Innovation or a vulnerability: Is AI a threat to Cybersecurity?

Artificial intelligence (AI) is revolutionising the world as we know it. AI has silently been underpinning most of our technology since the early 2000s, so we’ve been enjoying the benefits of it for a while now. But as AI evolves, it is inevitable that cyber criminals would leverage this sophisticated technology to their advantage. 

We spoke to two Sure Business professional services consultants, Grant Mossman and Malcolm Mason, and asked what their opinion on the rapid evolution of AI was and if this poses a threat to cybersecurity.

What are your initial thoughts on the emergence of AI technology? 

Grant: The technology itself is not entirely unfamiliar to us, but the outstanding difference is that the hardware is now catching up with the algorithms. We know that the public might be concerned about generative AI taking over, but I don’t think it will.

There’s always an element of risk with anything new, and we are still trying to understand how this technology will fit into our environment. We are all adapting to more unique ways of working.

Malcolm: I agree; since it’s emergence in the 1950’s, mainstream deployment of machine learning for linear tasks such as anti-virus, and the inception of deep artificial neural networks in the 2010’s, people have only just taken a keen interest into the deeper learning and the algorithms of this clever technology. The difference today is that the speed of computing has drastically improved making these big budget models and huge amounts of data readily accessible to small and medium businesses.

Should businesses be worried about implementing AI?

Malcolm: They should be worried about not implementing an AI strategy. AI is a natural evolutionary step, and we’ve seen that the people who developed a data strategy have thrived, but others without a strategy haven’t. We would recommend that for 90% of businesses, a data strategy is vital.

Grant: It depends on whether the AI in question is a publicly available version or an in-house segregated version for only internal use. It matters where it originates from, as this is where your data will be held. For example, ChatGPT is a public location, so any data inputted becomes public domain.

What are the key concerns around AI and cybersecurity?

 Grant: Well, I think two key concerns stand out for me at the moment: 1: People don’t fully understand the concept of where their data is going or how that data is being used, and I don’t think enough is being done to highlight the implications of putting sensitive data into these AI chatbots. A few large-scale corporations have been blocking the use of these AI chatbots, like ChatGPT, as it poses a risk to sensitive company information. 2: How threat actors now use this same technology to launch sophisticated attacks against us. Phishing and Social engineering, as we have known it, is about to get a lot harder to spot and deter.

Malcolm: Another big concern is the grey area around PII (personal identifiable information). Think about how often we use both personal and publicly visible data to create accounts to identify ourselves, such as with online banking. The accuracy of AI models to identify and impersonate individuals  using publicly accessible data for malicious activities are now blurring how we categorise as personally identifiable information.

Can AI software be taken advantage of and if so what are the risks?

Grant: Yes, it can. Not long after ChatGPT, FraudGPT became prevalent. Cybercriminals are using the large language model and simply asking it to learn criminal data to create phishing emails and malware applications.

Malcolm: People have quickly learnt how to leverage the applications to influence prediction and output generation through creating bias in self-learning models to suit their own deviant needs. When people feed in bad data, this gives bad outcomes, and in turn manipulates other outputs. It is becoming very easy to train any program and model to produce fraud.

How can you use AI responsibly?

 Grant: It comes down to user responsibility and education. In the wrong hands, any program can be manipulated to be destructive or malicious, and it’s about what the users’ intentions are and how informed they are about where that data will go.

Malcolm: This is a new technology, but humans are still the experts. Having a full understanding of your business processes, how you employ data models and AI, and making sure a safety policy is in place is essential.

In your opinion, does AI software pose a data protection threat and why?

Grant: The short answer is yes, I am very concerned. At this point in time, we don't know enough to say how much of an issue this may be.

Malcolm: All the major free office tools we have all have AI built in to create content. AI is learning from something and it’s learning from YOUR data. We would advise caution with what the regulations say and always keep in mind if this aligns with your customer promises. It’s a real grey area as there’s not much software that doesn’t have an AI function embedded now.

How can organisations best mitigate cyber threats posed by AI?

Grant: We can’t stop it, but we can attempt to control it. We should be educating our staff on the importance of data protection. We should also implement a data classification model to make it easier for staff to know whom data can be shared with. From a threat standpoint, follow the basics as usual, say no to unwanted software, and ensure you have deployed excellent EDR software.

Malcolm: Data protection is paramount. It has become easy to exploit cloud services employed by the business now and criminals would likely go for users first and then the businesses that they are working with.

What advice would you give organisations to stay secure?

Grant: Make sure all your systems are patched and updated accordingly. Be smart and layer the latest AI prevention solutions over your existing stack. Review and test your solutions to ensure they are configured and working correctly. Consider acquiring the Cyber Essentials Plus certification, as this will highlight to all your partners/business suppliers, etc., that you take security seriously.

Malcolm: Our main priority is giving our customers control of their data, so they know exactly where it is and that it is in safe hands.