There is no doubt that the advent of artificial intelligence (AI) technology brings positives and negatives, not least in the security sector, where attacks are becoming more sophisticated by the day. But are AI threats the only things that companies need to worry about in the future? In short, the answer is no.
According to market watcher Grand View Research, the global AI market was estimated at $136 billion in 2022 and is expected to surpass $196.6 billion in 2023.
With the AI content creation tool ChatGPT a key discussion topic right now, and AI applications on the rise overall, companies must not take their eye off the basics of security, and need to make security a proper focus for the entire organization from the top down, according to cybersecurity experts speaking on a panel chaired by Alison Wakefield, professor of criminology and security studies at the University of West London, at the recent PrivSec event in London.
During the panel entitled “The Future of Cybersecurity: Emerging Threats and Innovative Defense”, Mark Brown, cyber awareness, behavior and culture consultant at Psybersafe, said there is little doubt that ChatGPT and other AI technology will affect how future threat activity happens.
“Looking at the human aspect, a lot of people will play with ChatGPT and see an opportunity, but equally it creates a lot of risk,” he said. “I think you can be far more creative around social engineering and phishing type attacks that you might get, whether that be misinformation, social engineering or deep fakes.”
Fellow panellist Alex Yong, technical lead software engineer at Next DLP, said AI has its good and bad points. “It is terrifying the scale of phishing it is going to allow, but on the flip side the good guys can do a lot with it too – for example I’ve used it for generating test cases against my software and it generates things that we would struggle to think of. In terms of testing and development it is a good tool, so there is a ray of hope on the other side,” he said.
A Constantly Evolving Landscape
Panellist Tim Burnett, head of cyber security and compliance at the Science and Technology Facilities Council, said the pace of change is frightening.
“Security is now big business—we are seeing state-sponsored and organized crime attacks growing in number. The fact that you can buy a ransomware kit with an SLA and support contracts says it all,” he said. “You can buy a ransomware kit pack that comes with a 12-month warranty. The old image of an attacker being a chap in a hoodie on a laptop wearing gloves is utterly wrong. We now have to worry about attackers who are very serious. It is all organized.”
He added, “In the past, spearphishing involved a lot of research and finding your target audience—but now, what if your machine can do that and target an entire C-level in about half an hour thanks to AI? It really is terrifying, and they only have to hit you once. If these attackers can hit multiple organizations all at once with a similar attack, they are going to beat you purely on numbers.”
Psybersafe’s Brown claimed that even the hackers will not be safe in the future.
“This dark industry has become so sophisticated that the hackers are now hacking the hackers,” he said. “The people who are selling this ransomware kit are building in back doorways so they can also get all the information. It is an industry that has a risk reward structure that is always in their favor.”
Drive Security Up the Agenda and Remember the Basics
One thing the panel agreed on is that security is still not being taken seriously enough by many companies.
Chief information security officers (CISOs) are still not being heard at the board level by those who set security strategies and those who sign the checks, according to panellist Chris Culligan, divisional director of cyber at GAWS of London.
Communicating these emerging threats in a way the board will understand will be a crucial defense in the battle against sophisticated cybercriminals.
“Too often CISOs understand the risk exposure that they are facing, but perhaps they have a limited time at board meetings and can’t get their points across,” Culligan said. “The key is to drive security up the agenda and to find the means for the laymen on the board to understand and take action.”
Burnett added that if the language used is one the board doesn’t understand, then the CISO might as well not be there.
“Turn it into a risk story, explain the financial impact, use something that is understood at the C-suite level, then you are more likely to be able to carry on the conversation and actually get somewhere,” he said.
Brown said that if the CISO doesn’t sit at a board level, it means security is not viewed importantly enough by the company to be a regular focus, which leaves a company ‘horribly lacking’.
“Any security policy comes from the top, if it is not believed up there, you are going to struggle to get traction lower down in the company,” he said.
But he added it is important not to lose sight of the basics in this ever-complicated threat landscape.
“Remember that 85% to 95% of attacks are started with human error. Bring the click rate down in your organization,” he said. “Look at what you do with social media, how you move information outside your organization and back in, how you handle passwords—other metrics cause the biggest risks. Train your employees in a way that is remotely interesting or relevant to them. Use your own people as part of your defense.”