Dive Brief:
- IT leaders say increased AI investments have made their organizations more vulnerable to cyberthreats, according to a Flexential survey published last week.
- More than half of executives blame the complexity of AI applications for weakening their company's cybersecurity posture by expanding the attack surface, according to the survey of 350 IT decision-makers at organizations with annual revenues of more than $100 million.
- Around 2 in 5 IT leaders say their security teams lack the skills needed to protect AI applications and workloads.
Dive Insight:
As AI has become more interwoven in the fabric of IT strategy, concerns around security have grown among enterprise leaders.
So far, AI-driven attacks have been minimal in the context of overall threat activity, according to Chris Novak, senior director of cybersecurity consulting at Verizon.
“I try to be careful about saying it because we’re not saying that it can’t happen or there aren’t any instances,” Novak told CIO Dive earlier this summer. “But what we’re seeing is that if you look at it from a statistical perspective, in the grand scheme of cyberattacks, AI is probably one of the lowest risks.”
Part of what’s driving the status quo is threat actors’ ROI. Cyberattacks that exploit human error are so successful that adding an often costly new technique wouldn’t change much, Novak said. More than two-thirds of data breaches this year involved a non-malicious human element, such as a social engineering attack or a worker making an error, according to Verizon’s annual Data Breach Investigations Report.
“Threat actors don’t necessarily need to try very hard,” Novak said. “For many of them, it’s already working just really, really well and the paydays are typically very fast.”
Organizations should continue investing in employee training to curb mistakes, but leaders can also take advantage of the lag in AI attacks.
More than one-third of C-suite leaders pointed to cybersecurity and AI as top investment areas for upskilling this year, according to a Skillsoft survey published in June. Failing to mitigate skills gaps can exacerbate risks. More than 2 in 5 cyber pros admitted to having little to no experience in securing AI, according to ISC2 research.
Infusing security into AI adoption plans is critical.
“This is an opportunity for us to actually be ahead of the threat actors where normally, we’re waiting to see what they’ve done,” Novak said. Understanding how organizations can mitigate AI’s risks and protect the business from AI-driven attacks is key.