Corporate boards need to be better coordinated and more urgent when addressing cybersecurity issues, as malicious actors turn to artificial intelligence (AI) to improve their game.
The primary role of a board of directors is to grow and safeguard the interests of the company alongside its management team. With digital so integrated into many organizations today, cybersecurity must be part of a board’s growth strategy, Clifford Capital Chairman Sanjiv Misra said during a panel discussion at Charter Istari Global’s Asia-Pacific Cyber Congress in Singapore.
Without cybersecurity, a board’s ability to grow its business will be severely compromised, Misra said. Lee Fook Sun, another panelist and president of Ensign InfoSecurity, agreed, emphasizing the connection between the physical and cyber domains. The conflicts in Ukraine and Gaza, for example, have increased the number of online threat activities fueled by hacktivism and nation-state attacks.
Boards need to understand how such real-world developments impact online environments and, as such, translate into business risks for the company they are responsible for, Lee said. A successful approach requires knowing what and where the threats are and who the attackers are. Lee said threat intelligence from security vendors such as Ensign, which recently released some of these metrics, can offer insights to boards.
Although boards are increasingly aware of cyber risks, Lee believes there is still a lack of cohesion between boards and the rest of the organization. Attention to cyber risks is often driven by regulatory concerns, with urgency typically only manifesting after the organization suffers its first breach.
Lee urged boards to understand the work of their CIO and CISO and determine how effective these leaders are in their role. For the “well-oiled machine” to work, boards need to be able to have open discussions with the two people responsible for identifying and defending the company against online threats, he said.
And since most boards likely have other pressing matters, such as finances, he suggested they delegate cyber risk management to a subcommittee. He added that this unit will then be able to assess the effectiveness of the company’s cybersecurity strategy and cyber resilience, providing some oversight.
Misra highlighted the need for boards to recognize cyber risks and manage their impact on the business. They will then be able to prioritize these risks, to identify which elements need to be addressed more urgently and how these threats need to be managed. And they should undertake this activity soon, because the volume of cyberattacks continues to rise.
Organizations must adopt essential measures
Interpol, for example, has warned that the biggest threat to security at the upcoming Paris Olympics will be cybercrime. The 2021 Tokyo Olympics saw 450 million cyberattacks, more than double the total for the 2012 London Olympics.
Such attacks can disrupt activities that require the support of IT systems, including ticketing, transportation and administration. The ever-increasing cyber threat highlights the need for countries like Singapore, where digital developments are relatively advanced, to prioritize cybersecurity and strengthen their cyber defense capabilities, according to its Minister of Communications and Information, Josephine Teo.
This prioritization means strengthening digital infrastructure and the resilience of businesses operating in the country, Teo said during her speech to the congress. “They provide the services that people use and define our online experiences,” she said, urging organizations to do more to protect their cyber operations.
Referring to a study conducted by Singapore’s Cyber Security Agency (CSA), Teo noted that the research revealed the need for more businesses to adopt essential security measures.
On average, surveyed organizations have adopted approximately 70% of security measures across five categories, including using secure configuration settings for hardware and software, controlling access to data and services, and updating software on devices and systems. Partial adoption of these key measures is “inadequate”, Teo said.
The study surveyed more than 2,000 organizations across 23 industry sectors and seven charity sectors. Most respondents have experienced at least one cyber incident, such as ransomware or phishing attempt, in the past year.
“We are only strong at the weakest link. If all these essential measures are not adopted, organizations will remain exposed to unnecessary cyber risks,” said the Singaporean minister. “In the CSA’s view, the ‘pass mark’ should be set high enough to provide assurance – to your senior management, employees, suppliers and customers. This means adopting the full set of essential measures in each of the five categories.”
Only a third of organizations have adopted all measures in at least three categories, she added. Nearly 60% recognized a lack of expertise or experience in effectively implementing cybersecurity.
“Cyber risks have increased and continue to evolve rapidly. This has contributed to the shortage of cyber professionals, (where) even the most sophisticated organizations struggle to keep up,” Teo said. She noted that Singapore was working to strengthen its cybersecurity talent pool through programs such as the CyberSG Talent, Innovation and Growth Plan (TIG Plan).
Generative AI can also be a great equalizer in the context of the global skills shortage in cybersecurity, according to Alvaro Garrido, CISO of the Standard Chartered group. People who hadn’t set up a system before can now do so through prompts, Garrido said during a convention roundtable.
He said generative AI improves productivity and also provides a way to translate complex threat intelligence into information that can be universally understood. Emerging technology has made it easier for professionals to join the cybersecurity industry, even if they couldn’t before, and close the skills gap.
His team is experimenting with generative AI and applying it to certain tasks where they see an average increase of 30% in productivity.
Daryl Pereira, Asia Pacific CISO at Google Cloud, cited similar gains from his team’s use of generative AI, including a 70% improvement in detecting malicious scripts.
The American company works on threat detection and triaging security incidents. Pereira said AI, powered by the cloud, can analyze data faster than humans and deal with potential threats.
He also highlighted the possibility of arming non-security professionals to take on certain SecOps (security operations) tasks, using generative AI as a guide with natural language prompts. For example, they can manage day-to-day operations at the SOC (security operations center), such as reviewing logs, freeing up the core cybersecurity team to focus on more advanced defense functions.
Threat Actors Use Generative AI
Companies that have not yet used generative AI to strengthen their cybersecurity capabilities will face online adversaries who are already doing so.
In particular, threat actors are using generative AI to create more convincing phishing email messages, noted Simon Green, president of Palo Alto Networks APAC Japan, at the security vendor’s Ignite on Tour event in Singapore this week.
Citing the results of an internal test, Green said the company’s SOC team achieved a 25% click-through rate for a phishing email created using generative AI. The email was sent to all employees who have worked at Palo Alto for at least three years, containing a request that they update their employee records after reviewing the company’s recently updated personnel handbook.
Noting that the click-through rate for the test will likely be higher for non-security companies, he said generative AI fixed a problem that previously made it easier to identify phishing emails. Emerging technology has allowed hackers to produce these messages without grammatical errors, quickly and at scale.
Access to these cloud-based tools and information has also enabled threat actors to quickly simulate attacks, modify and refine ineffective attacks, and establish new attack vectors with higher success rates.
Additionally, the growing adoption of AI is leading to a new category of vulnerabilities, like poisoning large language models and deepfakes.
This change requires a shift in how cybersecurity is developed and deployed, according to Green, who said Palo Alto is looking to apply AI capabilities across its product portfolio and integrate an AI “co-pilot”.