As threat actors turn to artificial intelligence (AI) to improve their strategies, corporate boards need to be better aligned and increase urgency when addressing cybersecurity issues .
The main role of the board of directors is to work with management to grow and protect the interests of the company. With digital becoming essential to many organizations today, Sanjiv Misra, chairman of Clifford Capital, said cybersecurity needs to be part of a board's growth strategy.
Related article: Cybersecurity 101: All about how to protect your privacy and stay safe online
Speaking during a panel discussion at Istari Global's Charter Asia-Pacific Cyber Conference in Singapore, Misra said that without cybersecurity, boards' ability to grow their businesses will be severely compromised.
Fellow panelist Lee Fook Sun, chairman of Ensign InfoSecurity, agreed, pointing out the connection between the physical and cyber realms. For example, the conflict in Ukraine and Gaza has increased the number of online threat activities from hacktivism and state attacks.
Also: The best VPN services (and how to choose the right one for you)
The challenge is for boards to understand how these real-world developments impact the online environment and how that impacts business risk for the companies they serve, Lee said. Stated.
A successful approach requires being aware of what and where the threats are and who the attackers are. Lee said threat intelligence provided by security vendors such as Ensign, which makes some of these metrics freely available, can provide insight to boards.
He said that while awareness of cyber risks is increasing among boards, there is still a lack of cohesion between boards and the rest of the organization. Concern about cyber risk is often driven by regulatory concerns, and typically only becomes more urgent after an organization suffers an initial breach.
Lee asked boards to understand the jobs of CIOs and CISOs and determine how effective these executives are in their roles. He said that to keep a “well-oiled machine” running, the board needs to be able to have open discussions with the two people responsible for identifying and defending the company from online threats.
He suggested delegating cyber risk management to a subcommittee, as most boards likely have other pressing issues to address, such as finance. He said the department can assess the effectiveness of the company's cybersecurity strategy and cyber resilience and provide some oversight.
Also: Best VPN services for iPhone and iPad (yes, you should use them)
Misra emphasized the need for boards to be aware of cyber risk and frame its impact on the business. These risks can then be prioritized, so you can identify which elements need to be addressed more urgently and how these threats need to be managed.
And as the volume of cyber-attacks continues to increase, they should start doing this now.
Organizations must take mandatory measures
For example, Interpol has warned that the biggest security threat to the upcoming Paris Olympics is cybercrime. The 2021 Tokyo Olympics saw 450 million cyberattacks, more than double the total for the 2012 London Olympics.
Such attacks can disrupt activities that require support from IT systems, such as ticketing, transportation, and management. According to Communications and Information Minister Josephine Teo, the ever-growing cyber threats highlight the need for countries with relatively advanced digital development, such as Singapore, to prioritize cybersecurity and strengthen their cyber defense capabilities.
This prioritization means strengthening the digital infrastructure and resilience of businesses operating in the country, Mr Teo said in his speech in Parliament.
“They provide services that people use and define our online experiences,” she said, urging organizations to do more to protect their cyber operations.
Related article: How AI firewalls protect new business applications
Mr Teo pointed to a study conducted by Singapore's Cyber Security Authority (CSA), which revealed the need for more businesses to adopt critical security measures.
On average, organizations surveyed have approximately 70% more security measures in place across five categories, including using secure hardware and software configuration settings, controlling access to data and services, and updating device and system software. It was being introduced.
Mr Teo said partial adoption of these mandatory measures was “insufficient”.
Related article: How AI can leverage diversity to improve cybersecurity
The research surveyed more than 2,000 organizations across 23 industries and seven philanthropic sectors. Most respondents have experienced at least one cyber incident, such as ransomware or phishing attack, in the past year.
“We are only as strong as our weakest link. Unless we adopt all of these important measures, organizations will continue to be exposed to unnecessary cyber risks,” the Singaporean minister said. Ta.
“In CSA's view, a 'passing point' should be set high enough to provide assurance to executives, employees, suppliers, and customers that a complete set of required measures in all five It means adopting the package category.
Only a third of organizations have adopted all measures in at least three categories, she added. Almost 60% admit that they lack the expertise or experience to implement cybersecurity effectively.
“Cyber risks continue to grow and rapidly evolve, leading to a shortage of cyber professionals. [where] Even the most sophisticated organizations are struggling to keep up,” Teo said.
He noted that Singapore is working to strengthen its cybersecurity talent pool through programs such as the CyberSG Talent, Innovation, and Growth Plan (TIG Plan).
Also: Want to work in AI? How to pivot your career in 5 steps
Generative AI can also be a great leveler amid the global skills shortage in cybersecurity, according to Alvaro Garrido, group CISO at Standard Chartered. People who have not previously configured the system can now configure it through prompts, Garrido said during a panel discussion at the conference.
He said generative AI increases productivity and also provides a way to transform complex threat information into information that is universally understandable. New technology has made it easier for professionals to enter the cybersecurity field and fill skills gaps where they weren't able to before.
His team has been experimenting with generative AI, which has seen an average productivity increase of 30% when applied to some tasks.
Darryl Pereira, Asia Pacific CISO at Google Cloud, said his team has seen similar results using generative AI, including a 70% improvement in detection of malicious scripts.
Also: Employees enter sensitive data into generating AI tools despite the risks.
U.S. vendors are working on threat detection and security incident triage. Pereira said cloud-powered AI can process data and respond to potential threats faster than humans.
He also mentioned the possibility of using generative AI as a guide with natural language prompts and letting people other than security experts take on some SecOps (security operations) tasks. For example, a security operations center (SOC) can manage day-to-day tasks such as reviewing logs, freeing up core cybersecurity teams to focus on more advanced defense functions.
Threat actors are using generative AI
Companies that are not already using generative AI to enhance their cybersecurity capabilities will have to contend with online adversaries that already do.
In particular, attackers are using generative AI to create more convincing phishing email messages, said Palo Alto Networks APAC Japan president at the security vendor's Ignite on Tour event in Singapore this week. As one Simon Green pointed out.
Citing internal testing, Green said phishing emails created by the company's SOC team using generated AI had a 25% click-through rate. The email was sent to all Palo Alto employees who have been with Palo Alto for at least three years, asking them to update their employee records after reviewing the company's recently updated staff handbook.
He noted that test click-through rates are likely to be higher for non-security companies, and said generative AI has fixed issues that previously made it easier to identify phishing email messages. Thanks to new technology, hackers can now create these messages at scale and quickly without making grammatical errors.
Access to such tools and information on the cloud also allows attackers to quickly simulate attacks, modify and fine-tune ineffective attacks, and establish new attack vectors with higher success rates. It's now possible.
Additionally, the increasing adoption of AI introduces new categories of vulnerabilities, such as large-scale language model poisoning and deepfakes.
This change will require a shift in how cybersecurity is developed and deployed, Green said, and Palo Alto is looking to apply AI capabilities across its product portfolio and integrate AI “CoPilot.” Stated.
