Businesses need clever strategies to counter the cyber security challenges arising from the emergence of artificial intelligence, writes Puneet Kukreja
The enormous power of generative artificial intelligence (GenAI) and large language models (LLMs) is just beginning to be understood. Its capacity to automate and accelerate business processes is only starting to be explored fully.
As is the case with the deployment of any new technology, however, GenAI brings with it new cyber vulnerabilities.
Cyber security matters are emerging as a key concern for technology leaders in Ireland amid the surge of AI-enabled cyber attacks.
According to the EY Ireland Tech Leaders Outlook Survey 2024, the percentage of respondents who identified elevated cyber risks and the management of data protection and data flows as critical challenges has risen to 61 percent, up from 53 percent in 2023.
Like the move to the cloud over a decade ago, the technology will create new cyber exposures and increase the attack surface for cyber criminals.
For example, consideration needs to be given to securing the LLMs that gather and analyse data from various departments within the organisation. Ensuring the secure collection and transmission of this data is paramount, as is the fortification and security of the model itself.
Monitoring emerging vulnerabilities closely
This is not a reason to shy away from the technology. It is simply a reminder that it must be treated in the same way as any new IT investment from a cyber security point of view.
Few organisations would risk connecting an unsecured PC or laptop to their network and the same approach should apply to AI.
AI in cyber security is a double-edged sword. While it empowers organisations with enhanced security capabilities, it also equips cyber criminals with similar tools, enabling individuals who lack advanced coding skills to use GenAI to create malicious code efficiently.
With just a few prompts, GenAI can quickly generate code to identify and exploit vulnerabilities within an organisation's network, a task achievable within minutes.
Change approach, not budget
The good news for organisations and for Chief Information Security Officers (CISOs) is that they do not necessarily have to make significant new cyber security investments to restore the balance. The first step is to focus on what you already have.
It is not a question of a new investment in cyber security, but rather of a new approach.
In the same way as the cloud changed the shape of organisations’ networks and cyber defences had to be extended to cover the new expanded perimeter, existing defence systems will need modification to bring GenAI models within their orbit.
Stolen credentials present a grave peril to organisations. To bolster security beyond passwords and multi-factor authentication (MFA), organisations can deploy AI-driven solutions that monitor user behaviour for unusual login patterns or atypical actions. These systems scrutinise user interactions with critical infrastructure and can swiftly detect unauthorised access attempts or transactions.
Adopting this strategy enhances cyber security defences by integrating AI technology that can strengthen existing measures and counter new threats with speed and efficacy.
Procurement processes will also play an important role. Organisations must ensure that they are not buying trouble when they invest in GenAI. They need to interrogate vendors very closely to ensure that the systems they are acquiring are secure and do not bring increased vulnerabilities with them.
Of course, organisations will need to invest in upgrades to guard against the AI-driven increased sophistication of phishing and other cyberattacks, but this can be accommodated within normal cyber budgets.
Finally, it cannot be emphasised enough that GenAI will not offer a silver bullet to organisations seeking to bolster their cyber defences.
Humans: the last line of defence
While organisations exploit the potential of advanced AI, they need to be mindful of the advent of new cyber vulnerabilities.
Using existing cyber security measures to protect AI systems and applying rigorous due diligence to the purchase of such systems will help deal with the heightened threat, as will increased awareness of the new environment.
While AI undoubtedly offers the ability to further automate certain elements of cyber defence and to enhance threat detection, it will not replace any of the existing cyber security systems in place or the human as the last line of defence.
Puneet Kukreja is Cyber Security Leader at EY