Amid the excitement of the AI boom, security leaders are gearing up to address the paradigm shift ahead, driven by bad actors using generative AI for more sophisticated and targeted attacks. Alongside an increase in breaches, it’s becoming clear that the old security methods are no longer cutting it in today’s landscape.
The data on increased breaches is alarming: A staggering 80% of hacking-related breaches in 2023 stemmed from compromised passwords, exposing a fundamental weakness in our online security habits at both the individual and enterprise levels. These threats will not only persist but grow in size and scale, making it critical for organizations across industries to prepare accordingly.
This threat isn’t exclusive to enterprise-size organizations, like Okta and MGM, whose breaches have grabbed headlines this year. Attackers are finding just as much, if not more, success in breaching small and medium-sized businesses (SMBs) due to their limited security resources, with minimal effort promising maximal payout.
Navigating the nuanced landscape of cybersecurity and evolving threats is increasingly challenging – which is why security professionals at organizations of all sizes must identify AI-driven threats as we head into 2024 and then look to fortify their digital defenses accordingly, both getting back to the basics and leveraging emerging technology to bolster their security posture.
AI has been at the forefront of the global consciousness in 2023, from ChatGPT’s meteoric rise and fierce competition among tech giants to global government bodies grappling with regulation. However, as generative AI capabilities advance, so do AI-driven cyberattacks, posing a serious threat to the security and data of organizations worldwide – SMBs and enterprises alike.
Cybercriminals are now able to make their phishing attacks more credible and frequent – even impersonating the voices of family members in call scams – by leveraging the power of generative AI, such as WormGPT. Not only does this lower the bar for entry to becoming a cybercriminal, but it also equips experienced hacker groups with the tools to make their attacks even more catastrophic.
With the frequency of these attacks expected to increase, everyone from individuals to corporations needs to take note. And, as cyberattacks targeting small businesses hit record highs in 2023, this is especially true for SMBs, which tend to lack the tools, resources and expertise to protect themselves that are commonly found within larger organizations.
The consequences are also more dire for SMBs: Corporations like MGM can survive a ransomware attack – the mom-and-pop shop or locally-owned car dealership chain often cannot. To be clear, the stakes are high across the board, with the average cost of a breach at over $4 million, a 15% increase over three years. Now is the time for every organization, large and small, to protect their exposed attack surfaces and implement proper safeguards.
As the uncertain macroeconomic environment forces companies to tighten budgets in the coming year, security investments will continue to face cuts even as threats rise – highlighting the importance of getting low-cost security basics right. Organizations with any budget size can take simple action now to effectively defend against increasingly costly AI-driven cyberattacks.
Enforcing company-wide password management, multi-factor authentication and employee education all go a long way for little investment. These fundamentals thwart a significant portion of attacks today, many of which rely on exploiting weak credentials and deceiving users. Unique, strong passwords across company accounts significantly lower the risk of compromised credentials. That matters because the biggest security vulnerability every company faces is its employees, with 74% of all breaches including a human element. For example, hackers recently accessed a Pittsburgh-area water system by guessing the default password of “1111” that an employee failed to change.
Ultimately, educating employees on how to spot AI-generated phishing emails, practicing good password habits (like minimizing reused passwords), and fostering a blame-free culture of reporting suspicious activity greatly reduce the chance of successful attacks – and nailing these security fundamentals provides a solid foundation of basic, low-cost security hygiene for SMBs and enterprises alike.
Some organizations that have the appetite to go beyond security basics will start looking to emerging technology. One key tool they’ll look to implement is passkeys, a phishing-resistant replacement for passwords that provides faster and more secure sign-ins to websites and apps. In the past year, passkeys became more commonplace across platforms, and big tech – from Google to Amazon – began offering various levels of passkey support. While a truly passwordless future remains far on the horizon, passkeys are increasingly serving as a proactive defense against AI-fueled threats lurking in the shadows. They will ultimately surpass passwords as the status quo technology once the debilitating consequences of not adopting a more secure, phishing-resistant form of authentication become clear to organizations of all sizes.
Additionally, although generative AI is driving a spike in attacks, it can also serve as another line of cybersecurity defense. Company leaders can look to automate aspects of cybersecurity, such as threat intelligence and real-time detection – and industry experts are off to the races on other ways that generative AI can combat automated threats this year.
Predicting exactly what this year will look like is nearly impossible, but there’s no doubt that AI will continue to evolve both in its benefits and threats.
As budgets tighten across industries, organizations must take action to master the basics of security – the cost of inaction is far steeper and often detrimental. The adoption of passkeys, generative AI for defense, and a more proactive security posture will prove to be beacons of hope this year against the tumultuous cyberthreat landscape.