IT Brief Australia - Technology news for CIOs & IT decision-makers
Story image

Cyber security spending to hit USD $212B amid AI threats

Thu, 28th Nov 2024

The cyber security landscape is set to face significant challenges in 2025, with predictions of escalating cyber threats driven by advanced technologies and increased vulnerabilities.

Gartner has projected that global end-user spending on information security will reach USD $212 billion in 2025, marking a 15.1% rise compared to the previous year. Imperva, a cyber security company, has identified several key trends anticipated to influence the security sector, ranging from AI-enhanced threats to the risks posed by APIs.

Nanhi Singh, General Manager and Chief Customer Officer at Imperva, highlighted the dominance of bad bots in ticket scalping. "In 2025, bad bots will take ticket scalping to a whole new level, with devastating impacts on fans and consumers alike. We've seen the heartbreak recently with Oasis fans, who faced sold-out shows in seconds, only to find tickets at astronomical prices on resale sites. Worse still, many tickets were later cancelled due to scalping. And with anticipated tours from the likes of Beyoncé, Billie Eilish, and Coldplay, fans could be left out in the cold as bots grab the best seats. Our Bad Bots report found that entertainment websites have seen the second-highest ratio of advanced bots in the past year, with ticketing sites being the most targeted. Despite global crackdowns on bots, such as recent laws in various countries, bots are evolving faster than regulations can keep up. Just as with the grey areas around web scraping, businesses can't afford to rely solely on legal measures. They need robust, proactive bot management strategies to protect fans and restore fairness in ticketing. Without this, we're facing a bleak future for live entertainment access, where fans consistently lose out to automated scalpers."

Ido Breger, Vice President of Product Management at Imperva Application Security, addressed the ongoing threat of supply chain attacks. "The software supply chain has been a hot topic in security, and 2024 was no exception, with incidents like the Polyfill breach highlighting the widespread impact of such attacks. In 2025, we can expect supply chain attacks to dominate the threat landscape, driven by AI tools creating new risks. Open repositories are a major vulnerability. While the industry is more aware of the threats from open-source software, AI has escalated these risks. Open model repositories give cybercriminals a roadmap into their inner workings, exposing companies using them to potential attacks. Many organisations are unaware of these risks, and a flaw in a major AI solution's public repository could put all its users at risk. IT, security, and DevOps teams must collaborate closely in 2025 to mitigate the growing threats AI poses to the supply chain."

Moshe Lipsker, Vice President of Global Product Development at Imperva, warned about a resurgence in traditional attack methods with AI enhancements. "While AI is rapidly evolving the security landscape, the biggest threats in 2025 won't be entirely new. Instead, we'll see a resurgence of traditional attacks with an AI-powered twist. Cybercriminals are refining their tried-and-true methods, making them more advanced with AI. Bot attacks are on the rise again. In 2023, the U.S. accounted for 47% of all global bot attacks, reversing a years-long decline. AI has made it easier for anyone to create malicious bots, leading to a surge in content creation scams and more severe bot proliferation. In fact, a recent 6-month analysis our Threat Research team found that retail sites alone collectively experience 569,884 AI-driven attacks each day – with attacks originating from AI tools like ChatGPT, Claude, and Gemini, alongside specialized bots that are designed to scrape websites for LLM training data. This is driving up prices in industries like entertainment. As attackers become even more familiar with these new technologies their use of AI will only increase placing even greater pressure on teams to shore up defences. This rise in familiar attacks means organisations must not let their defences down. Entering 2025, they need solutions capable of detecting these increasingly sophisticated AI-enhanced threats."

Lipsker also highlighted a shift to DevSecOps teams in response to the API boom. "As we head into 2025, we'll be four years into application programming interfaces (APIs) taking over the world. As it stands, the Economic Impact of API and Bot Attacks study conducted by the Marsh McLennan Cyber Risk Intelligence Center for Imperva found that the average enterprise managed 613 API endpoints last year. APIs enable seamless integration and user experience, but consequently, attract hacker interest as these endpoints provide direct access to sensitive data. On average, API-related security issues cost organizations $25-87 billion annually. This massive loss begs the question: are IT security teams and DevOps teams ready to work together to balance the speed of business development with security? As more organizations continue to adopt APIs in 2025, these increasing risks will force their hand in strengthening security posture at the point of development so that they can provide widespread protection of their software. Though it's not easy, we will continue to see the transition to DevSecOps teams to ensure that security is effectively built into product development from the start. With these transitions, organizations will adopt automated solutions such as runtime application self-protection to increase security without adding overhead to development processes."

Lebin Cheng, Vice President of API Security at Imperva, elaborated on the financial implications of API-related threats. "Adoption of LLM based applications and custom components, such as LLM agents, will start to proliferate at speed in 2025, leading to an explosion of application programming interfaces (APIs). As the agentic AI wave takes hold, API traffic will undoubtedly increase – becoming an even greater threat to an organization's sensitive data, and drive a greater need for API observability. In fact, I predict that in the year 2025, there will be at least one well-publicised LLM application security breach that is related to APIs and that the cost of API-related security incidents will likely increase overall. With API-related security issues already costing organizations $25-87 billion annually, we could see these costs escalate to over $100 billion by 2026 if smart interventions are not taken. But we may also see that it is detected and remediated thanks to developments in API security – helping to counter-balance some of the risks. As organizations start to reach the maturity stage of implementing automated remediation actions against sophisticated API related business logic abuse, the cost of API-related security incidents could be reduced. Continuous visibility, categorisation, and monitoring of data that flows through APIs and API protection will become a direct extension of a business's strategy to mitigate the risk of data breaches and data leakage. By uncovering hidden APIs, software developers and security administrators can gain more accurate insight into how to address potential security issues. As 2025 will likely bring more national cybersecurity guidelines, enabling API governance will ensure that business leaders in highly regulated industries have a sustainable model that stops potential data breaches. It will be a very happy coincidence if a working detection and remediation solution can actually help detect and limit the damage when an API abuse happens to the LLM based app – but time will tell."

Finally, David Holmes, Chief Technology Officer of Imperva Application Security, pointed to the swelling AI investment and its implications. "AI investment will pass $1T at the peak of its hype in 2025. But alongside questions of whether the savings generated by AI will ever justify this investment, AI's latest killer app – the natural language interface to data – will create a new threat vector: prompt injections. I firmly believe a global 2000 company will lose significant intellectual property due to a prompt injection breach next year. A combination of lack of clear return on investment and the new dangers generated by AI may plunge it into the trough of disillusionment faster than otherwise would have happened."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X