Skills shortage and unpatched systems soar to high-ranking 2030 cyber threats

The following top ten list includes a revised line-up of the emerging cybersecurity threats to have an impact by 2030:

1. Supply Chain Compromise of Software Dependencies
2. Skill Shortage
3. Human Error and Exploited Legacy Systems Within Cyber-Physical Ecosystems
4. Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem [New in Top Ten]
5. Rise of Digital Surveillance Authoritarianism / Loss of Privacy
6. Cross-border ICT Service Providers as a Single Point of Failure
7. Advanced Disinformation / Influence Operations (IO) Campaigns
8. Rise of Advanced Hybrid Threats
9. Abuse of AI
10. Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure [New in Top Ten]

EU Agency for Cybersecurity Executive Director, Juhan Lepassaar highlighted that “Persistent observation and assessment of the current threats and trends is key to achieve a higher level of cybersecurity. In this way, we better withstand today’s challenges and enhance our mitigation plans for the years to come.” 

Despite a slight decline compared to past years' results in the overall score of impact and likelihood, ‘Supply Chain Compromise of Software Dependencies’ still remains the highest-ranking threat. This is considered as an after-effect of the expanding integration of third-party suppliers and partners in the supply chain, leading to new vulnerabilities and opportunities for attacks. ‘Cross-border ICT Service Providers as a Single Point of Failure’ threats have significantly moved up due to growing concerns that can emanate from the growing ICT interconnectedness in critical infrastructure between Member States.

It is also notable that ‘Skill Shortage’ threats have significantly moved up the ladder to the top threats, moving from the end of the list to the second place. While efforts have been focused on fulfilling the skills shortage challenge, organisational willingness to develop talent and bridge the educational gap still remain a concern in cybersecurity. This appears to be closely connected to threats related to unpatched systems, as it interferes with the familiarisation of staff with the multitude of tools at hand to update unpatched services that are vulnerable to exploitation.

Other key takeaways of the threats review are the addition of the ‘Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem’ and the ‘Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure’, as a result of a shift in perceived impact and likelihood score.

Likewise, the rise of the ‘Abuse of AI’ threat can be considered an expected outcome of the widespread emergence of AI models in our lives and the relevant concerns regarding the growing reliance on AI. This led to the exclusion of the ‘Lack of Analysis and Control of Space-based Infrastructure and Objects’, and ‘Targeted Attacks (e.g. Ransomware) Enhanced by Smart Device Data’ threats from the top ten list.

In line with ENISA’s strategic objective to provide expertise and insights on future cybersecurity challenges, the foresight report can work as a tool that facilitates a comprehensive understanding of the current cybersecurity threat landscape. The participation of designated experts and stakeholders in the study is an added value that enables better informed actions and improves preparedness. Overall, this study is a step along the way of our efforts to build strong cybersecurity frameworks and best practices that remain up-to-date and adaptable to the ever-changing ecosystem.

Further information

Foresight 2030 Executive Summary

Foresight — ENISA (europa.eu)

Contact

For press questions and interviews, please contact press (at) enisa.europa.eu

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS