How dangerous is AI for your organization?


According to Pierre Samson, Chief Revenue Officer of Hackuity, AI tools can help boost your productivity at work. But do they also make life easier for cyber attackers? A Salesforce survey of senior IT leaders showed that while two-thirds (67%) are prioritising generative AI for their business in the near future, a similar majority (71%) also believe it will introduce new security risks to data.

Attackers are already using ChatGPT and generative AI to write malicious code (and are boasting about it on developer forums). While ChatGPT advocates may downplay the risk, researchers have found that ChatGPT can be tricked into producing viruses and spyware.

Stronger controls and laws must first be put in place, according to AI specialists, who have urged a six-month moratorium before training more potent AI systems. The use of AI is also being regulated by governments throughout the world, with Europe leading the way with the first AI Act and the Philippines following closely after talks with the European Union (EU) and the Association of Southeast Asian Nations (ASEAN) on how to start regulations for AI.

Don’t slam the panic button just yet. These latest "advancements" are not entirely new developments; they are simply accelerating traditional hacker tactics. Likewise, AI tools are agnostic, meaning they can also be leveraged by security teams for defensive tasks, from identifying cybersecurity anomalies to creating evasion codes.

Where to start?

As with any new threat, organisations should be evaluating what potential risks ChatGPT poses to their specific attack surface. That isn’t a call to completely rethink cybersecurity. But companies need to double down on their cyber hygiene to ensure a robust defence.

Most organisations are still struggling to identify, prioritise, and remediate the most basic threats. Only 15 percent are cyber “mature,” according to a recent Cisco study, and more than half are still in the “beginner” or “formative” stages. There are plenty of fundamental security gaps that need to be addressed first before diverting resources to the latest AI threats. Or to put it another way, don’t rush to bake a cake when you’ve been missing the recipe for years.

Headlines would have you believe that generative AI and ChatGPT are radically new forms of cyber threats when, in reality, they’re just magnifying the age-old attack classics. Where AI changes the game is enabling these same attacks at an unprecedented scale. Still, none of that matters if you don’t have the right fundamentals in place.

How can I protect myself?

Zero Trust, which authenticates users in a modern security architecture, is a framework that addresses many of the modern challenges of today’s businesses. It helps secure remote workers, protects hybrid cloud environments, and shields the company from ransomware threats.

Many organisations have adopted some form of Attack Surface Management (ASM) to discover and analyse vulnerabilities and potential attack vectors. Zero Trust likewise looks beyond traditional security perimeters. It’s not sufficient on its own, but it is necessary.

The principle is simple: never assume identity, and implement least privilege access to reduce the attack surface. This applies equally when confronting generative AI.

What's the right process?

Effective vulnerability management begins with knowing which vulnerabilities you need to prioritise and then automating your team’s remediation workflow to tackle them systematically. Eliminate any blind spots in the cybersecurity perimeters and focus on what matters to your organisation.

Intelligent solutions can support cyber hygiene by aggregating data from the dozens of siloed security tools that most firms already have in place and analysing more than 200,000 common vulnerabilities and exposures. AI can help with that.

Start with the basics. Conduct analysis to know the critical risks specific to your business and how they translate in terms of your technical assets. You cannot protect what you do not know. Have clear accountability: identify the stakeholders in charge of cybersecurity, from top to bottom and, yes, including the board. Employees can be your first line of defence or your attacker’s point of entry based on your investments.

Implement a step-by-step approach. Cybersecurity is a journey of continuous improvement. Adopt the 80:20 rule: Start with the 20 percent of actions that cover 80 percent of your risks. Secure your quick wins and basic protections, then take your Vulnerability Management program to the next level.

Should we invest more in technology?

Start by adopting detection tools and practices to protect your network and endpoints. (For smaller enterprises that don’t have the bandwidth and funds to invest in technology, consider managed service providers that can cover an extensive range of security services.) From there, ensure those data flows are contributing to the same bigger picture for your security teams.

What we observe is that 80 percent of breaches still come from a lack of basic cybersecurity hygiene that could have been prevented with steady investments, top-down willingness, and awareness of the risks. Investing in not only people and processes but also the right technologies can make the difference. AI can be a great ally, but only if you get the cyber defence fundamentals right first: gain visibility, secure and protect, monitor, respond, and evaluate.