Human insight - or artificial intelligence?

Don’t be blinded by the AI arms race, warns Nick Dyer at Arctic Wolf; employees are still the most important defence

 

The cyber-security landscape has been transformed in recent years; powerful artificial intelligence (AI) and machine learning (ML) advancements available on the open market are enabling today’s cyber-criminals to deploy increasingly sophisticated attacks at the ease of pressing of a button.

 

Whether they’re aware of their responsibility or not, this has forced business leaders and their employees to be more aware of the threats targeting their organisation’s cyber-defences. 

 

It is essential for organisations to understand that focusing more on their human risk in 2025 ––e.g. through continually training employees to spot key signs of an attack –– will be one of the most important steps they take toward strengthening their resiliency.

 

While this is not an overnight task, improving cyber-hygiene within the organisation is a skill that anybody can learn, regardless of their knowledge of technology and cyber-security. 

 

Good vs bad actors: a fine line

Cyber-security has always been an arms race, with practitioners in a constant battle of identifying and patching system vulnerabilities, and using the latest technology to defend against attacks faced from external threats.

 

The rise of AI-powered attacks has caused this to evolve into a competition for which side has the fastest, most efficient model powering their security platform or, for cyber-criminals, crafting their threats. With bad actors often not deterred by rules or regulations, the shift toward AI-based security has made the margins between attackers and the defenders thwarting them even smaller than they were previously.

 

Due to the slim technological margins between attackers and defenders, it is now organisations with a deeply engrained positive culture of cyber-security – employees who are empowered to spot and proactively report suspicious behaviour – which make the difference between falling victim to a ransomware attack and business as usual. For example, two of the largest recent breaches –– MGM Casino and MOVEit –– were carried out via clever social engineering tactics on unsuspecting employees. 

 

All employees are responsible

Arctic Wolf research has found that nearly two-thirds (64%) of IT executives have fallen for phishing links themselves, suggesting that human risk isn’t just an employee problem, but also a leadership one.

 

Actions like reusing account credentials, disabling security measures like multi-factor authentication (MFA) and not checking to validate the email link or messaging request put organisations at a significant cyber-risk, regardless of the sophistication of their security environment. The overall security of organisations relies on all employees continually putting the work in to ensure they aren’t undermining security. 

 

Buy-in and commitment from the C-suite to entry-level employees is fundamental to mitigating human risk. Despite the majority of IT leaders falling victim to phishing scams, 80% reported they were “confident” their organisation won’t fall for a phishing attack. This disconnect means that, in some cases, the most effective change an organisation can make to lower human risk is to make security measures like MFA, network segmentation/VPNs and password managers mandatory. 

 

Fostering a culture of cyber-security

As AI-based threats become more prevalent, employees should also be well-versed in the policies and procedures of verifying someone’s identity or reporting suspicious activity–– as well as knowing what to do if a malicious link is clicked. While many organisations conduct background checks on employees, monitor work devices for suspicious traffic and require periodic password updates or a password manager, vigilance is the key differentiator in this new age of threats.

 

Of course, none of the above tactics can be effective in boosting resiliency without an underlying foundation of trust. Employees need to feel empowered to share their security concerns without fear of reprimand, as updating and patching systems immediately is essential to a resiliency plan. 

 

Preparation is key

The reality is, running a forward-looking business inherently brings security risks. If employees aren’t prepared for them, they can be easily missed. Background checks, people screenings, tools to mitigate phishing, shadow AI and more are just a few examples of opportunities for hackers that if left unchecked could easily lead to a breach and the stealing of business-critical information.

 

It’s fundamental for security leaders to prioritise employee security culture as a key defence against attacks, or else no amount of technological investment will keep their organisation secure.

 

---

 

Nick Dyer is a Cybersecurity Expert at Arctic Wolf

 

Main image courtesy of iStockPhoto.com and Kindamorphic