Introduction
In 2024, technology continued to accelerate working environments, with mainstream Artificial Intelligence (AI) catching attention along with its inherent new risks, such as increased speed and scale of attacks leveraging Generative AI (GenAI) and fraud-enabling “deep fakes”. Further, the implementation of foundational cybersecurity capabilities continued to be a challenge for many organizations – often due to a lack of executive buy-in and resourcing – leaving some critical systems, sensitive data, and organizational operations exposed.
Neuvik spent the year assisting organizations in addressing many of these challenges, acting as a trusted partner from penetration testing to strategic cybersecurity program development and risk assessments. Over the course of this work, as well as during research on new tools and techniques, three main trends emerged:
- Cybersecurity ROI: Cybersecurity due diligence during M&A can result in $Ms of savings on deal price
- Open Vulnerabilities: Most companies fall (or are at risk of falling) victim to the same vulnerabilities, even though simple fixes exist
- Risk Perception: Third-Party Risk Management continues to be a challenge – but management providers don’t necessarily reduce risk
Read on for Neuvik’s perspective on these trends in 2024.
Top insights in 2024:
Cybersecurity due diligence during M&A can result in $M of savings on deal price
While the inclusion of cybersecurity in diligence for M&A isn’t a new trend, 2024 saw a significant increase in the impact of cybersecurity findings on deal price. Unlike in previous years, where a cybersecurity review acted as a “check-the-box” component of diligence, 2024 cemented the fact that cybersecurity capability – or lack thereof – can materially influence deal dynamics.
This is especially true for organizations in the core sectors of Neuvik services – financial services and healthcare. In both industries, legal regulations and increased scrutiny mandate strong cybersecurity. As a result, legacy infrastructure, insecure or outdated configurations, and lack of appropriate access management can significantly impact deal price, as the acquiring company must not only absorb the risk associated with these issues, but also the financial and time burden of upgrading, replacing, or reconfiguring critical systems.
For healthcare especially, cybersecurity is essential to protect patient privacy, ensure the integrity of medical systems, and prevent disruptions that could jeopardize lives.
The healthcare industry has become a prime target for cyberattacks due to its reliance on sensitive patient data, interconnected devices, and critical systems. As a case example, Neuvik identified numerous cybersecurity issues during a healthcare M&A diligence – including a significant number of legacy medical devices and insecurely configured systems that could pose significant risk to the target organization’s ability to perform patient care and maintain the security of patient health records. Ultimately, these findings contributed to a ~$15M adjustment in the negotiated deal price to offset the anticipated post-merger costs of updating and integrating these vulnerable systems.
As increased M&A activity is anticipated in 2025, Neuvik expects cybersecurity to become an even more prominent component of deal pricing.
Most companies fall victim to the same vulnerabilities (or will), even though simple fixes exist
Over the course of 2024, Neuvik conducted 40+ offensive assessments and, time and time again, saw the same common vulnerabilities across organizations of different industries, sizes, and levels of complexity.
Compounding the fact that these issues appear with significant frequency is the fact that – in almost all cases – quick fixes exist. This suggests not only that organizations may be unaware that these vulnerabilities persist within their environments, but also that they don’t sufficiently understand the risk these vulnerabilities pose: they are “known” to attackers and frequently exploited. By leaving “low-hanging fruit” unaddressed, organizations signal to malicious actors that their cybersecurity program is weak – and therefore may find themselves targeted more frequently.
By addressing these vulnerabilities, organizations can significantly reduce their “known” risk – and then repurpose resources to address more novel vulnerabilities and sources of risk.
The common vulnerabilities seen in 2024:
- Use of overly complex passwords and “strong password” policies
- Weaknesses with Multi-factor Authentication (MFA)
- Lack of Asset and Inventory Management and limited visibility within the environment
- Legacy and misconfigured internal architecture
- Use of the legacy LLMNR and NetBIOS Name Service (NBT-NS) name-resolution protocols
- IPv6 enabled by default but unmanaged, or its presence not recognized at all
- Weaknesses with printers, including Print Spooler service vulnerabilities
- Insecure Web Applications / Admin Portals
- Issues with Active Directory Certificate Services, including misconfigured templates and default configurations
- Password reuse
Many – if not most – of these vulnerabilities have quick fixes. In fact, Neuvik’s Director of Advanced Assessments for the EU, Jean Maes, provides a detailed overview of the risks associated with these vulnerabilities and how to address them in his recent blog post.
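Several of the items above (LLMNR, NBT-NS, the Print Spooler, and default IPv6) can be verified on a single Windows host in a few lines. The script below is an added example written for this post, not Neuvik’s or Jean Maes’s code: it is a read-only audit that reports which of those quick fixes are still missing, using the standard Windows registry locations and services for each setting. The function name, output wording, and the decision to only report (never change) settings are this example’s own choices.

```powershell
# Added example (not from the original post): read-only audit of four "quick fix"
# items from the list above on the local Windows host. Run in an elevated
# PowerShell 5.1+ session; nothing is modified.

function Invoke-QuickFixAudit {
    $findings = @()

    # 1. LLMNR: the DNSClient policy value EnableMulticast = 0 turns it off
    #    (GPO: "Turn off multicast name resolution"). Missing value = enabled.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    if (-not $llmnr -or $llmnr.EnableMulticast -ne 0) {
        $findings += 'LLMNR enabled: set EnableMulticast=0 under Policies\Microsoft\Windows NT\DNSClient'
    }

    # 2. NBT-NS: NetBIOS over TCP/IP is configured per interface;
    #    NetbiosOptions = 2 disables it. Report every interface still using it.
    $nbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $nbtPath -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) {
            $findings += "NetBIOS over TCP/IP not disabled on $($_.PSChildName) (NetbiosOptions=$opt, expected 2)"
        }
    }

    # 3. Print Spooler: a running spooler on a host that serves no print jobs
    #    is unnecessary attack surface. Flag it so an owner can confirm the need.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += "Print Spooler running (StartType=$($spooler.StartType)); disable where the host does not print"
    }

    # 4. IPv6: report the DisabledComponents policy value rather than judging it.
    #    Microsoft advises against fully disabling IPv6 (0xFF); 0x20 ("prefer IPv4")
    #    is the documented alternative when IPv6 is not actively managed.
    $v6 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
                           -Name DisabledComponents -ErrorAction SilentlyContinue
    $v6state = if ($v6) { '0x{0:X}' -f $v6.DisabledComponents } else { 'not set (all IPv6 components enabled)' }
    $findings += "IPv6 DisabledComponents = $v6state; confirm IPv6 is either managed or set to prefer IPv4 (0x20)"

    return $findings
}

# Usage: print one line per finding, or a clean bill of health.
$result = Invoke-QuickFixAudit
if ($result.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $result | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

The script deliberately reports rather than remediates: the LLMNR and NBT-NS values are normally pushed by Group Policy, and changing them on one host by hand masks the fact that the domain-wide policy is missing. Running it across a sample of workstations and servers is a quick way to confirm whether a policy that is believed to be deployed has actually reached every host.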
Looking forward to 2025, we hope to see fewer of these common vulnerabilities.
Third-Party Risk Management continues to be a challenge – but management providers don’t necessarily reduce risk
Despite high-profile breaches over the past decade, third-party vendors continue to introduce risks for the organizations they support. In 2024 alone, SecurityScorecard reported that up to 30% of organizations experienced breaches due to third-party vulnerabilities, with the healthcare and finance sectors being particularly susceptible. Worse yet, many companies opt to outsource the management of their third-party vendors to Third-Party Risk Management providers. In many cases, doing so inadvertently increases risk: these management providers can themselves be vulnerable, and they hold detailed information about which third parties are active in a given organization’s environment, information that could be used to better target an attack. This isn’t a new trend – in fact, Neuvik wrote about this risk in depth back in 2022.
However, the fact that third parties (and third-party management providers) continue to introduce risk speaks to the fact that Third-Party Risk Management (TPRM) remains a less prioritized function. While collaborations with third-party entities can enhance innovation and operational efficiency, vulnerabilities in their IT ecosystems can pose significant risk. Establishing strong TPRM is essential to evaluate and manage these risks and protect both data and business functions.
This is especially true in 2024, given the increasing prevalence of Artificial Intelligence (AI) vendors across business functions. As the adoption of AI grows, so do the risks associated with it, such as the introduction of dependencies on outdated code libraries, a lack of oversight to avoid incorporating hallucinations into Intellectual Property (IP), and limited ability to prevent insiders from manipulating these tools into performing cybersecurity functions. Concerningly, few organizations treat AI vendors as “third parties” today, leaving them unmanaged by TPRM programs. Looking forward into 2025, it will be critical to treat AI vendors like any other vendor managed via TPRM: evaluate them for key cybersecurity capabilities, ensure alignment with both organizational and industry ethical standards, and confirm their compliance with relevant regulations.
Conclusion
As 2024 concludes, it’s clear that cybersecurity has only become increasingly visible to business leadership as a core competency for most, if not all, organizations. Going into 2025, Neuvik expects this to continue – and is prepared to support your organization with our Advanced Assessments and Cyber Risk Management services. Interested in learning more? Visit us at Neuvik.com.