AI turns up the heat for cyber risk management

In our recent whitepaper, The Cyber Arms Race, we highlighted the long term risk to businesses from narrow AI based on large language models, and the systemic reliance on employees to increase their cyber security aptitude. Before the explosion of interest in ChatGPT (OpenAI’s chatbot) in 2022, AI driven cyber-attacks were considered a ‘bogeyman’ in cyber security. The potential threat from AI tools to conduct increasingly efficient and effective cyber-attacks was a futuristic scenario that prompted many cautionary tales of allowing the technology to advance unchecked. However, the rise of ChatGPT has promptly reminded the cyber security industry that it is not just a future amorphous threat.

For businesses, this means their level of risk has cranked up a notch. Tools like ChatGPT offer the capability to more efficiently craft phishing and spear-phishing emails, without the obvious clues (such as poor spelling or grammar). This puts much more pressure on employees using their intuition to spot (spear)phishing emails, and therefore more pressure on business leaders to engage with their staff and provide them with the tools to make the right decision every single time.

Phishing is just one area that AI could impact: ChatGPT can also write malicious code. The UK’s National Cyber Security Centre warns that, as AI tools based on large language models continue to learn and develop, they will rapidly become more effective at writing better malware. The barrier to entry for cybercrime is currently relatively high compared to physical crime, as potential attackers need the requisite knowledge and capabilities. A fear often cited is that ChatGPT will lower the barrier to entry, creating opportunities for the development of new malware and generally increased insecurity. However, currently the capability to write effective malware is low, and therefore much of the focus on generative AI is the threat from phishing, which it arguably has lowered the price of entry for.

This has created a pseudo-AI arms race. As attackers use more sophisticated tools to conduct and launch cyber-attacks, the cyber security industry has embedded AI, machine learning and automation into its products to help organisations defend against this greater volume and complexity. Machine learning is particularly useful for security monitoring, enabling analysts to identify, respond to and remediate attacks more effectively. It can also be used in cyber threat intelligence to analyse, classify and triage data, analyse malware, identify patterns in emails that may signal phishing, and much more.

The threat to businesses has prompted some, but perhaps not enough, of a response from policymakers. Jen Easterly, the Director of the US’ Cybersecurity Infrastructure and Standards Agency, warned of grave threats to national cyber security from AI tools such as ChatGPT. She cautioned against the proliferation of AI without the correct checks and balances, such as regulation, and the downstream risks that this could pose to national security. However, this may have arrived too late, as China’s substantial investments into AI indicate that US regulation simply may not be enough to stem the tide of AI driven cyber-attacks.

Unfortunately, organisations cannot wait for governments to develop regulation that ensures security is embedded in the development of AI tools, as they pose a serious increase in cyber risk today. Instead, fighting fire with fire is the best option for businesses right now, by increasing their defensive toolset with products that adopt automation, machine learning, and AI where possible. Coupled with an arsenal of effective defences, employee training must become more frequent and effective, underpinned by a positive security culture.

If you want to find out more about the future cyber threats businesses should be cognisant of today, read our recent whitepaper on The Cyber Arms Race.