AI is changing cybersecurity and businesses must wake up to the threat
Corporate boardrooms must become better coordinated and urgent when they address cybersecurity issues, as threat actors turn to artificial intelligence (AI) to improve their game.
A board's primary role is to grow and safeguard the company's interests alongside its management team. With digital so integral in many organizations today, cybersecurity must form part of a board's growth strategy, Clifford Capital chairman Sanjiv Misra said during a panel discussion at Istari Global's Charter Asia-Pacific Cyber Congress in Singapore.
Also: Cybersecurity 101: Everything on how to protect your privacy and stay safe online
Without cybersecurity, a board's ability to grow the business will be severely compromised, Misra said. Fellow panelist Ensign InfoSecurity chairman Lee Fook Sun concurred, noting the connection between physical and cyber realms. The conflicts in Ukraine and Gaza, for example, have pushed up the number of online threat activities, driven by hacktivism and nation-state attacks.
Boardrooms need to figure out how such real-world developments impact online environments and, as such, translate into business risks for the company under their charge, Lee said. A successful approach requires awareness of what and where the threats are and who the attackers are. Lee said threat intel provided by security vendors such as Ensign, which recently published some of these indicators, can offer insights for boards.
While awareness of cyber risks has increased among boardrooms, Lee said there still is a lack of cohesion between boards and the rest of the organization. Attention to cyber risks is often driven by regulatory concerns, with more urgency usually exhibited only after the organization has suffered its first breach.
Lee urged boards to understand the work of their CIO and CISO and determine how effective these executives are in their roles. To have "well-oiled machinery" running, boards need to be able to have open discussions with the two people responsible for identifying and defending the company against online threats, he said.
Also: The best VPN services (and how to choose the right one for you)
And as most boards likely have other pressing issues, such as financials, he suggested they delegate cyber risk management to a sub-committee. He said this unit can then assess the effectiveness of the company's cybersecurity strategy and cyber resilience, providing some supervision.
Misra underscored the need for boards to recognize cyber risks and frame their impact on the business. They will then be able to prioritize these risks, so they can identify what elements should be addressed with more urgency and how these threats should be managed. And they should undertake this activity soon, as the volume of cyberattacks continues to climb.
Organizations must adopt essential measures
Interpol, for one, has warned that the biggest security threat at the upcoming Paris Olympics will be cybercrime. The Tokyo Olympics in 2021 experienced 450 million cyberattacks, more than double the total during the 2012 London Olympics.
Such attacks can disrupt activities that require the support of IT systems, including ticketing, transportation, and administration. The ever-growing cyber threat highlights the need for nations such as Singapore, where digital developments are relatively advanced, to prioritize cybersecurity and boost its cyber-defense capabilities, according to its Minister for Communications and Information, Josephine Teo.
This prioritization means bolstering digital infrastructures and the resilience of companies operating in the country, Teo said during her speech at the congress. "They provide the services that people use and define our online experiences," she said, urging organizations to do more to safeguard their cyber operations.
Pointing to a study conducted by Singapore's Cyber Security Agency (CSA), Teo noted that the research revealed the need for more companies to adopt essential security measures.
Also: How AI firewalls will secure your new business applications
On average, organizations surveyed had adopted about 70% of security measures across five categories, including using secure configuration settings for hardware and software, controlling access to data and services, and updating software on devices and systems. Partial adoption of these essential measures is "inadequate", Teo said.
The study polled over 2,000 organizations in 23 industries and seven charity sectors. Most respondents had experienced at least one cyber incident, such as ransomware or phishing attempts, over the past year.
Also: How AI can improve cybersecurity by harnessing diversity
"We are only as strong as the weakest link. Unless all these essential measures are adopted, the organizations are still exposed to unnecessary cyber risks," the Singapore minister said. "In CSA's view, the 'passing mark' should be set high enough to give assurance -- to your C-suite, to employees, to suppliers, and to customers. That means adopting the full package of essential measures in all of the five categories."
Just one-third of organizations had adopted all measures in at least three categories, she added. Almost 60% acknowledged a lack of expertise or experience in implementing cybersecurity effectively.
"Cyber risks have increased and continue to evolve quickly. This has contributed to the shortfall in cyber professionals, [where] even the most sophisticated organizations struggle to keep up," Teo said. She noted that Singapore has been working to boost its cybersecurity talent pool through programs such as the CyberSG Talent, Innovation, and Growth Plan (TIG Plan).
Also: Want to work in AI? How to pivot your career in 5 steps
Generative AI can also be a great equalizer amid the global skills shortage in cybersecurity, according to Standard Chartered's Group CISO Alvaro Garrido. People who previously have not configured a system can now do so through prompts, said Garrido during a panel discussion at the congress.
He said generative AI enhances productivity and has also provided a way to translate complex threat intel into information that can be universally understood. The emerging technology has made it easier for professionals to join the cybersecurity sector, even if they couldn't before, and plug the skills gap.
His team is experimenting with generative AI and applying it to some tasks where they see an average 30% increase in productivity.
Daryl Pereira, Google Cloud's Asia-Pacific CISO, referred to similar gains from his team's use of generative AI, including a 70% improvement in finding malicious scripts.
Also: Employees input sensitive data into generative AI tools despite the risks
The US vendor is working on threat detection and triage for security incidents. Pereira said AI, powered by the cloud, can crunch data quicker than humans and address potential threats.
He also noted the possibility of arming non-security professionals to take on some SecOps (security operations) tasks, using generative AI as a guide with natural language prompts. For instance, they can manage daily operations at the SOC (security operations center), such as reviewing logs, freeing up the core cybersecurity team to focus on more advanced defense functions.
Threat actors are using generative AI
Companies that have yet to use generative AI to beef up their cybersecurity capabilities will have to contend with online adversaries that already are.
In particular, threat actors use generative AI to craft more convincing phishing email messages, noted Simon Green, Palo Alto Networks' APAC Japan president, during the security vendor's Ignite on Tour event in Singapore this week.
Citing the results of an internal test, Green said the company's SOC team obtained a 25% clickthrough rate for a phishing email created using generative AI. The email was sent to every employee who has been with Palo Alto for at least three years, containing a request for them to update their employee record after reviewing the company's recently updated staff handbook.
Also: The best VPN services for iPhone and iPad (yes, you need to use one)
Noting that the clickthrough rate for the test will likely be higher for non-security companies, he said generative AI has rectified a problem that previously made it easy to identify phishing email messages. The emerging technology has enabled hackers to produce these messages without grammatical errors quickly and at scale.
Access to such tools and information on the cloud has also allowed threat actors to simulate attacks quickly, change and finetune ineffective attacks, and establish new attack vectors with higher success rates.
In addition, the growing adoption of AI brings a new category of vulnerabilities, such as large language model poisoning and deepfakes.
This shift calls for a change in how cybersecurity is developed and deployed, according to Green, who said Palo Alto is looking to apply AI capabilities across its product portfolio and integrate an AI "copilot".