teissTalk: Leading your cyber defence in an era of AI-driven ransomware extortion

Views on news

In April, the UK AI Security Institute (AISI) published an independent evaluation of Claude Mythos Preview, assessing its cyber security capabilities ahead of any wider release. In controlled testing, AISI found that the model could autonomously chain multiple stages of cyber-attack activity, – from reconnaissance through to vulnerability exploitation, significantly reducing the human effort required. AISI is explicit about the limits of these findings. The evaluations were conducted in controlled, weakly defended environments, and AISI states it cannot conclude that the same performance would translate to hardened, well monitored enterprise systems. 

The same capabilities that raise concern can, in principle, be used defensively. Both AISI and NCSC highlight the potential for AI to help suppliers and defenders identify vulnerabilities earlier and at greater scale. These approaches are still maturing and require careful governance, appropriate data access and skilled human oversight. Organizations that adopt defensive AI prematurely, without assurance or auditability, risk creating new blind spots rather than closing existing ones. Panellists think that behind Anthropic’s move there is a very clever product but also some very effective PR activity too. Although Anthropic is still in control of the technology, sooner or later it’ll be used against businesses to find their vulnerabilities and attack them faster and cheaper than previously.

However, even with this new and scary technology on the horizon, the old mantra remains – you must get the fundamentals right.  

Anthropic has also released Claude Security for scanning code for vulnerabilities.

 

Do old controls work against new threats?

AI adoption without security measures is just as much of a problem as generative AI tools in the hands of criminals. Because of the rush to get the next innovation on the market, AI products are often half-formed with functionality taking precedence over security. In response to intensifying threats, there is a growing trend to keep data on-prem alongside with proper identity and access control measures in place. There is also an overall preference for open-source models not just for data security but also cost reasons.  We also see some conflicting shifts: while the NHS pulled its open-source software repositories from GitHub and made them private in response to security concerns related to advanced AI models, European countries are increasingly moving to open source. The rising interest in data and model sovereignty is also demonstrated by the tagline "made in Europe, for Europe.” 

People are about 4.5 times more likely to click on a phishing link created by AI, which will further increase the pressure on staff to think twice before they click on anything. However, it’s time now to build better systems rather than blaming users for vulnerabilities. An annual 15 minute learning session in cyber security has failed to fundamentally change user behaviour and move the dial on security awareness. 

With the speed and volume that generative AI allows, cyber security must be proactive to be able to keep up. Agentic AI is already being used, and should increasingly be used, for triaging risk –eight AI agents can do about the job of a team of 20 humans. 

The panel’s advice

• Every new security tool will be used both defensively and offensively.
• The main task of CISOs is not to prevent all cyber attacks but to make sure that the organisation can quickly recover from any incident.
• The best line of defence is to detect your vulnerabilities before cyber criminals do and AI can play a central role in that.
• Classics like the DoD Orange Book from the 1980s have lost their relevance and can still be applied in our day and time.
• Many businesses today are over-reliant on encryption.
• Stay versatile and flexible with your architecture and your strategies.