By Oseloka Obiora, below, CTO, RiverSafe
Over the past few years, AI has been working its way into the software and digital services we use every day, without most of us even noticing. But even as our devices were getting smarter, few could have predicted the explosion in AI usage that’s taken place recently.
The door to AI has been thrown open, with generative AI services like the much-discussed ChatGPT now accessible to everyone. Developers, schoolchildren, pub quiz masters: it seems that everyone is finding a use for AI—and unfortunately, cyber criminals are no exception.
This democratisation of AI is already shaking the foundations of cybersecurity. As well as scaling waves of existing attacks to unprecedented levels, AI is also being used by criminals to develop new ways of tricking potential victims and breaching digital defences.
As cybersecurity experts, RiverSafe decided to find out how UK businesses are preparing for this new era of cybersecurity threats by asking 250 cybersecurity leaders to share their thoughts. Let’s unpack some of the most startling data from the AI Unleashed: Navigating Cyber Risks report.
80 per cent of the security leaders believe AI to be the biggest cyber threat to their business
Though organised cybercrime remains a booming industry and state-sponsored hacking is on the up, it’s AI that’s keeping the majority of cybersecurity leaders awake at night.
The sheer opportunity that AI offers bad actors to scale the scope and sophistication of their attacks is worrisome. With AI at their fingertips, cybercriminals can execute all their existing tactics faster and on a much larger scale; massively increasing their potential success rate.
Whether they’re conducting simple tasks like password cracking and searching for vulnerabilities in websites and software, or developing stunningly convincing social engineering scams with tech like deepfakes, AI algorithms are the ultimate power-up for cybercriminals.
20 per cent say their business was potentially compromised this year by a cyber-breach
The fact that AI will make cyber-attacks more frequent is troubling given the already high numbers of businesses that are falling victim to breaches. A fifth of the CISOs we spoke to believe their business had experienced a cyber-breach in the past year, with another 18 per cent admitting that they’d been the victim of a serious breach.
The increased capacity that cyber criminals will have thanks to AI is likely to push those percentages even higher in the near future, as businesses put additional defences in place to protect themselves against new threats. In fact, security leaders are resigned to a rise in attacks, with 63 per cent expecting a rise in data loss within their organisation this year.
22 per cent of CISOs have banned staff from using AI chatbots due to security concerns
Many security leaders are already pushing back against the infusion of AI into their organisations, with almost a quarter banning the use of openly accessible generative AI tools such as ChatGPT.
These third-party tools are incredibly difficult to secure within a business, as the user has no control over where their inputted data goes or what it’s used for. This gives rise to a major challenge for CISOs; controlling what employees enter into these Large Language Models (LLMs).
Some of the world’s biggest companies have already banned the use of generative AI tools among employees, and judging from our survey data, many businesses are following suit by taking a zero-trust approach to keeping their data secure.
76 per cent say their AI implementation has been halted due to cyber risk
With the huge market for AI tools making the security posture of many third-party apps difficult to gauge, two-thirds of organisations have put the brakes on their AI implementation plans due to security risks.
New AI apps are materialising constantly, and as businesses rush to exploit the potential benefits of autonomous tools, CISOs are left scrambling to ensure that these products don’t pose a threat to the digital environment.
Given the extent and intricacy of this undertaking, a huge number of companies have had to pause the rollout of their AI strategy due to fears around cybersecurity, potentially impacting their competitiveness and ability to innovate.
Until the availability and effectiveness of defences against AI-powered threats improve, we could see such obstruction of AI adoption become more widespread—currently, 81 per cent of security leaders believe the risks of implementing AI outweigh the benefits.
61 per cent of CISOs said they’d seen an increase in cyber-attack complexity due to AI
It’s not just the quantity of attacks that AI has the power to increase, but also the ‘quality’. AI tools are becoming more sophisticated every day, and so are the tactics and algorithms they’re creating for malicious use.
According to our survey results, the majority of security professionals are already seeing more complex and cutting-edge attacks being fired at their businesses. Using AI to root out common scam red flags like poor spelling and formatting, the ever-popular phishing method is more convincing and effective than ever.
Proving that the devil really is in the details, these social engineering attacks are also being bolstered by AI’s ability to quickly scrape personal information from the web. Adding in such specific information allows criminals to create increasingly targeted and credible emails that are far more likely to fool victims into giving over information like log-in credentials.
85 per cent of security leaders expect that AI advancements will outpace cyber defences
Since the dawn of informational technology, malicious actors and security professionals have fought for the upper hand—and AI is firmly becoming one of the most impactful tools ever to emerge in this constant arms race.
With AI technology developing at a shocking pace and new tools hitting the market every day, the majority of cybersecurity leaders are expecting a major struggle to get ahead of the curve. Although 69 per cent are proactively investing more cash into defences against AI, the bulk of the industry expects that the development of cyber defences will fall behind that of AI advancements.
So what are these security leaders doing to protect their environments from these risks? High on the agenda was anticipating attacks, with 48 per cent saying they’ve conducted a security risk assessment this year to account for new threats.
The same percentage states that they’ve developed new policies to protect their organisations financially in the event of a breach. And 39 per cent have created a formal incident response for dealing with ransomware attacks; an increasingly common type of attack that’s expected to cost businesses over $30bn this year.
What you can do to protect your business
Despite the risk it poses, AI isn’t going anywhere. If organisations want to reap the benefits AI offers while mitigating the significant risk involved, they need to take action to shore up their cybersecurity posture with AI in mind.
Firstly, make sure cybersecurity is a priority at all levels of your business. Defending your digital environment shouldn’t be something that comes up at the end of a project or implementation, nor should your employees’ awareness of it be limited to changing their passwords every other month.
AI will change a lot of what we’ve come to expect from cyberattacks. Existing cybersecurity training won’t be up-to-date enough to make employees aware of the dangers or let them know what to look out for. Robust, relevant training must be conducted for every employee to reduce the risk of them falling victim to an AI-powered scam.
Invest in your defences. An ounce of prevention is worth a pound of cure, and with the average cost of a cyber breach rising every year, it’s a far better plan to invest in additional security measures now than wait until the inevitable happens.
Although AI is fuelling new and more powerful threats, it’s also being employed to great effect by cybersecurity experts and vendors. If you haven’t already implemented cybersecurity tools bolstered by AI technology, then it’s time to fight fire with fire. Adding smarter tools to your cybersecurity stack, such as AIOPs platforms and next-generation SIEM and UEBA products, can greatly increase your ability to detect and prevent threats of all kinds before they impact your business.