Cybersecurity and Artificial Intelligence: New Threats, New Defenses
Cybersecurity today is more crucial than ever. Attackers and malicious actors are constantly improving and increasing their attacks, and cybersecurity and artificial intelligence make a potentially dangerous combination. No one is immune. So it’s essential to be proactive to safeguard our data and improve our digital defenses.
See AI: A Double-Edged Sword for Cybersecurity with Vincent LaRocca for a complete transcript of the Easy Prey podcast episode.
Vincent “Vinny” LaRocca is the CEO of CyberSecOp, a cybersecurity and security compliance consulting organization. When he started his security career at IBM thirty years ago, there was no such thing as cybersecurity. He did network security there. About six years ago, he was working at a managed service provider company when he realize that a lot of organizations are trying to do both IT and security for organizations. That’s a conflict of interest – these organizations are basically checking their own homework. So with CyberSecOp, he made it security-only. Other companies can put up the defenses, and then CyberSecOp comes in and provides an independent check for vulnerabilities.
Scams Happen to Everyone
To the best of his knowledge, Vinny hasn’t fallen for a scam. But he once had a fraud issue where his checking account was breached. It ended up being internal fraud at the bank. Someone at the bank knew what his last check number was and forged the next one. They also forged the signature, although not close enough that Vinny couldn’t win a legal battle.
The important point is that scams and fraud can happen to anyone, no matter who you are. Even 100% perfect protection can’t stop a bank employee from forging a check. Because Vinny works for a cybersecurity company, they have a ton of controls in place to keep him from making an error. If that wasn’t the case, he would probably have a much longer list of scams and fraud that caught him. Vinny has seen people who you’d assume would be the last person on the planet to be scammed get scammed. You shouldn’t assume it’s not going to happen. The opposite, in fact – you should assume it’s going to happen to you at some point.
Current Trends in Cybersecurity: Artificial Intelligence
You’ve probably already heard people talking about artificial intelligence and cybersecurity. It’s a hot topic right now. Much of that is because cybercriminals are already using AI to enhance their attacks. The number of potential and actual breaches has grown exponentially over the last six months, and we’re going to see more of that trend.
Those that are looking to exploit our vulnerabilities and take advantage of it have started to use AI to automate their attacks and … extend their reach.
Vincent LaRocca
On the opposite side, though, we’ve also started to integrate artificial intelligence into cybersecurity. It can enhance monitoring, detection, and response capabilities to spot and stop these attacks. More and more industries are prepared to look at AI and understand how to use it.
One other trend of note is more organizations using AI tools like ChatGPT and Copilot. These systems are using and manipulating your data. You can’t just feed them what you have and let them have free reign. It’s important to put parameters around both your and your clients’ data so it’s not out there on the dark web. Almost every state now has some kind of data privacy protection law, and if you don’t understand how an AI tool is using the data you give it, you could get in trouble.
Companies Using Artificial Intelligence
We’re seeing a lot of growth not just in cybersecurity, but in companies using artificial intelligence for all sorts of things. On the low end, many businesses use it to summarize things like meetings. But there are also more sophisticated uses. A lot of AI integrators are taking data and creating access to things like applications.
One example would be an organization that uses AI to move their data out of their Customer Relationship Management software and move it into Quickbooks, an accounting program. The original location in the CRM had a set of rules and users with access. Quickbooks likely has a different set of rules and different users. And the AI had the data between the two. To really protect that data, you need to make sure you’re encapsulating it and being very careful about the rules and limits.
AI isn’t perfect yet, but it’s going to get there. About three hundred companies across the planet have said they’re going to collectively spend about a trillion dollars on AI research in 2025. With that kind of investment, it’s not going to go away – it’s just going to grow. If you’re using these tools, you need to understand what you’re doing and what the risks are.
Artificial Intelligence and Cybersecurity for Companies
There is a concern in cybersecurity that artificial intelligence will grow the attack surface so security people and systems can’t keep up with the quantity or complexity of the attacks. There’s a lot of conversation around that. AI is still largely an unknown, and we aren’t sure where we’re going to go from that. The threat actors are using AI a lot and they’re expected to grow. Generally, attackers are a step ahead of us. On the other hand, we can also use that to prevent their attacks.
If we know they’re using [AI] as an attack tool, we’ve got to use it as a defense tool.
Vincent LaRocca
For most companies Vinny works with, there’s a little bit of costs, but the real issue is hesitation. A lot of industries are just hesitant to implement artificial intelligence for cybersecurity. Is there a regulation that’s going to come down tomorrow that means you just spent a lot of money on something you can’t use? It’s hard to know.
Everybody and their brother is now touting that their tool or app uses AI. Vinny isn’t sure how many of those claims are accurate. But he does know that we’re going to see it used more and more until someone says we can’t do that anymore.
How Attackers are Using Artificial Intelligence
For the most part, artificial intelligence isn’t helping attackers come up with many new cybersecurity threats or new types of attacks. It’s mostly just letting them do the attacks they’re currently doing better and faster. There’s lots of sophistication these days. In the past, you could read a phishing email and get a feel for if it was written with a certain intent, or if the grammar indicated a non-native speaker wrote it. Now with AI, it’s more sophisticated and harder to detect. Spear phishing can also be done much faster now – the number of attacks per day has gone way up. This is the next level.
Everyone should assume it’s going to happen to them. Cybercrime is an industry, and that industry is growing. When you add artificial intelligence and the amount of money threat actors are getting from some of these attacks, it’s just a great incentive to attack more and more companies. In the past, small companies have had the mindset that nobody wants their data and they don’t have that kind of money anyway. But it doesn’t work that way. With these automated attacks, they’re just looking for any vulnerability. If you’re a smaller business, they’ll just get less money from you than from a bigger target, but they’ll still exploit you.
[If] you’re a smaller business, they’ll just take less money from you, but they’ll still attack you.
Vincent LaRocca
The good news is that Vinny is seeing much less of that mindset today. With the frequency of big publicized breaches, cybersecurity topics are on everybody’s mind. And there are regulations out there that require businesses to be protected, whether they want to or not.
Security and Compliance Aren’t the Same
When Vinny is talking about cybersecurity and compliance with artificial intelligence in the picture, he’s talking about two different things. Compliance is following the rules and the laws and any standards, like HIPAA, NIST, or ISO, that your company has to follow. One of the services CyberSecOp offers is a fractional CISO. They come in and look at where a company is today, where they should be, and create a roadmap to get there. This can be an overwhelming process for smaller businesses.
But just because you’ve checked all the regulatory boxes doesn’t mean you’re necessarily secure. You may be required to have an incident response plan or do a risk assessment on your infrastructure, but if you’ve never tested your plan or your risk assessment was done by the same people who set up your infrastructure (and therefore might not want to tell you all the ways it could fail), you might be leaving some huge security gaps open.
That’s the difference between security and regulation. … you checked all these boxes. That doesn’t mean you’re secure.
Vincent LaRocca
Common Gaps in Cybersecurity
When looking at cybersecurity, regulatory compliance, artificial intelligence use, the technological environment of the company, and other factors, Vinny has seen a lot of different companies in a lot of different states. But he’s noticed some common gaps that companies tend to miss.
Patching and Hardening
Patching and hardening refers to keeping operating systems and software applications up to date and patched. Every once in a while, things called zero-day vulnerabilities come up. These are vulnerabilities within a program that security personnel weren’t aware of, but criminals found and started exploiting. Zero-day vulnerabilities are resolved with patches. But if you’re not patching, that app or operating system is now vulnerable – which could give criminals a back door into all of your systems. Vinny has seen companies that do patching once a quarter or every six months, and that’s not nearly often enough.
Password Policy Problems
Many companies have controls to maintain secure passwords. But the problems happen when they leave vulnerabilities open intentionally. Vinny has seen organizations explain how they require strong passwords, they have to be twelve or more characters long, and need to be changed every sixty days, etc. But someone at the top, often a C-suite executive, is exempt from that policy because they keep forgetting their password or just got mad and refused to do it. That’s almost always where the breach is. So many people think cybersecurity and defending against artificial intelligence attacks is expensive. Often the monetary cost is very small. The important part is just paying attention to the little gaps.
There’s a lot of things you can do which are very little cost, if any. It’s just a matter of paying attention to it.
Vincent LaRocca
Logging and Audit Trails
A final common cybersecurity gap Vinny sees is issues with the logging and audit trail. When he deals with organizations who think they may have had a breach, most of them have audit trails overwritten every day or two. By the time they become aware there may have been a breach, the logs are overwritten and there’s no way to know. In that case, the company has to act as if there was a breach, and that can get expensive.
Being able to monitor and know what’s going on with your data is important. Vinny tells companies up front that if they’re going to pay his team to do forensics and try to figure out what happened, they could end up paying a lot of money to find out there’s no real way to know. In many cases it’s just better to act like it did happen. If you have a data loss prevention solution in place, that can solve many of these problems.
Cybersecurity is Good for Business
More and more organizations are understanding the risks of artificial intelligence-driven attacks and the importance of cybersecurity. They’re getting sophisticated in security and have made the investment. But you’re only as strong as the weakest link in your supply chain. If one of the vendors you work with or share data with has security vulnerabilities, that can affect you.
Your [cybersecurity is] only as strong as your weakest link.
Vincent LaRocca
Many companies are recognizing that, as well. If you’re not taking the proper steps towards better cybersecurity, other organizations may decide not to use your product or service or partner with you – and existing partnerships may dissolve as current partners’ audits realize you are a security risk. We’re seeing more and more of that now.
Many people feel that protecting their data is pointless because it’s already out there somewhere. If it’s out there already, why worry? But even if that’s the case, as a business owner you don’t want to hear that kind of attitude from someone you’re doing business with. And if you assume it’s out there, you can take precautions so it’s not used maliciously.
Especially for small and midsize businesses, it’s important to pay attention. But it’s equally important to do a risk assessment and vulnerability testing before you start spending money on cybersecurity and artificial intelligence tools. It doesn’t do you much good to put a fancy lock on your front door if there’s no door there. And locking the door isn’t super helpful if the window next to the door is wide open. Once you know where your glaring vulnerabilities are, you can address those first. This is an especially helpful strategy if your cybersecurity budget is limited.
Cybersecurity is Part of Life
The landscape of cybersecurity and artificial intelligence has changed drastically over the last few years. This is just the beginning of the AI revolution, and Vinny won’t pretend to be an expert on what it will do in other areas. But in cybersecurity, artificial intelligence will make threat actors more sophisticated and identify vulnerabilities we’re not aware of yet.
The tools are getting better, though. Security is becoming a way of life. Nobody loves doing two-factor authentication every time they log in, but it’s becoming the norm. Even if you don’t have a big budget for boosting your cybersecurity, pay attention. Don’t turn a blind eye, and don’t assume it’s going to be costly. It may take time, but many of the solutions with the biggest impact are pretty cheap. Protect your customers, employees, vendors, partners, and data. And don’t assume it’s not going to happen to you. Assume it is and plan accordingly.
Don’t make the assumption it’s not going to happen to you; you should make the assumption that it is going to happen to you.
Vincent LaRocca
Learn more about CyberSecOp at cybersecop.com. You can also connect with Vincent LaRocca on LinkedIn.
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
Your Online Order Never Arrived? Here’s What to Do Next
We’re getting into the holiday shopping season, and that means that you’re probably buying at least some…
[Read More]The Ultimate Privacy Gift Guide for 2024
The holidays are rapidly approaching – which means it’s time to think about holiday shopping. If you…
[Read More]How to Identify a Scammer Online: Spotting Digital Deception
Everyone is vulnerable to scams and fraud online, especially if you’re distracted or in a hurry. That…
[Read More]VPN Update: Is it still important to use a VPN?
Using a VPN (Virtual Private Network) when you’re online is still very wise and important and that’s...
[Read More]The “Red Flags” of a Scam Can Alert You to Pending Danger
We’re used to hearing “red flag” conditions. Hopefully, we know they indicate a dangerous situation or risky…
[Read More]Windscribe VPN
Windscribe VPN provides the ultimate privacy, security, and simplicity with an easy-to-use website interface.
[Read More]