
What CEOs Need To Know About AI And Cybersecurity In 2024


When people claim AI will replace jobs, they likely aren’t referring to the CEO’s position.

That was exactly what happened to LastPass earlier this year when a deepfaked version of their CEO, Karim Toubba, reached out to the firm’s employees via WhatsApp.

Thankfully the attack was thwarted by sufficiently suspicious staffers, but it’s only a matter of time until we gather here to analyze the results of an attack that worked, largely thanks to advances in AI.

One problem with AI is that it empowers bad apples just as much as it does the good ones, which is why we’ll soon look back at the $28 billion worth of damages cyber attacks caused last year as just the beginning.

That is, unless CEOs get serious about countering AI-powered cybersecurity threats today.

The Evolving Trifecta Of Threats: Phishing, Social Engineering and Network Penetration

The cybersecurity landscape is undergoing a dramatic transformation right under our eyes.

“The barrier to becoming a hacker is lower than ever before,” Rinki Sethi, CISO at BILL, reflected on the current situation where the tools for circumventing everything from parental controls to corporate-grade security can be generated with a few prompts.

As a result, traditional attack vectors such as social engineering, phishing and network penetration now all have an AI-powered counterpart that can do more harm to more victims, faster than ever before.

Although the attack vectors have grown more potent, our vulnerabilities have remained the same.

“Most attacks start with someone tricking your staff to click on something,” Hed Kovetz, CEO of identity security company Silverfort, explained in our recent discussion on the rapidly evolving cybersecurity landscape and how easy it’s becoming for hackers to access a network and move laterally.

One feature of AI-driven phishing attacks is the use of machine learning to tailor phishing campaigns to the individual, adjusting messages based on what proves most effective at deceiving users in real-time.

This means that phishing attacks are no longer static, and reporting a suspicious email to IT will do nothing to deter the same attacker from catching their prey moments later. What’s worse, the way we currently raise awareness about phishing, through gotcha emails sent by IT, might create an unfounded sense of confidence in employees’ ability to react appropriately.

At the same time, social engineering attacks are becoming increasingly difficult to detect and deter.

Just like with LastPass’ deepfaked CEO, cybercriminals can use AI to craft highly personalized and convincing scams. Everything a hacker needs to create a detailed replica of any CEO is typically available on social media and public platforms. More poignantly, all a hacker needs to have success with their replica is one employee who can’t tell the difference or simply doesn’t have the time to.

“We’ve found the human element in security systems to be the most vulnerable,” Aaron Shilts, CEO of cybersecurity company NetSPI, explained in our recent discussion on what makes cyber attacks work.

“Whether it’s executive assistants opening the server room door to a crew in safety vests or a CEO logging into a spoofed WiFi network, the fundamental issue is often a lack of knowledge, awareness or time to act in a safer manner,” Aaron added.

And if knocking on employees’ doors won’t work, malicious actors have a number of other entry-points ready to be exploited.

On the network penetration front, it is safe to assume that AI algorithms already scan for vulnerabilities at a speed and accuracy far beyond human capabilities.

Once a weakness is identified, attacks can be deployed at a scale and precision that traditional hackers could never achieve manually. “The walls around companies need to get more sophisticated, and fast,” Rinki added as we explored the second-order consequences of AI-powered penetration attacks.

Start By Making Cybersecurity Accessible To All

Apart from going back to pen and paper, there’s no way for a CEO to avoid cybersecurity threats.

Making the right preparations is key, and the best place to start is by making cybersecurity accessible as a topic of discussion to everyone in your organization.

“CISOs can’t fix everything on their own. We need everyone in the fight against these threats, and getting there means that we need to start talking about cybersecurity in more accessible terms,” Bronwyn Boyle, contract CISO of TSB Bank, explained in our chat about what companies can do to stand up against AI-powered malicious actors.

The cybersecurity field is not known for being particularly diverse, meaning that your message is unlikely to reach, or resonate with, the entire target audience as well as it could.

“We need more folks to enter the field, this means people with marketing, legal and every other kind of experience that is material for how our organizations operate in the cybersecurity landscape,” Rinki explained.

Leverage Context To Deter AI-Powered Social Engineering Attacks

Malcolm Gladwell’s 2019 book Talking With Strangers is built on his observation that as a species, we tend to default to trust.

We’re fast approaching a time where we might need to rethink our collective approach, given that everyone you have ever met can now be impersonated with a few careful prompts.

Zero trust is the term cybersecurity experts use for frameworks in which no one, inside or outside the network, is trusted without verification. “Zero trust doesn’t mean that there is no trust. Instead, it means that I should only trust you after I have verified you,” Hed explained, describing how the concept is put into practice today and where the industry needs a mindset shift when it comes to enabling trust.

The context in which we communicate, and how we do so, provides incredibly valuable information that CEOs and their staff must learn to leverage as a defense against social engineering attacks.

Knowing that the CEO only sends emails when it comes to finances and never uses emojis can be all the ammunition your staff needs to deter even the most sophisticated social engineering attack. The more context we have the easier it becomes to verify and trust each other.

Recognize That This Is An Arms Race

The arms race against malicious actors is on whether you are defending yourself or not. Unless you’re keen to sail forward with only luck in your sails, continuous learning and dedicated frameworks for deterring AI-powered cybersecurity risks are the way to go.

Having CISOs that are empowered to challenge and push the organization’s ways of working is one tried and true approach. Another is leaning on the vast number of service providers that can shore up your defenses in ways you couldn’t on your own.

Whatever steps you end up taking, it’s important to realize that they will be outdated at or shortly after deployment.
