own quirks.
[Figure: cryptocurrency statistics]
– ≈ 13,000 cryptocurrencies in operation, with more created every day
– ≈ 70% of the total cryptocurrency market value held by 5 cryptocurrencies
– $5.2bn paid out in Bitcoin ransoms (01 Jan 2011–30 June 2021)
– $611m lost by PolyNetwork in largest known cryptocurrency exchange theft (2021)
– Estimated losses, 2014–2020: Coincheck $547m; MT Gox $480m; KuCoin $285m
This chaotic ecosystem will be expanded and complicated by the arrival of CBDCs. As of January 2022, central
banks in nine nations have launched digital currencies and 14 more are running pilots. Feasibility studies
and consultation exercises are being carried out in 14 other nations, and by regional bodies such as the EU,
who are keen to follow these early adopters. The tests and trials include both retail (consumer) and wholesale
(corporate) CBDCs. The nations involved in these launches, tests and exercises represent about 90% of the
world’s GDP.59
Organisations will be caught in the middle of changes imposed by regulated financial institutions setting up
CBDCs, as well as by growing interaction and trade with potentially thousands of de-fi ecosystems. Risks will
emerge in the following categories:
Villainy: Cyber thieves will target CBDC exchanges, wallets and ledgers as they already do with other crypto
systems. Attacks include exploiting weaknesses in code, abusing loose specifications in smart contracts or
tricking people into handing over their holdings. Money launderers will seek to wash dirty cash by converting
it into a CBDC after it has been swapped several times via de-fi exchanges or ‘tumbler’ services. Insiders with
admin rights over CBDC ledgers or who oversee pools of official digital cash could be tempted to steal the
virtual money.60
Variety: CBDCs will be far more diverse than existing currencies. This will create a significant oversight
requirement for organisations holding any of these coins or tokens – different national banks will require
their individual CBDCs to respond to policy and other changes they enact.61 A distributed ledger will support
many CBDCs, bringing with it the usual issues involved with maintaining a large computer system that stores
and processes high value data.62
Velocity: CBDCs could remove many of the inefficiencies inherent in existing cross-border financial
transfers and accelerate activity in the banking sector.63 This increase in speed makes CBDCs susceptible
to denial of service attacks that could scuttle the reconciliation demands that are fundamental to
cryptocurrencies. The resulting delays could allow scammers to double spend or otherwise profit. One
attack on de-fi platform bZx, which exploited the speed of settlement, saw an attacker profit by $630,000
from just 60 seconds of work.64
Vulnerability: Cryptocurrency systems are relatively new and have been shown to suffer bugs and other
loopholes. Sometimes these lead to large-scale theft from exchanges or wallets while other vulnerabilities,
such as spelling errors on smart contracts, allow criminals to make off with significant sums.65 CBDCs, which
are even newer innovations, will be hit by similar issues.
Verification: The regulatory demands of CBDCs will be formidable. These financial instruments will prompt
a realignment of laws and regulations relating to the holding of financial reserves and money management,
as well as more specific statutes on fraud, money laundering and terrorist financing.66 Privacy and other
know-your-customer controls could also be overhauled as central banks are unlikely to adopt entirely
anonymous systems.67
The arrival of CBDCs will signal a massive shift as banks and regulators seek to regain some control of
the financial ecosystem they have ceded to de-fi networks and others involved in the crypto revolution.
Information security practitioners will be forced to take action on several fronts to enable their organisations
to work securely with central crypto networks, meet the associated regulatory demands, and manage the
inherent volatility of fast-moving de-fi instruments and products.
The gradual adoption of digital cash will test the
security arrangements of many organisations as they
accommodate the different schemes and cash types.
Implementing controls around the processing of
payments is a first step in avoiding costly mistakes.
Actions for now
– Identify or recruit subject matter experts in cryptocurrencies and assess the organisation’s readiness for securely adopting cryptocurrencies and CBDCs.
– Reach out to central bank experts for guidance on the status of local CBDCs.
– Audit existing financial systems to expose weak points and gauge operational readiness for cryptocurrency commerce.
– Make sure security operations are familiar with proposed changes.
Longer-term actions
– Advise on the creation of a testbed for cryptocurrency transactions.
– Talk to regulators about the effect of increased crypto trading on existing anti-money laundering and know-your-customer regulations.
– Harden payment platforms against denial of service and subversion attacks.
– Draw up and rehearse incident response plans to handle cryptocurrency
Key information attribute affected
Confidentiality
Integrity
Availability
Source of threat
Adversarial: Nation states, organised criminal group, hacking groups
Accidental: Privileged employee, customer
Regulator
Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety
ISF resources
Blockchain and Security: Safety in numbers (Briefing Paper)
Threat Intelligence: React and prepare
2 Technology choices diminish control
The technologies that organisations have adopted to accelerate their digital transformation, manage the
move to hybrid working and engage with customers will slowly transpire to be a dead end. Enterprises will
be forced to protect seemingly smart technology choices with a variety of defences and work-arounds just to
avoid a series of unforeseen attacks and threats – some of which will strike from unexpected directions.
The business impact of disruption to cloud services will be exaggerated in severity and protracted in
longevity due to interdependencies with business outcomes. Mitigation via contingency or reversal will
become near impossible if legacy environments are hastily decommissioned and data processing sites
closed during initial migration to the cloud. With limited options available to prevent disruption, the board
will start to question the cost and operational efficiency promises driving their cloud-centric strategies. This
will cause rifts in the relationship between the board and CTO or CIO about who should bear the burden of
accountability for the disruption to the business.
How could this have been prevented and how will you restore customer confidence in
the brand?
[Figure: notable cloud and internet service outages, December 2020 to December 2021]
– Google Cloud (December 2020): Misconfiguration. All Google services offline including Gmail, YouTube and Workspace.
– OVH (March 2021): Data centre fire. Multiple businesses offline.
– Fastly (June 2021): Software bug. Multiple websites offline.
– Akamai (July 2021): DNS failure. >30,000 websites offline.
– Meta (October 2021): Misconfiguration. All Meta services offline including Facebook, WhatsApp and Instagram.
– AWS (December 2021): Network failure. Multiple websites offline.
Cloud computing is promoted as a way to fulfil dynamic business needs by reducing capital technology
overheads while driving flexible, scalable and adaptable technology solutions. However, the negligible
portability of infrastructure, applications and data within a single cloud environment can create the
potential to lock in the organisation and impede its attempts to find alternative providers.
Reliance on external cloud service providers is being compounded by continued consolidation of core
internet services69 creating single points of failure and instilling fragility beyond an organisation’s control
and influence.70 For example, an assessment of the top 10 million websites globally found that 42% leverage
DNS from just five cloud service providers.71 Similarly, 23% of the top 10 million websites are hosted by just
five cloud hosting providers.72
As reliance on cloud providers intensifies, so do the opportunities for disruption when use of those cloud
services is poorly understood. There were several high-profile instances of disruption over a 22 month
period between March 2020 and December 2021.74,75,76,77,78,79,80,81 Commercial cloud providers and operators
accounted for almost 75% of all outages in 2020.82 This is a significant increase on the five-year average
of 53%.83 Now, 56% of all organisations using third-party data centre services have experienced moderate
or serious outages during the last three years caused by the provider.84 While the high number of outages
in 2020 can in part be attributed to the unusual circumstances of the global pandemic, it is a trend that is
expected to continue.
The root causes of outages in the cloud do not fundamentally differ from those experienced in traditional
on‑premise environments. The key differentiator is the organisation’s level of control over those potential
failure modes when using cloud providers.
Managing cloud environments is becoming ever more complex in terms of ownership, knowledge and
operation, exacerbated by an ongoing skills gap. This not only presents obstacles to adoption but also creates
weaknesses if an organisation’s rate of adoption exceeds the expertise and resource base required to sustain
the management of those environments. 88% of organisations identify an internal lack of cloud-related
experience that requires strategic redress as their reliance on these technologies deepens.85
Organisations that race to the cloud but fail to consider portability, resiliency and contingency measures
may find those benefits evaporate when the risk bubble eventually bursts. An outage event or change in
commercial circumstance may leave them with a crippled and captive environment, spiralling costs and
little ability to break free from their captors and re-assert control.
balanced in cloud strategy before a point of no-return is
reached, and control is lost.
determine current levels of integration and to
highlight any potential lock-in.
– Establish appropriate governance around cloud orchestration to ensure understanding of the footprint, and control of its sprawl, is maintained.
– Seek clarity regarding cloud strategy, ensuring that it unifies business and technology desired outcomes including business resiliency.
Key information attribute affected
Confidentiality
Integrity
Availability
ISF resources
– Cyber Insurance: Is it worth the risk? (Briefing Paper)
Growing social conflict means many organisations are liable to fall victim to this type of attack. However,
those enterprises believed to be explicitly aiding governments, conducting surveillance and repression, or
withholding strong support from the causes favoured by activists will suffer disproportionately. Attackers
will seek out vulnerable operational systems to inflict significant damage and then publicise the way targets
operate, where they do business and with whom they do it.
– Epik hosting service hacked
– RedHack leak: Turkish military deployment information
– Adalat Ali leak: videos showing abuse in Evin prison
Extreme action, including digital activism or hacktivism, is becoming a common method for furthering
a cause. Groups in Belarus91, Iran and other nations have used hacking techniques typically employed by
criminals to penetrate government agencies, steal information and publicise abuse.92
Leaders of some high-profile groups and their key sympathisers, especially those concerned with climate
change, have called for sabotage against industrial installations and other polluting assets.93 Organisations
moving towards remote management of their industrial sites94 are prime targets of such attacks, with a spike
in attempted attacks already apparent.95
Anticipating these direct attacks is hard if they are mounted by lone wolf attackers or closed cells of activists.
These solo operators are unlikely to feature in the threat intelligence feeds that organisations regularly
consult and exhibit few of the signals that betray the plans of larger groups.96 They are also free of the
inhibitions that prevent larger groups taking extreme action and can contemplate more wide-reaching acts
of sabotage.97
Tension and conflict will be the backdrop to business and domestic life over the next few years. As climate
change inflicts successive disasters and politics fractures, some activists will become desperate and, keen
to make their voice heard, will want to demonstrate that dramatic change can happen. Organisations will
face attacks both internally and externally, and they will be forced to improve defences around physical
infrastructure and important internal resources to guard against the actions of groups or individuals that
can strike at a wide variety of targets.
likelihood of its operations being targeted. Ethical and
geopolitical motivations should be considered when
drawing up a list of potential adversaries.
– Engage with threat intelligence teams to verify whether early warning indicators of a potential attack are being observed.
– Conduct purple team exercises on remote installations to determine whether they can withstand attacks.
– Assess resilience of remote equipment to direct attack in consultation with physical security managers.
Key information attribute affected
Confidentiality
Integrity
Availability
ISF resources
– Threat Intelligence: React and prepare
Compliance problems will start to surface as it is discovered that developed applications call on reference
data and resources, such as shared drives or spreadsheets, that organisations can neither control nor assure.
Growing use of no-code and low-code tools will encourage attackers to probe ‘cookie cutter’ coding systems
looking for exploitable vulnerabilities and, once discovered, mount large-scale campaigns against all users
of those tools to penetrate organisations, steal information and disrupt operations.
Can you keep track of the shadow apps appearing in your organisation?
1. Intern uses DIY coding app to create their own software that helps plot the fastest stock picking route around the warehouse.
SECURITY ISSUES: App maker is unknown and could be insecure
2. Recognising the increased efficiency, the organisation copies the app and rolls it out to all workers in the warehouse.
SECURITY ISSUES: App is developed outside the IT department without a secure development process
3. Soon after, customers start complaining about not receiving their orders.
SECURITY ISSUE: Early mistakes in the app’s development allow it to access data and permissions without control
4. An investigation reveals the app has a backdoor that attackers are using to re-route and steal thousands of orders.
BUSINESS ISSUES: Loss of revenue after refunding stolen orders; loss of customers due to unreliability
All major cloud platforms (e.g. Amazon, Google, and Microsoft) as well as more dedicated business software
firms (e.g. Salesforce, Oracle and SAP) already have a suite of low-code tools available for customers and are
working on ways to make them more intuitive. Start-ups have found success with kits and drag-and-drop
interfaces, which let people build apps by linking discrete functions built from ready-made blocks.102 This can
introduce risks by hiding the intricacies of code and concealing potential security flaws. It also standardises
program development so an attack that is successful against one target could be generalised to work against
many others.
AI-based tools for code creation can automate the tedious elements of programming work and therefore
will become part of professional developer workflows. These systems can be relied on to import, and reliably
execute, obscure functions that developers rarely use. Coding tools that depend on machine learning
software, such as GitHub’s Copilot and OpenAI’s Codex engine, will also acquire the ability to solve more
difficult programming problems as the neural network underpinning them grows in size and depth.103
This reliance on ‘black box’ autocompleting tools could undermine secure development efforts. Greater
automation could bypass important checks, use unmonitored libraries and external connections, and even
introduce errors made by human programmers, who created the code used to train the AI-based systems.104
There has already been an example of organisations being caught out by the adoption of these easy-to-use
coding systems. In August 2021, Microsoft revealed that more than 38 million records were exposed by flaws
in the portals used to access its low-code PowerApps platform.105
Allowing experienced developers to translate business knowledge into reusable code, and leverage
automation and fabrication tools to meet unforgiving deadlines, undoubtedly has its advantages. However,
there are downsides to consider too; the creation of loopholes, vulnerabilities and disclosure challenges
could lead to significant harm but give organisations few ways to spot the damage before it is done.
employees will not be aware that they are using
them or fail to declare their existence. Training,
awareness and monitoring can help keep track of
applications as they are deployed.
Actions for now
– Define then assess the organisation’s use of no-code, low-code tools and discover which applications have been created with them.
– Investigate data use by applications to see if business data and information is being accessed by these tools or resulting programmes.
– Perform high-level risk assessment of no-code, low-code tools and provide DevSecOps teams (or equivalent) with quick guidance on that basis.
Key information attribute affected
Confidentiality
Integrity
Availability
Source of threat
ISF resources
– Human-Centred Security: Positively influencing security behaviour (Briefing Paper)
– Application Security: Bringing order to chaos
– Securing containers: Keeping pace with change (Briefing Paper)
This threat will exploit the growing significance of integrity in a society that is dependent upon trusted
sources of data. As data is consumed at higher speed and volume, it will become increasingly challenging
for organisations to manually assure each source. Attackers will leverage subtle tactics that make early
detection difficult, resulting in organisations struggling to adapt security and data governance postures.
Business processes and outcomes will be compromised with serious consequences, particularly if data
processing is centred around machine learning and AI technologies that depend on high-integrity data.
Those bound by strict regulatory requirements to protect the integrity of their data, such as those in
the finance and life science industries, will find themselves particularly exposed to regulatory scrutiny
in addition to direct financial impact. Consumer confidence and organisational reputation will also be
damaged and difficult to salvage from an increasingly well-regulated and data-savvy society.
How can you tell if data integrity is compromised and what the true impact is? What would
you do next?
Organisations overwhelmed by the amount of data they now accrue have taken advantage of low-cost
storage options to help process and store their data, with 49% of data expected to be housed in public cloud
environments by 2025.111 This accumulation and sprawl of information across a hybrid technical architecture
further increases the challenges associated with its governance and control. Business efforts to protect the
confidentiality and availability of data have matured but there remain some contradictory views amongst
executive leadership. Only a third of executives have a high level of trust in how data is being used in their
organisations, yet over 90% are concerned about the negative impact of data to their reputation.112
Adversaries who would wish to stage attacks on data integrity have similar hallmarks to those leveraging
ransomware. These attacks will be conducted by similar groups looking to diversify their tactics
and techniques, although other groups may also have an interest in such an approach for slightly
different motives.
Data poisoning is an effective attack against machine learning and threatens model integrity by introducing
misleading data into the training dataset.113 There are documented case studies of machine learning systems
being warped this way, either at the training stage or once in place, to generate skewed, biased or prejudiced
behaviours. Examples include the notorious Microsoft ‘Tay’ incident in 2016.114 In January 2021,
researchers were able to demonstrate that deep learning modules in mobile apps are vulnerable to ‘neural
payload injection’ attacks.115
Legislative changes, law enforcement activities and enhanced detection capabilities are disrupting
traditional cyber-crime revenues that focus on confidentiality and availability, forcing attackers to draw new
battlelines around integrity. As the need for robust integrity becomes a critical dependency for leveraging
data at scale, organisations will need to adapt their information assurance practices to ensure that all
three aspects of the information risk management triad are given equal attention. Boards must continue
to be educated and supported in their understanding of all three and share the collective burden and
responsibility for managing the risk.
that the quality of data is always fully understood, and
the business takes accountability for inherent risks
associated with poor data quality.
– Enumerate mission-critical information assets; where are they, who has access, how are they protected?
– Review external sources of data to determine their inherent levels of quality assurance.
– Review existing controls that assure integrity, particularly around mission-critical data sets.
Key information attribute affected
Confidentiality
Integrity
Availability
Longer-term actions
– Prepare, implement and actively maintain an organisational playbook for responding to detected instances of data poisoning.
– Expand offensive security testing to cover machine learning platforms; this should cover infrastructure, applications and the data inputs and outputs themselves.
– Implement pan-organisational platforms with built-in capabilities for data governance and data stewardship, as they include measures for troubleshooting and monitoring all aspects of data management including data integrity.
Source of threat
Adversarial: Nation states, organised criminal group, hacking groups, individual hacker, terrorists, activists
Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety
ISF resources
– Demystifying Artificial Intelligence in information security (Briefing Paper)
How will you justify the response, your trust in the data and the resulting business consequences?
FIGURE 8: How a subversion attack could cause a cyber fusion centre to inadvertently disrupt an organisation
Over the years SOCs have matured their people, processes and technology to become adept at identifying
signals that could indicate an attack upon the confidentiality or availability of their organisation’s interests.
However, many SOCs are ill-equipped for an era in which the signals they monitor and trust become the very
weapon employed against them.
Misinformation and misdirection events have increased in notoriety in recent years as the information
economy has captivated society. Recent notable examples of deliberately spreading misinformation for
nefarious purposes include the nation state interference during the US Presidential ‘Pandemic Election’117
and disinformation campaigns regarding COVID-19 vaccinations in the US.118 As digital transformation
further connects and automates, misinformation techniques will be attempted on digital platforms to
achieve similar outcomes. Such approaches are likely to be based upon techniques such as the False
Data Injection attack methodology first observed to be used against sensors within cyber-physical
environments,119 120 or attacks on more modern machine learning based malware detection platforms
through model poisoning.121
This converged approach to security operations and the increased reliance on automated responses requires
data inputs that are reliable and trustworthy. It also demands that cyber fusion centres are empowered
to act decisively and swiftly. As the volume of data inputs scales up, the opportunity for human validation
diminishes and integrity must be assumed. Malicious actors can take advantage and negatively influence
the integrity of those data streams by falsification or manipulation. This confuses detection and real-time
response capabilities by giving the impression that an attack is being prepared or in progress. Security
testers have been known to utilise similar poisoning tactics as a method of misdirecting security incident
and event monitoring platforms during blue team exercises.122
A highly digital organisation could be destabilised by a cyber fusion centre chasing ghosts around its
network. Paranoia caused by false indicators of compromise could see whole areas of an organisation placed
into containment for fear of an imminent attack, particularly if the targeted organisation is an operator of
critical services. A threat actor seeking to deflect attention away from their real target could also mount an
illusionary attack as an effective decoy.
Such attacks could prompt business leaders to reduce the operating autonomy of the cyber fusion centre.
Security leaders may have to apply additional checks and balances to weed out false or inaccurate signals,
while bridges between business, technology and security teams will need to be rebuilt. This adds complexity,
demanding an injection of resource and budget that can diminish the fusion centre’s return on investment.
intelligence inputs. There should be regular scrutiny of
the levels to which their automation systems can freely
operate across the business versus their potential to
cause operational disruption.
Actions for now
– Understand all intelligence inputs, particularly OSINT feeds, and identify methods of assuring them.
– Baseline the accuracy of existing automated security operations tooling and agree how to maintain it.
– Ensure override procedures are in place in the event of automation system malfunction or loss of integrity in any individual data feed.
Key information attribute affected
Confidentiality
Integrity
Availability
ISF resources
– Threat Intelligence: React and prepare
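One way to put the feed-assurance, accuracy-baseline and override actions above into practice, as an added example (not ISF code): a gate that lets automated containment run only when independent origins corroborate an indicator and the blast radius is small. Feed names, precision figures, thresholds and host names are constructed assumptions.

```python
"""Corroboration gate for automated containment (illustrative sketch)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Feed:
    origin: str       # upstream source; feeds that republish each other share one
    precision: float  # baselined share of past alerts that were true positives


@dataclass
class ResponseGate:
    feeds: dict                    # feed name -> Feed
    min_origins: int = 2           # independent origins that must agree
    min_confidence: float = 0.90   # combined confidence needed to act unattended
    max_auto_assets: int = 5       # blast-radius cap for unattended containment
    quarantined: set = field(default_factory=set)

    def quarantine_feed(self, name):
        """Manual override: stop counting a feed whose integrity is in doubt."""
        self.quarantined.add(name)

    def confidence(self, indicator, observations):
        """Return (independent origins, combined confidence) for an indicator.

        observations is an iterable of (feed name, indicator) pairs. Feeds that
        share an origin count once, at the best precision among them, so one
        poisoned upstream echoed by several aggregators is still one witness.
        """
        best = {}
        for name, seen in observations:
            feed = self.feeds.get(name)
            if seen != indicator or feed is None or name in self.quarantined:
                continue
            best[feed.origin] = max(best.get(feed.origin, 0.0), feed.precision)
        miss = 1.0
        for precision in best.values():
            miss *= 1.0 - precision   # chance every origin is wrong at once
        return len(best), 1.0 - miss

    def decide(self, indicator, observations, affected, critical=()):
        """Return 'ignore', 'monitor', 'escalate' (human decides) or 'contain'."""
        origins, conf = self.confidence(indicator, observations)
        if origins == 0:
            return "ignore"
        if origins < self.min_origins or conf < self.min_confidence:
            return "monitor"
        if len(affected) > self.max_auto_assets or set(affected) & set(critical):
            return "escalate"
        return "contain"


# Constructed sample data: feed names, precision figures and hosts are invented.
FEEDS = {
    "osint_list_a": Feed("public-blocklist", 0.60),
    "osint_list_b": Feed("public-blocklist", 0.55),  # republishes list A's source
    "edr": Feed("endpoint-telemetry", 0.95),
    "netflow": Feed("network-telemetry", 0.80),
}
IOC = "203.0.113.7"  # documentation address range, not a real indicator


def demo():
    gate = ResponseGate(FEEDS)
    osint_only = [("osint_list_a", IOC), ("osint_list_b", IOC)]
    internal = [("edr", IOC), ("netflow", IOC)]
    plant = [f"plc-{i}" for i in range(40)]
    results = {
        "echoed_osint": gate.decide(IOC, osint_only, plant),
        "corroborated_small": gate.decide(IOC, internal, ["ws-1", "ws-2"]),
        "corroborated_wide": gate.decide(IOC, internal, plant),
        "touches_critical": gate.decide(IOC, internal, ["ws-1", "hmi-1"],
                                        critical={"hmi-1"}),
    }
    gate.quarantine_feed("edr")  # override after doubts about one feed
    results["after_override"] = gate.decide(IOC, internal, ["ws-1", "ws-2"])
    return results


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario}: {action}")
```

The combined confidence treats origins as independent witnesses, which is why feeds are grouped by origin first; precision values only mean something if they are re-baselined regularly.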
Manufacturers, operators of critical infrastructure, heavy engineering firms, and transport and logistics
providers that use edge and 5G technologies to transport data will be on the front line of attacks. As well as
seeking to disrupt production, attackers will also extort cash from victims by claiming to have infiltrated
control systems, forcing organisations to react, even if the threats are hollow.
Production system and digital double:
– Attackers gain control of digital twin
– Attackers poison external data feed to force changes in production
– Attackers compromise IoT sensors to halt production
– Data flows between factory and digital twin are corrupted
FIGURE 9: Threats emerging from connections between digital twins, manufacturing and their real-world counterparts
Many different technologies, including 5G, edge computing and IoT, as well as growing familiarity with data
analytics techniques, have driven interest in digital twins. By combining IoT, IIoT, big data analytics,
cyber-physical systems and cloud computing, digital twins can create a connected, coherent entity that allows
real-time data to create and maintain a sophisticated virtual model of a physical system.126 Gartner estimates
that one million digital twin instances will be deployed by large enterprises by 2025.127 IoT deployments will
similarly see a massive rise, with the number of devices in use expected to reach almost 17 billion by 2025.128
Trends in automated manufacturing, creating ‘lights out’ production lines devoid of humans, have also
driven adoption as these robot-only installations demand that information be gathered and analysed
constantly to sustain productivity. The steady mothballing of legacy technologies, such as 3G phone
networks,129 is also forcing organisations to move to use newer technologies. Attackers are actively targeting
interconnected industrial, manufacturing and infrastructure installations,130 triggering warnings that
by 2025, attackers will be extorting organisations by threatening to disrupt operational technologies and
cause loss of life.131 Some ransomware groups, such as the operators of the Ryuk malware, are now actively
targeting industrial firms and their OT installations.132
As the management of factories and critical infrastructure matures, digital twins will become a key part of
ensuring these installations run efficiently and securely. The increased insight into production comes at a
cost, opening up attack surfaces that are a tempting target, ripe for disruption and extortion by specialist
groups of attackers. Organisational change will be pivotal to ensure the advantages offered by digital twins
do not come at too high a price.
security practitioners with a significant monitoring and
management task. Familiarity with these innovations
and their connections to the wider enterprise will help
lighten this load.
Actions for now
– Draw up and maintain an asset register of ICS, OT and IoT systems.
– Build relationships with suppliers of digital twins to assess their security stance.
– Look for vulnerabilities in the software linkages between digital twins and real-world counterparts.
– Segment networks to keep operational systems separate and implement verification and validation processes.
Key information attribute affected
Confidentiality
Integrity
Availability
Longer-term actions
– Improve relationships between OT and IT teams to build trust in digital twins and to help resolve security issues.
– Track operational and information risks against industrial control systems.
– Set up and run rapid response system overseeing interaction between digital twins and their counterparts.
Source of threat
Adversarial: Nation states, organised criminal group, hacking groups, individual hacker, competitors
Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety
ISF resources
– Industrial Control Systems: Securing the systems that control physical environments
– Threat Intelligence: React and prepare
Conclusion
With digital economies evolving faster than previously envisaged, the nine threats described in Threat
Horizon 2024 forecast a tough predicament: if trust is now a façade and control an enigma, how do
organisations stay resilient, competitive and confident in business outcomes?
Legislative efforts to keep up with the changing landscape will stifle innovation, or simply redirect
existing threats, rather than providing much-needed clarity. Advancements in architectural and software
development technologies will offer enticing short-term benefits but incubate long-term challenges as
organisations cede control and influence through their technology choices. Misguided confidence in data
integrity will provide a new battleground for adversaries who will pollute and subvert data to introduce
geopolitical, social and economic risks never before encountered.
The global pandemic has taught society a critical lesson: no one can ever exert full control over events. This
has manifested in the digital realm, where organisations are finding that they no longer control data, but in
fact the data controls them. A threat landscape will emerge that many organisations will not be equipped to
interpret, let alone manage.
Data has become the new superpower; a force for good but also a force for evil that can be wielded by
conspiracy theorists, criminal gangs, manipulative states and a host of other actors. It will be near impossible
to discern what data to trust.
Misuse of information, malicious sabotage of data and wilful ignorance will provoke a complete
disintegration of trust. Attackers will exploit the resulting disarray, displaying brazen ingenuity to protect
their own interests. Business and security leaders therefore need to support each other now more than ever,
building upon relationships forged in a time of crisis to build resilience. There is a fundamental choice they
need to make collectively: attempt to rebuild trust, or accept that it has disintegrated entirely and
adapt accordingly?
Further reading
Members will gain most value from this report if they question, challenge and revise the proposed
threats in the context of their own organisation using the ISF Threat Radar, which can be found in
Appendix E. A rich set of related reading is included in Appendix G, which supports the threats within
the report. Members are invited to review the references used to create their own view of Threat
Horizon 2024.
Appendix A: Methodology
Threat Horizon is the ISF’s flagship publication and has been released every year for over a decade. The
report predicts the top cyber security threats that will emerge over the next two to three years. The PESTLE
model is used to provide context and background to these threats. Researchers draw upon materials from
a variety of sources. Of particular value is the structured input from Members at ISF Chapter meetings,
ISF Annual World Congress and on ISF Live.
[Figure: inputs to Threat Horizon: Chapter meetings and ISF Annual World Congress; ongoing research and analysis; academics and subject matter experts; blogs and discussions. Framed by the PESTLE categories: Political, Economic, Social, Technological, Legal, Environmental.]
Appendix B: Assessing predictions from 2021
The original Threat Horizon 2021 predictions are summarised below and on the following pages,
together with:
– a scale indicating the accuracy of the predictions
– a rating showing the degree to which the threat merits continued consideration moving forward
– supporting evidence.
These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.
1.1 5G technologies broaden attack surfaces
Prediction: 5G networks and technologies will provide a game-changing platform for businesses and consumers alike, but also broaden attack surfaces. Millions of previously unconnected devices will be added to the mix, with telecommunications masts that have varying levels of security. Attackers will exploit a range of new attack vectors.
Accuracy level:
Supporting evidence:
The impact of this threat has been dulled as the rollout of 5G technology in 2021 has been slowed by two factors – politics and the pandemic. US concerns about Chinese State-influence on mobile network equipment made by Huawei led to much of its installed infrastructure being removed and replaced in many nations.134 Lengthened deployment timetables have had a downstream impact on the number of deployed devices that use 5G networks, especially services that rely on them and attacks which exploit them.135
At the same time, security researchers have looked into 5G vulnerabilities and uncovered issues with its virtualised network feature.136 Other issues have been found with its susceptibility to the insertion of fake base stations, the lack of co-operation on standards and policies137 and its reliance on older 4G networks.138 Theoretical problems have also been found in 5G protocols and warnings have been issued about physical security vulnerabilities in the small, local data centres that 5G networks may deploy.139
1.2 Manipulated machine learning sows confusion
Prediction: Organisations will become more reliant upon machine learning, and as humans are taken out of the knowledge loop, it will become a prime target for attackers. Confusion, obfuscation, and deception will be used by attackers to manipulate machine learning systems, either for financial gain or to cause as much disruption as possible.
Accuracy level:
Ongoing threat rating:
Supporting evidence:
The enthusiasm with which organisations have adopted machine learning has not been matched by a similar level of interest by attackers seeking to use the technology to compromise or subvert AI systems. Broad attacks that attempt to skew the ML systems on social networks, video and music platforms are well established.140 However, attacks aimed at ML-based systems run by organisations remain rare.
Even when attacks are recorded, such as the successful penetration of an open-source ML framework called Kubeflow, the motivation is to use the computational power to mine crypto cash rather than poison the database.141
In anticipation of future attacks, cross-industry efforts are now underway to spread information about potential problems.142 In addition, tools such as Microsoft’s ‘Counterfit’ are emerging to help organisations harden their ML resources against subversion and attack.143
The rarity of attacks and upsurge of effort being put into defences and research render it less prominent than initially expected.
1.3 Parasitic malware feasts on critical infrastructure
Prediction: Attackers will turn their attention to the vast interconnectivity and power consumption of Industrial Control Systems (ICS), IoT devices and other critical infrastructure, which offer an enticing environment for parasitic malware to thrive. All organisations will be threatened as this form of malware sucks the life out of systems, degrading performance and potentially shutting down critical services.
Accuracy level:
Supporting evidence:
Critical infrastructure has continued to be a primary target of cyberattacks over the past year, rising by 300% in the US alone.144 However, these have been largely ransomware attacks, focusing on disrupting services and withholding data rather than using the processing power for nefarious activities.
Parasitic malware has been used by attackers to target cloud-based services rather than critical infrastructure. Crypto mining code has been found on tens of millions of Docker images,145 millions of Qnap NAS boxes146 and free cloud computing services.147
The threat of parasitic malware targeting critical infrastructure has not dissipated, with one estimate suggesting it has more than doubled over the past year and is targeting larger organisations. OT vulnerabilities have also been increasing at a rate of 68% year on year.148 A coordinated response will be needed from the public and private sectors due to critical infrastructure spanning the two spheres. Considering this, and the continued presence of parasitic malware and crypto jacking, the threat level remains high.
2.1 State-backed espionage targets next gen tech
Prediction: Organisations developing technologies such as AI, 5G, robotics and quantum computing, will find their intellectual property (IP) systematically targeted by nation state-backed actors.
Accuracy level:
Ongoing threat rating:
Supporting evidence:
The high tempo of state-sponsored attacks against organisations has continued. In 2021 Google sent more than 50,000 warnings to customers about this type of attack – a figure up 33% on 2020.149 High-profile, large-scale attacks, such as the Microsoft Exchange150 and SolarWinds incidents151 were also recorded. The number of organisations compromised in these campaigns suggests that attackers gained access to high-tech secrets even though the initial attack simply sought to breach as many enterprises as possible.
Other targeted attacks have come to light over the last 12 months: the notorious North Korean Lazarus hacking group152 has targeted defence firms across the world, while the US defence industry has been targeted by China through flaws in the Pulse Secure VPN system.153 Japan’s space agency154 and many high-performance computing facilities155 are also known to have been hit by attackers seeking to gain access and steal industrial secrets.
At the same time, the US is moving to impose further restrictions on Chinese technology firms, especially with regard to quantum computing, prompting a diplomatic exchange over who has access to innovation.156 This increased tension could be a catalyst for further attacks and this factor, allied to the high number of successful attacks and the pressure that global supply chain issues are putting on technology-dependent businesses, suggests the level of this threat should remain high.
2.2 Sabotaged cloud services freeze operations
Attackers will aim to sabotage cloud service providers, causing disruption to critical national infrastructure (CNI), crippling supply chains and compromising vast quantities of data. Organisations and supply chains that are reliant on cloud services will become collateral damage when cloud services go down for extended periods of time.
Accuracy level:
Ongoing threat rating:
Demand for cloud services has remained strong as the pandemic lingers and hybrid working patterns become embedded. Innovations such as edge computing, serverless architectures and containerisation have driven specialisation in this sector – adding to its rapid growth.157 These developments have put organisations in thrall to the larger cloud service providers and at risk of becoming collateral damage when attackers take direct aim at the services. This concentration has led regulators, particularly those overseeing finance firms, to look at dependencies and ask organisations to test their resilience to attacks.158
Attacks on cloud services are persistent and growing in volume. Records for the biggest attacks on cloud services were broken twice in the span of a few days in October 2021 when Azure and Russian cloud provider Yandex fended off massive DDoS attempts.159 Attacks and breaches across many other cloud services have occurred regularly over the last 12 months, causing the release of gigabytes of data and affecting thousands of companies.160 Attackers are becoming more savvy and are now starting to target high-availability services, such as VPN providers, in a bid to force quick payment of extortion demands.161
Concerted action by a growing roster of threat actors, including nation states, reinforces the notion that this threat should be kept at its high level.
2.3 Drones become both predator and prey
Drones will become predators controlled by malicious actors to carry out more targeted attacks on business. Conversely, drones used for commercial benefit will be preyed upon, hijacked and spoofed, with organisations facing disruption and loss of sensitive data.
Accuracy level:
Ongoing threat rating:
Nation states, insurgent groups and terrorists are increasingly deploying drones during armed conflicts, underscoring their role in surveillance and enforcing air dominance as a method of disruption. During 2021 destructive drone-borne attacks were recorded in India,162 Iraq,163 Saudi Arabia,164 Iran165 and Turkey.166 In addition, details emerged in 2021 of an incident involving US Navy destroyers engaged in exercises off the California coast which were regularly monitored by ‘swarms’ of drones.167 In all cases, the aircraft remained under human control but there is worrying evidence that, in at least one case in Libya,168 drones were used to autonomously attack people.
By contrast, the use of drones in business appears to have stalled as Amazon and other tech firms delay plans to use autonomous craft for delivery and other purposes. Amazon laid off 100 staff in its Prime Air division169 and the growth of the sector remains sluggish despite some small-scale successes during the pandemic to deliver medical supplies and food to house-bound families.170 Established drone delivery services are growing slowly, typically expanding into specific towns or campuses rather than across entire regions or nations. While there are a few examples of drones being attacked by birds171 and some Starship drones have been vandalised, there is little evidence that these autonomous craft are being preyed upon.172
The diverging use of drones and the diminishing danger they represent to organisations who do not operate in conflict zones has reduced the rating of this threat.
3.1 Digital vigilantes weaponise vulnerability disclosure
Ethical vulnerability disclosure will descend into digital vigilantism. Attackers will weaponise vulnerability disclosure to undercut organisations, destroy corporate reputations or even manipulate stock prices.
Accuracy level:
Ongoing threat rating:
The flood of ransomware seen in 2021 has ridden high on the back of exploitable vulnerabilities, suggesting that finding and fixing these loopholes would be a useful tactic for ethical hackers keen to nudge organisations into improving their security stance. While some disclosures have caused reputational damage to organisations, examples of where this exposure has been ethically weaponised are rare.173
Instead, the main users of these vulnerabilities are organised criminal groups with the financial muscle to buy them when they go on sale.174 A market has also emerged for Initial Access Brokers, who gather information regarding vulnerable targets and sell this to the highest bidder, who then goes on to mount the attack.175 The bought vulnerabilities are often used to steal and leak data but for profit rather than in the service of ethics.
The potential for organisations to be embarrassed by the vulnerabilities they do not fix is undercut by the fact that most often attackers use known vulnerabilities to infiltrate organisations. In addition, almost two-thirds of those vulnerabilities actively being targeted are more than three years old and many already have a patch released to fix them,176 limiting the chance for weaponisation by ethical hackers. According to the Verizon Data Breach Investigation Report only about 5% of breaches involved unpatched vulnerabilities.177 Given this, and against a background of growing official mandates to tackle vulnerabilities, this threat poses much less of a danger.178
3.2 Big tech break up fractures business models
By 2021, at least one of the big tech giants will be broken up, significantly disrupting the availability of the products and services they provide to dependent organisations. From email to search engines, advertising, logistics and delivery, the entire operating environment will change.
Accuracy level:
Ongoing threat rating:
No big tech giant has been broken up by the end of 2021 despite mounting evidence that they are continuing to cause harm to society and business. Facebook has been hit by a series of revelations by whistleblowers who demonstrated how it maximised its survival at the expense of meaningful action to limit the effect its algorithms have on users.179
More broadly, other actions against tech giants include the levying of large fines against Facebook,180,181 WhatsApp,182 Google,183 Apple184 and Amazon185 across many jurisdictions. In the UK, Facebook’s acquisition of gif creator Giphy has been scotched by a market regulator. Other regulatory action is pending. In the US186 and Europe187 work is continuing on more long-lasting legislative efforts to rein in the tech giants.
China has enacted a series of restrictions including massive fines for anti-competitive activity and increasing regulatory scrutiny, so they are aligned with official goals to maintain social cohesion. In one case this regulatory action led to the partial break-up of the Ant group.188
Despite this effort tech firms have prospered during and after the worst of the pandemic.
3.3 Rushed digital transformations destroy trust
Organisations will deploy technologies such as blockchain, AI and robotics, expecting them to seamlessly integrate with ageing systems. They will face significant disruption to services, as well as compromised data when digital transformations go wrong.
Accuracy level:
Ongoing threat rating:
The pandemic has helped organisations cram several years of digital transformation into a few short months. Many aspects of business operations, including working patterns, supply chains and customer interactions, have all been re-engineered to cope with lockdown conditions and the changes that have persisted.189 Spending on these projects will top $1.73tn in 2022, offsetting the slowing investment in technology and change programmes seen during the earlier days of lockdown in 2020.190 Digital transformations centred around other innovations, such as blockchain, AI and robotics, have been paused to ensure the business keeps on running.
The costs of these workplace changes have also become apparent with one estimate suggesting 19% of all projects stumble or fail during execution.191
Threat actors have also adapted their response to the pandemic. Law enforcement agencies report192 that the shift to home working and greater use of digital channels for communication has opened up avenues for attack, widening the pool of victims that can be targeted.193
Appendix C: Assessing predictions from 2022
The original Threat Horizon 2022 predictions are summarised below and on the following pages, together with the level of confidence in the threat materialising and supporting evidence for the confidence rating. These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.
1.1 Augmented attacks distort reality
The development and acceptance of Augmented Reality technologies will usher in new immersive opportunities for businesses and consumers alike. However, organisations leveraging this immature and poorly secured technology will provide attackers with the chance to compromise the privacy and safety of individuals when systems and devices are exploited.
Confidence level:
Augmented Reality (AR) has been widely adopted in many manufacturing and engineering businesses but few attacks against the technology have been recorded. One well-known example saw a plan by the Williams F1 team to use an immersive AR app to introduce its re-designed Formula 1 race car foiled by an attack that sought to subvert the application prior to the launch.194
Whilst industrial businesses have taken to AR, there is little suggestion of non-commercial adoption – many research and development deals to create AR are yet to be successful or viable commercially. This is despite the technology’s potential to introduce new ways of gathering more intimate and useable data about users such as eye movement and response to stimuli.195
Targeting of AR may be limited, but the technology does still pose some risks. The physically compromising nature of AR amplifies the risk of virtual intrusion in which attackers look through headsets to reconnoitre potential targets. In addition, because user attention is divided between two worlds, AR can distract users from real dangers.
Despite expectations that hybrid working patterns will boost AR uptake, the lack of significant attacks conducted via AR suggests confidence in the danger this threat poses has reduced.196
1.2 Behavioural analytics trigger a consumer backlash
Organisations that have invested in a highly connected nexus of sensors, cameras and mobile apps to develop behavioural analytics will find themselves under intensifying scrutiny from consumers and regulators alike as the practice is deemed invasive and unethical. The treasure trove of information harvested and sold will become a key target for attackers aiming to steal consumer secrets, with organisations facing severe financial penalties and reputational damage for failing to secure their information and systems.
Confidence level:
Public awareness of unfettered data collection has grown during the pandemic, but this has not prompted a massive rejection of social media platforms or other organisations known to be stockpiling personal information. The widespread adoption of apps to monitor movements and trace contacts during the pandemic has led to a greater tolerance of confidential data gathering for public welfare.
This is set against growing use of behavioural analytics that can lead to false conclusions about consumers. Reliance on algorithms that use incomplete data sets can bring about unfair discrimination. At least one lawsuit has been filed because of wrongful identification by a facial recognition program.197 There is some evidence that consumers will reject companies if they feel mistreated by algorithms198 but the reaction is short-lived and has not resulted in large-scale protests.
It is likely that governments will increase regulations on large-scale data gathering and start to oversee algorithms.199 The EU, China, California, and South Korea are all seeking to reform the data harvesting practices of tech giants, dismantle intrusive systems such as online ad-tracking and ensure algorithms operate transparently. This evidence suggests the dynamics of this threat have shifted from consumer to official concern leading to a reduction in confidence in it materialising.
1.3 Robo-helpers help themselves to data
Poorly secured robo-helpers will be weaponised by attackers, committing acts of corporate espionage and stealing intellectual property. Attackers will exploit robo-helpers to target the most vulnerable members of society, such as the elderly or sick at home, in care homes or hospitals, resulting in reputational damage for both manufacturers and corporate users.
Confidence level:
The pandemic has accelerated the use of robots in many sectors of industry, particularly healthcare, but there is little evidence that these helpful machines are being compromised by attackers. For instance, Spot the robot dog created by Boston Robotics is being tested in several US states in a variety of roles – notably in law enforcement. The American Civil Liberties Union, however, has highlighted the different dangers this robot posed to civil liberties rather than its potential for attackers to use it to infiltrate organisations.200
Ongoing laboratory research projects are logging the vulnerabilities in the software controlling robots that attackers could exploit for gain.201 Vulnerabilities have been found in both industrial and domestic machines.202 The reluctance of attackers to exploit these avenues leads to a significant reduction in the level of confidence in the danger this threat poses.
2.1 Edge computing pushes security to the brink
In a bid to deal with ever-increasing volumes of data and process information in real time, organisations will adopt edge computing – an architectural approach that reduces latency between devices and increases speed – in addition to, or in place of, cloud services. Edge computing will become a key target for attackers, creating numerous points of failure. Security benefits provided by cloud service providers, such as oversight of particular IT assets, will also be lost.
Confidence level:
The global market for edge computing has grown fast with estimates predicting it will grow at a compound rate of 38.4% over the next three years.203 This suggests organisations are becoming enthusiastic users of this technology as they adopt 5G networks and build exceptionally large cloud networks.204
The steady deployment of edge technologies brings a significant degree of information risk, especially if attackers can gain access to hardware.205 This physical access could allow attackers to insert malicious nodes into an edge network – these camouflaged nodes can act as a trojan, observing and stealing data from within the network.
Attacks on specific edge systems, however, remain theoretical. While attacks on IT systems at the edge of networks have been recorded, these attacks have primarily focused on 5G and IoT devices connected via this perimeter.
2.2 Extreme weather wreaks havoc on infrastructure
Extreme weather events will increase in frequency and severity year-on-year, with organisations suffering damage to their digital and physical estates. Floodplains will expand; coastal areas will be impacted by rising sea levels and storms; extreme heat and droughts will become more damaging; and wildfires will sweep across even greater areas. Critical infrastructure and data centres will be particularly susceptible to extreme weather conditions, with business continuity and disaster recovery plans pushed to breaking point.
Confidence level:
Climate change poses unprecedented challenges to infrastructure worldwide.206 One estimate suggests 10% of total economic value is set to be lost by mid-21st century if climate change stays on trajectory and the Paris Agreement net-zero emissions targets for 2050 are not met.207
Texas is a stark example of the chaos that extreme weather can inflict. It suffered a prolonged and severe power crisis in response to a rare burst of Arctic air that spread across the central US. As temperatures dropped to single digits, the power grid collapsed. The failures in natural gas and electricity systems left four million Texans without power for days. The effect on infrastructure was widespread and its impact on businesses, especially semi-conductor makers, was profound.208
Global supply chains will continue to be impacted by extreme weather. For example, Taiwan, which leads semiconductor production globally, is currently facing its worst drought for 56 years, receiving only one typhoon in 2020 compared to the annual average of between 7–9 every year. Additionally, the previous winter and spring were also deficient in rainfall, leading to a water shortage209 – a crucial part of the chip making process.
A surge in the frequency of extreme weather events that are more intense and more unpredictable than ever before led the World Economic Forum to rate this threat as the top risk by likelihood in 2021.210
2.3 The internet of forgotten things bites back
The risks posed by multiple forgotten or abandoned IoT devices will emerge across all areas of business. Unsecured and unsupported devices will be increasingly vulnerable as manufacturers go out of business, discontinue support or fail to deliver the necessary patches to devices. Opportunistic attackers will discover poorly secured, network-connected devices, exploiting organisations in the process.
Confidence level:
As IoT devices proliferate, many regions and nations are moving to regulate the way these potentially insecure devices are built and sold. The UK, EU and US are all enacting rules that seek to ensure that manufacturers follow basic security steps.211
These regulations come in the wake of a pandemic-induced increase in privacy breaches related to IoT devices. Millions of devices have been exposed by weak security credentials212 and specific vulnerabilities, such as the operating system level Urgent/11 and CDPwn vulnerabilities, have left millions of unpatched and unprotected systems open to attack.213 These vulnerabilities allow attackers to take over network equipment, move laterally across the network, and gain access to mission-critical devices such as infusion pumps and PLCs.214
Strong competition in the IoT space means many manufacturers have gone bust and abandoned gadgets that have already been installed and activated215,216,217 but will no longer be updated by any security fixes.
Chinese hackers are reportedly stealing substantial amounts of data from IoT devices, such as home recordings being sold on illegal dark web platforms. Criminals claim that these recordings were taken from security cameras in hotels, dressing rooms, houses and parks.218
The vast attack surface revealed by these trends suggests this threat will continue to pose a significant risk.
3.1 Deepfakes tell true lies
Highly plausible digital clones will cause organisations and customers to lose trust in many forms of communication. Social engineering attacks will be amplified and credible fake news and misinformation will spread, with unwary organisations experiencing defamation and reputational damage.
Confidence level:
Deepfakes have caught the attention of cyber thieves with many security firms reporting that they are seeing increasing ‘chatter’ on dark web forums about tools and technologies to create convincing fakes.219 The FBI has issued a similar warning suggesting hostile nations will use ‘synthetic content’ in their ongoing propaganda and disinformation campaigns.220
So far, there has been little use of these tools to create deepfakes that are then used in frauds and social engineering attacks but high-profile examples demonstrate the potential of this attack vector. Adversa.ai developed a successful black-box attack that tricked the PimEyes facial recognition system into believing a company CEO was Elon Musk.221
This is an attack type that may grow in popularity as office work via video meetings becomes more common.222 Gangs that specialise in business email compromise attacks seem most interested as deepfakes could lend credibility to their attempts to trick finance staff by posing as a senior executive.
3.2 The digital generation becomes the scammer’s dream
Generation Z will start to enter the workplace, introducing new information security concerns to organisations. Attitudes, behaviours, characteristics and values exhibited by the newest generation will transcend their working lives. Reckless approaches to security, privacy and consumption of content will make them obvious targets for scammers, consequently threatening the information security of their employers.
Confidence level:
Generation Z now makes up about 10% of the global workforce223 and has begun shaping culture inside many organisations. This step change has already caused security problems – for instance, the SolarWinds breach was blamed on lax password use by a Gen Z age employee.224
There are signs that adversarial threat actors are actively targeting the platforms favoured by Gen Z including Discord, Slack, and social media networks.225 At least one high-profile hack was carried out by abusing a Discord cookie bought online.226
Despite this evidence, it is difficult to claim that an entire generation’s attitude towards information security will bring about a flood of attacks or other breaches. These digital natives do regard online friends as part of an inclusive community with whom they share almost everything they experience, known as ‘radical inclusion’. Some of their behaviour sets them apart from their older colleagues227 and does lend some weight to the threat. This ongoing clash of ideologies will become a pinch point in many organisations in the near future.
3.3 Activists expose digital ethics abuse
Activists will begin targeting organisations that they deem immoral, exposing unethical or exploitative practices surrounding the technologies they develop and who they are sold to. Employees motivated by ethical concerns will leak intellectual property, becoming whistle-blowers or withdrawing labour entirely. Brand reputations will suffer, as organisations that ignore their ethical responsibilities are placed under mounting pressure.
Confidence level:
Glitches in software that unduly lengthen prison sentences,228 racial biases in facial recognition systems229 and crude monitoring of employee productivity via IT-based evaluation systems,230 are notable examples of the unethical ramifications of using technology. Although these incidents are contributing to greater public awareness of how data can be used and abused, unethical practices do not seem to motivate attacks against those responsible.
Protests are being staged when crude technology tools are used to solve complicated business and workplace issues,231 and whistleblowers are regularly exposing activity within organisations, such as Facebook, to prompt regulators and legislators to probe these practices.232 However, activists are not exploiting inappropriate usage as much as expected.
Appendix D: Assessing predictions from 2023
The original Threat Horizon 2023 predictions are summarised below and on the following pages, together with the level of confidence in the threat materialising and supporting evidence for the confidence rating. These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.
1.1 AI industrialises high impact attacks
The malicious use of AI will lead to the industrialisation of tailored, high-volume, high-impact cyber attacks, leaving organisations overwhelmed and unable to operate effectively.
Confidence level:
AI is becoming a transformative force in mainstream business with estimates suggesting that by 2030, the technology will contribute $11.7tn to global GDP233 and global investment in the sector is forecast to reach $97.9bn by 2023.234 Following this trend, it is likely that AI will feature prominently in the activities of cyber criminal groups, who will continue to harness the capability of AI to continuously learn and adapt to changing information. Human-mimicking attacks will become more personalised and increasingly scalable.235
Evidence is emerging that AI tools are being used for less sophisticated tasks such as automating aspects of existing attacks236 and to mount specific campaigns, such as stealing gift cards.237
Despite the above trends, AI does not seem to have caught on among cyber crime groups as an attack enabler – despite many of those groups operating in a very similar manner to modern e-commerce companies238 that are making good use of machine learning and other AI-enabled techniques. Instead, as cyber crime businesses have sought to expand, industrialisation has led to an upsurge in established attack types,239 such as ransomware, rather than an exploration of new techniques that utilise AI.
1.2 Automated defences backfire
Organisations will discover the pitfalls of relying heavily on automated defences. Ineffective implementation of security controls and a lack of human oversight will prove costly.
Confidence level:
The foremost risk associated with the rise of automated defence technologies is their susceptibility to hacking by cyber criminals. Advanced technologies are usually built around ‘black box’ models, which means organisations are often unaware when systems have been compromised.240 Already cyber criminals have been targeting systems by feeding in corrupt or unrepresentative data, injecting bias into ML algorithms. These attacks can have devastating consequences, initially appearing as legitimate data traffic, but causing harm over longer periods.
At the same time laboratory work is unearthing innovative ways to attack automated systems.241 For some of these approaches attackers are not required to trick the system; they only need to overload it, causing networks to fail.242
1.3 Layered security causes complacency and confusion
The ever-expanding array of policies, processes and technologies forming an organisation’s security ecosystem will clash and contradict, degrading security.
Confidence level:
Nefarious actors have begun to exploit the numerous layers of policies and processes within organisations to launch their attacks. For instance, CISA reported several cases244 which exploited failings in authentication systems for cloud services that had adopted MFA to collapse some of their security layers.
The burden on security analysts is increasing with some required to handle more than 11,000 alerts a day on average.245 According to one study, 75% of analysts believed most of their time was wasted chasing false positives.246 This combination of too many alerts, too few staff and growing automation is problematic because it can mean security analysts take shortcuts around established policies to get work done and automation can punch holes in layered defences as they are given permission to act independently. Defence systems such as Endpoint Detection & Response (EDR) and Cloud Access Security Brokers (CASB) could add to this burden and cause ‘tool sprawl’, which could facilitate a feeling of complacency.247
Work trends continue to be reliant on remote working but this has yet to evolve into a more encompassing technological change that would involve avatars standing in for people in virtual offices or meeting spaces. While much work is going into the creation of these metaverse systems, the long development cycle of these technologies merits a low threat rating.
2.2 Biological data drives a rash of breaches
Attackers will relentlessly target organisations that gather biological data, recognising its high value and utility.
Confidence level:
The global pandemic has prompted greater interest in healthier lifestyles and an increase in apps that offer services in monitoring and tracking biological data to help people avoid hotspots, book vaccines or just keep fit.256 Apple’s flagship watch, for example, tracks numerous health indicators and can be found on almost 100 million wrists – demonstrating the rising interest in health data.257
The biological data gathered by individuals, stored by organisations and shared with healthcare providers is a type of personal information that attracts high demand on the black market. Attackers have mounted numerous campaigns against healthcare providers to secure this valuable resource.258 Those exposed to biological data theft are at risk of financial fraud, identity theft, and account takeovers.
2.3 Gamed algorithms cause commercial confusion
As organisations power interaction with customers via algorithms, attackers will manipulate these systems to undermine digital experiences and commercial advantages.
Confidence level:
The use of bots to game algorithms, secure limited supplies of goods, exploit loopholes in poorly written algorithms and mount creative attacks has undergone a swift industrialisation in the last 12 months.259
So-called ‘grinch’ bots are being used to distort the market value of some goods so prices exceed the manufacturer’s recommended retail price.260 Doordash drivers successfully gamed algorithms261 to improve their pay and Uber moved to limit use of bots that worked out if drivers were being paid correctly.262 Bot attacks on social media services are now commonplace263 and are beginning to be seen securing pitches at campsites and vaccination appointments.264
3.1 Smart grids succumb to an attack surge
Adversarial actors will take advantage of vulnerable and poorly secured components in smart grids. Blackouts that disrupt operations will result.
Confidence level:
The move to smart grids has begun, with more organisations willing to swap fossil fuel sources for sustainable energy supplies. The market for smart grid technology is set to triple by 2023267 and that growth is expected to run in excess of 10% per year up to 2028.268
Energy firms are already regularly under attack with both domestic suppliers (register) and infrastructure operators in India,269 Brazil,270 and the US271 suffering breaches. In addition, vulnerabilities have been found in several types of hardware, including smart meters, used to build smart grids272,273 highlighting the susceptibility of this technology to hack attacks. This led the US to issue a mandate urging all operators of critical infrastructure, which includes power generators and distributors, to take part in a program to secure the new and old ICS systems involved in this sector.274
3.2 Isolationism creates a security disconnect
Global operations will be hit by a raft of social, legal and political changes confronting organisations with an increasingly costly and fragmented operating environment.
Confidence level:
A rapid increase in the number of short-term and region-specific regulations governing internet use is threatening to turn the internet into a collection of disparate networks. This ‘splinternet’,275 as some have called it, would force organisations to operate under very different regimes and potentially force them to hold and process data locally rather than centrally.
China276 and India277 have been enthusiastic enactors of rules and regulations governing the use of the internet and technology. Other nations to follow suit include Cambodia, Iran, Nigeria, Russia, Turkey, Uganda, Israel and Myanmar. Many of the restrictions are aimed at encryption, VPNs, apps, and data processing, potentially making it hard for multinational organisations to operate in these regions with the freedom they used to enjoy. The US and China continue to spar over advanced technologies with many restrictions now placed on who US firms can trade with and on what technologies they can collaborate.278
These factors and the ongoing trading and operating difficulties they thrust onto organisations give this threat a high rating.
3.3 Security struggles to adjust to the never normal
A constantly shifting security landscape will leave organisations in the world of the ‘never normal’ where technologies, policies and processes are not fit for purpose.
Confidence level:
The global shift to remote working driven by the pandemic has left many organisations struggling to re-erect the shell of security controls and practices they used to rely on. Zoom, Teams, other video messaging services and many cloud services all have default settings that have the potential to upend policies that were designed to govern information management unless they are customised.[282]
At the same time, attackers have been swift to mount attacks on the technologies and services used to support remote working – including VPNs, Slack, Discord and other messaging services[283,284] – to capitalise on the unfamiliarity of workers with these systems.
Culturally, organisations still have some way to go to cope with the shift in working patterns, the security debt they incur, and the effect they have had on their information security activities.[287]
Threat Horizon reports.
– record relevant future threats to information presented in Threat Horizon reports or those that are identified as specific to the organisation
– assess the potential impact of these threats
– determine the organisation’s ability to manage these threats
– prioritise plans and the investment needed to remediate threats.
Each threat is shown as a red, amber or green circle denoting the priority the threat has been assigned. The closer a threat is to the bottom left of the Radar, the more attention it merits.
[Figure: Radar with axes ABILITY TO MANAGE (Very high to Very low) and IMPACT (Very high to Very low), showing example threats A and B]
FIGURE 10: Example ISF Threat Radar
The Radar is not a traditional risk matrix or heatmap and should therefore not be treated as such:
it does not consider likelihood, probability or frequency.
The Radar can facilitate engagement with the board, offering a way to visualise the extent of impending
threats to the organisation and to identify areas that require investment or further development to
support the business in the future.
An example radar
An example of how a fictitious organisation might assess the nine threats in this report, and plot them on the
Radar, is presented below and on the following page.
In this example, France Digital Electronics (FDE) is a global organisation operating in the competitive
market of consumer electronics, creating innovative products that are ahead of general trends and have a
competitive advantage over Chinese imports. This has been achieved by outsourcing many core services
through expansive supply chains. The main customer centre is based in India, outsourced to a local company,
whilst the production facilities are primarily outsourced to a Chinese manufacturer. The company HQ is
based in Paris, with product development operating via a vast network of suppliers in Asia. The IT capabilities
are mainly outsourced with a preferred cloud service provider offering nearly all the IT and analytics
services. The cloud datacentre resides in Dublin, Ireland, to assist with compliance with the GDPR.
How the fictitious organisation has plotted the nine threats in this report on the Radar is illustrated in Figure
11, with its reasoning presented on page 66.
[Figure: threats plotted on the Radar against ABILITY TO MANAGE. Recoverable labels: 1.2 Regulators inhibit data-driven innovation; 1.3 Attackers undermine central cryptocurrencies; 2.1 The cloud risk bubble bursts; 2.2 Activists pivot to cyber space; 2.3 Misplaced confidence disguises low-code risks]
With the disparate nature of our network, ransomware could take hold quickly as the network traffic travels much quicker than our communications could do on spotting the problem. This is a problem that is not unique to us but one we are concerned about, with many outsourced providers connected to our infrastructure there are many entry points that we do not control.

At present we do not use either AI or algorithms driven by machine learning, therefore regulation in this area is of little concern due to limited impact.

As we are a manufacturer CBDCs are not a current concern as they will impact others before demanding changes to our finance processing systems. This gives us time to assess and understand the risks of implementing changes to our financial systems.
As we have focused on one cloud provider it leaves us open to being held hostage to changes in costs, technology or outages at that supplier. As we are so ingrained in the setup it would be a large costly project to move our infrastructure over to a new provider.

Although we do have OT environments they are to produce consumer electronics and therefore we are unlikely to be the target of activists. However, it would be worth scrutinising our supply chain to reveal how key components and materials are sourced in case these could open us up to censure or attack.

The chance of programs created by no-code or low-code tools being used in our environment is high. This could be by internal staff trying to quickly fix a problem or an outsourced partner trying to save time and money to produce applications. This will be hard to uncover and control, having a severe impact on our systems.
3.1 Attackers poison the data well
We currently do not use machine learning, but we do collect data for analytical purposes to provide a better service to our customers. The impact of maliciously manipulated data would be minimal to us and mitigating the risk would be relatively simple for us to achieve with solutions such as MFA.

3.2 Misleading signals subvert cyber fusion centres
As we outsource all our IT services including the SOC there are some concerns about the impact that this could cause. However, as the majority of our infrastructure is in the cloud this mitigates some of the concerns and potential impacts but it would be sensible to assess the integrity of our threat intelligence and data feeds.

3.3 Digital twins double the attack surface
Our OT operations, as part of our manufacturing processes, include several digital twins. The need to protect our OT systems is one of our biggest concerns and a breach here could be crippling, so this is a high priority for us to mitigate and resolve. Information security practice in this area is evolving and we are actively engaged in improving our understanding of these threats.
– Understand future threats to information.
– Assess the potential financial, operational, legal and regulatory compliance, reputational and health and safety impacts on the organisation.
– Influence research and development of new products or services, transformation programmes or M&A plans.
– Discuss and report information risk with the board.
– Define information security strategy and set budgets.
– Build secure IT infrastructure and architecture.
– Implement plans and coordinate responses across various functions affected by the threats.
Step 1
Parties to involve:
CISO, information risk management team, IT managers, senior business leaders.
– Previous issues of Threat Horizon
– Information Risk Assessment Methodology 2 (IRAM2)
– ISF Threat Radar
Step 2
Parties to involve:
Risk committee, senior business leaders, board members, CISO, IT managers.
Step 3
Parties to involve:
Risk committee, senior business leaders, board members, CISO, IT managers.
Appendix G: References
This appendix lists resources that readers may find useful for further research and reading around each
section of the report.
Political
1 Wylie, C., “Donald Trump predicts ‘big’ 2024 as he declares love for the US”, The Independent, 1 December 2021,
https://www.independent.co.uk/news/uk/donald-trump-nigel-farage-boris-johnson-gb-news-brexit-b1968056.html
2 “Global Trends 2040: A more contested world”, US National Intelligence Council, March 2021,
https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf
3 Quinn, J., “Beijing’s Taiwan Invasion Timeline: Two Predictions”, National Review, 8 November 2021,
https://www.nationalreview.com/corner/beijings-taiwan-invasion-timeline-two-predictions/
4 Ellis, S. and Lin, M., “Taiwan’s Pro-China KMT Reelects Old Hand in Bid to Reclaim Power”, Bloomberg, 25 September 2021,
https://www.bloomberg.com/news/articles/2021-09-25/taiwan-s-pro-china-kmt-reelects-old-hand-in-bid-to-reclaim-power
5 “Taiwan opposition party’s new leader pledges renewed talks with China”, Euronews, 26 September 2021,
https://www.euronews.com/2021/09/26/uk-taiwan-politics
6 Millman, N., “Europe is becoming a right-wing continent”, The Week, 7 July 2021,
https://theweek.com/politics/1002381/europe-is-becoming-a-right-wing-continent
7 “Understanding the Threat of Truth Decay”, Rand, 16 January 2018,
https://www.rand.org/research/projects/truth-decay.html
Economic
8 “The Global Economy: on Track for Strong but Uneven Growth as COVID-19 Still Weighs”, World Bank, 8 June 2021,
https://www.worldbank.org/en/news/feature/2021/06/08/the-global-economy-on-track-for-strong-but-uneven-growth-as-covid-19-still-weighs
9 Nabarro, B., “UK economic outlook: the future isn’t what it used to be”, Institute for Fiscal Studies, 12 October 2021,
https://ifs.org.uk/publications/15691
10 “Govt to change laws in Budget to tax cryptocurrency gains: FinMin official”, Business Standard, 19 November 2021,
https://www.business-standard.com/article/markets/govt-to-change-tax-laws-in-budget-to-tax-crypto-gains-finmin-official-121111900699_1.html
11 Ballentine, C., et al., “The Fight to Control the $2 Trillion Crypto Market Is Heating Up”, Bloomberg, 25 September 2021,
https://www.bloomberg.com/news/articles/2021-09-25/who-will-control-crypto-and-bitcoin-btc-us-china-fight-rattles-investors
12 “Lisa Anderson, Predicts Supply Chain Disruptions Beyond 2024”, Supply Chain Quarterly, 5 November 2021,
https://www.supplychainquarterly.com/articles/5793-lisa-anderson-predicts-supply-chain-disruptions-beyond-2024
13 Stevenson, A. and Li, C., “What to Know About China Evergrande, the Troubled Property Giant”, New York Times, 9 December 2021,
https://www.nytimes.com/article/evergrande-debt-crisis.html
Social
14 Christakis, N., “The Long Shadow of the Pandemic: 2024 and Beyond”, Wall Street Journal, 16 October 2020,
https://www.wsj.com/articles/the-long-shadow-of-the-pandemic-2024-and-beyond-11602860214
15 Kluth, A., “Social Unrest Is the Inevitable Legacy of the Covid Pandemic”, Bloomberg, 14 November 2020,
https://www.bloombergquint.com/gadfly/2020-s-covid-protests-are-a-sign-of-the-social-unrest-to-come
16 Petersen, M. B., Twitter, 13 November 2021,
https://twitter.com/M_B_Petersen/status/1459462822719537156
17 Goldberg, E., “The 37-Year-Olds Are Afraid of the 23-Year-Olds Who Work for Them”, New York Times, 28 October 2021,
https://www.nytimes.com/2021/10/28/business/gen-z-workplace-culture.html
18 “Gartner Says Digital Ethics is at the Peak of Inflated Expectations in the 2021 Gartner Hype Cycle for Privacy”, Gartner, 30 September 2021,
https://www.gartner.com/en/newsroom/press-releases/2021-09-30-gartner-says-digital-ethics-is-at-the-peak-of-inflate
Technological
19 “Global Britain in a competitive age”, UK Government, March 2021,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf
20 Wieland, K., “BT warns “Quantum Apocalypse” might happen in 2024”, Telco Titans, 6 May 2021,
https://www.telcotitans.com/btwatch/bt-warns-quantum-apocalypse-might-happen-in-2024/3176.article
21 Sengupta, K., “MI6 must harness new technologies to combat hostile states, security service chief warns”, The Independent, 30 November 2021,
https://www.independent.co.uk/news/uk/home-news/mi6-technology-spying-digital-age-b1966747.html
22 Grush, L., “NASA’s Moon landing will likely be delayed ‘several years’ beyond 2024, auditors say”, The Verge, 16 November 2021,
https://www.theverge.com/2021/11/16/22783149/nasa-artemis-moon-landing-2026-office-inspector-general-report
23 Wall, M., “Kessler Syndrome and the space debris problem”, Space.com, 15 November 2021,
https://www.space.com/kessler-syndrome-space-debris
24 “Russian anti-satellite missile test draws condemnation”, BBC News, 16 November 2021,
https://www.bbc.co.uk/news/science-environment-59299101
Legal
25 “Global Britain in a competitive age”, UK Government, March 2021,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf
26 “AI and automation: how can the UK prepare for the future of work?”, New Statesman, 4 November 2021,
https://www.newstatesman.com/spotlight/2021/11/ai-and-automation-how-can-the-uk-prepare-for-the-future-of-work
27 Cooper, D., et al., “The UK Government Publishes its AI Strategy”, Covington Inside Privacy, 4 October 2021,
https://www.insideprivacy.com/artificial-intelligence/the-uk-government-publishes-its-ai-strategy/
28 Franke, U., and Torreblanca, T. I., “Geo-tech politics: Why technology shapes European power”, European Council on Foreign Relations policy brief, 15 July 2021,
https://ecfr.eu/publication/geo-tech-politics-why-technology-shapes-european-power/
29 Scott, M., “US offers deal to woo Europe on data”, Politico, 21 October 2021,
https://www.politico.eu/article/negotiations-for-new-transatlantic-data-deal-nudge-forward/
30 Keane, J., “With Biden in the White House, EU officials are pushing hard for a new data-sharing pact with the U.S.”, CNBC, 19 April 2021,
https://www.cnbc.com/2021/04/19/privacy-shield-eu-officials-pushing-hard-for-us-data-sharing-pact.html
31 “Can Diplomacy Win the Fight against Ransomware?”, SecAlliance, 15 June 2021,
https://www.secalliance.com/blog/can-diplomacy-win-the-fight-against-ransomware
Environmental
32 Barnes, K., “Earth may temporarily pass dangerous 1.5 warming limit by 2024, major new report says”, The Conversation, 9 September 2020,
https://theconversation.com/earth-may-temporarily-pass-dangerous-1-5-warming-limit-by-2024-major-new-report-says-145450
33 Weatherley-Singh, J., “Time for governments to take biodiversity loss as seriously as climate change”, Euractiv, 14 April 2021,
https://www.euractiv.com/section/energy-environment/opinion/time-for-governments-to-take-biodiversity-loss-as-seriously-as-climate-change/
34 “‘Sustainable’ Companies Face Increased Pressure to Justify the Sustainability Label Amid Investor Challenges and Demands for Greater Risk Assessment and Disclosure”, National Law Review, 15 December 2021,
https://www.natlawreview.com/article/sustainable-companies-face-increased-pressure-to-justify-sustainability-label-amid
35 Levin, J., “Imagining The Future Of ESG – Investing Is Just The Beginning For The Values-Based Economy”, Forbes, 26 May 2021,
https://www.forbes.com/sites/forbesbusinesscouncil/2021/05/26/imagining-the-future-of-esg--investing-is-just-the-beginning-for-the-values-based-economy/
36 Rowling, M., “Tired of COP26 promises, Glasgow protesters push climate justice from ‘the outside’”, Reuters, 6 November 2021,
https://www.reuters.com/business/cop/tired-cop26-promises-glasgow-protesters-push-climate-justice-the-outside-2021-11-06/
https://www.darkreading.com/vulnerabilities-threats/cisa-issues-new-directive-for-patching-known-exploited-vulnerabilities
Feedback
We’d love to hear from you
The ISF encourages collaboration on its research and tools. ISF Members are invited
to join the Threat Horizon community on ISF Live to share experiences.
Submit an idea for the ISF Forward Work Programme on ISF Live
For further
information contact: