As we step into the new year, there are a lot of developments on the horizon in the tech landscape. But alongside the excitement, concerns over cybersecurity are ever present.

Cybersecurity experts largely predict that 2024 will see a rising wave in artificial intelligence (AI) powered cyberthreats, particularly in the area of phishing attacks, due in part to the wider availability of powerful tools.

Andrew Shikiar, the Fast Identity Online (FIDO) Alliance’s executive director and chief marketing officer, says that both individuals and businesses are already being duped by social engineering and phishing tactics en masse.

He expects that AI will greatly augment the effectiveness and scale of these attack vectors.

“Social engineering is already the cause of the majority of attacks, and now any fraudster, anywhere in the world, can generate word-perfect phishing attacks that are near-impossible to detect – at a fraction of the effort of creating a deepfake.

“This will be the biggest AI-driven security threat of the year. In fact, our recent study found that over half the population (54%) have already seen an increase in suspicious messages and scams, while 52% believe they have become more sophisticated.

“As this problem grows, businesses and service providers will look to non-phishable solutions to better protect themselves and their employees, and secure one of the biggest weak links in any organisation’s cyber defenses,” he says.

Cybersecurity firm Trend Micro’s vice president of market strategy, Eric Skinner, similarly expects a widespread escalation in AI-powered phishing threats during the year.

The situation is exacerbated, he says, as the issue now expands beyond just the English language.

“Advanced large language models (LLMs), proficient in any language, pose a significant threat as they eliminate the traditional indicators of phishing such as odd formatting or grammatical errors, making them exceedingly difficult to detect,” he says.

Skinner adds that due to this, businesses need to go beyond conventional phishing training and adopt modern security controls to circumvent these tactics.

The firm also expects generative AI to supercharge the phishing market this year, saying that it would “enable cost-effective creation of hyper-realistic audio and video content – driving a new wave of business email compromise (BEC), virtual kidnapping, and other scams.”

With that in mind, the use of zero-trust policies would be the best direction to move towards, according to the cybersecurity company.

“Zero-trust” refers to a cybersecurity approach that assumes that no user should be trusted with unrestricted access by default, instead requiring authentication and validation at each step.

Trend Micro’s vice-president of cybersecurity, Greg Young, says that this rising trend may lead to more scrutiny from regulators, while also spurring the cybersecurity sector to take initiative in addressing AI.

“In the coming year, the cyber industry will begin to outpace the government when it comes to developing cybersecurity-specific AI policy or regulation,” he says, adding that “the industry is moving quickly to self-regulate on an opt-in basis”.

Looking locally

A study published by cybersecurity company Cloudflare found that 53% of Malaysian companies were hit with more than 10 cybersecurity incidents between November 2022 to November 2023, while 72% had experienced at least one during the same period.

Cloudflare compiled this data via a survey of 207 local companies, and published it late last year in its Securing The Future: Asia Pacific Cybersecurity Readiness Survey report.

According to the report, these intrusions were largely made via vectors such as web attacks (68%), phishing (60%) and BECs (46%).

Overall, 48% of the affected companies report a financial impact of at least US$1mil (RM4.63mil), while 31% say they lost US$2mil (RM9.26mil).

The most interesting piece of data presented in the report however was that only 35% of these companies hit by cyberattacks disclosed the incident to authorities.

Under the current Personal Data Protection Act 2010 (PDPA), reporting of such incidents is not mandatory, though an upcoming revision is expected in early 2024.

Another cybersecurity firm, Surfshark reported in early December 2023 that Malaysia ranks as the eighth most breached country in between July to September 2023, with a total of 494,699 compromised accounts.

According to the 2023 Mid-Year Threat Landscape report from CyberSecurity Malaysia, the country saw data breaches largely in the government (22%), telecommunications (9%), education (6%), and retail (6%) sectors, with the remaining 48% split amongst other sectors.

However, by sheer amount of data leaked, the telecommunications sector leads at 424.91GB, followed by the government (291.49GB), banking (62.46GB), and IT (14.60GB) sectors.

The report goes on to propose that a comprehensive assessment across all government agencies be done, looking into the web and hosting infrastructure, data centres, internal systems, and the entire ecosystem of each ministry.

It also recommends an increase in funding and a more proactive cybersecurity approach.