The advancement of artificial intelligence, though exciting, poses risks to digitally enabled businesses.
Just a few years ago, AI still seemed to be a distant, futuristic concept which hadn’t yet taken on a recognisable form. Fast forward to 2024 though, and it is being used by organisations all over the world, within every sector. From art, music and filmmaking, to trading, investment and security, there are aspects of AI which make it attractive for a wide range of organisations.
A report published by IBM looking at 2022 figures revealed that 77% of businesses were either already using AI or were exploring its possible uses within their operations; and today these numbers will undoubtedly be much higher.
The advancement of AI, although exciting, also poses cybersecurity risks for today’s digitally enabled businesses. Not only does AI give attackers more sophisticated tools, but it also makes it easier for them to target businesses indiscriminately.
The dangers of AI
According to the latest Government Cyber Breaches Survey, phishing is by far the most common type of attack experienced by businesses, and AI can play a massive role in these types of attacks. AI can help attackers draft emails which take on the tone and format of a company or individual, making it much more difficult to spot scams. On top of this, AI allows attackers to fully automate their attacks, making them increasingly dangerous and widespread.
A malicious cyber group or individual can now purchase a data set from the dark web, perhaps of personal information relating to a bank’s customers. They can then ask an AI system to analyse the data set and export names and email addresses to a separate mailing list.
It can then draft an email which copies the tone of that bank’s customer communications, asking each customer to click a link to sign in or cancel a suspicious payment, all while using language patterns which are known to instill a sense of confidence in the reader, making them more likely to follow the instructions outlined in the email.
The AI system can then broadcast this email to the mailing list, respond to customers, and even send targeted follow-ups. This can all be done with minimal input from the attacker, allowing them to massively increase the number of attacks they can perpetrate.
The latest Cyber Breaches Survey also revealed that half of businesses (50%) have experienced some form of cybersecurity breach or attack in the last 12 months. However, in reality this number will be much higher. Every business with any form of online presence will be a target for malicious groups, and the automation of attacks almost guarantees that attacks will come their way eventually.
As with many other types of cyber-attack, when a business falls foul of phishing, they often experience financial, reputational and operational damage. AI is unfortunately making it easier for attackers to inflict this damage.
Mitigating cyber risk
For a long time, there has been a mindset among businesses that cyber-attacks were something which ‘wouldn’t happen to us’, because ‘why would we be targeted’? However, this is a way of thinking which no digital business can afford to fall into. Given that no company is off limits to an attacker, it is critical that proactive action is taken to ward off a cyber threat.
This all starts with cyber hygiene. Due to most attacks being low-skill phishing attacks, even basic cyber controls and training should halt most breach attempts. But what do these practices look like?
Cybersecurity strategies will look different for every business and should ultimately be driven by its needs. However, there are a few key aspects which will help all organisations to improve their cyber posture:
Cyber training
The number one cause of cyber breaches is humans. In fact, a recent report by IBM revealed that the percentage of attacks which succeed due to human error is as high as 95%. This is why staff training is so important. Employees must know what attacks look like, what their responsibilities are should an attack occur, and what they can do to both reduce the risk of an attack, as well as minimise damage if a breach does happen. Giving your team basic knowledge of the threats they face is crucial.
Understanding your risk
As with any type of problem solving, it is impossible to fix what you don’t know is broken, and cybersecurity is no different. Most businesses have things they could be doing to improve their cyber posture; however, it’s all about knowing what those are. Recent figures suggest that just 45% of medium-sized businesses and 35% of large businesses have sought cybersecurity information and guidance from external consultants or providers in the last 12 months. This is worryingly low.
Seeking advice from an expert is the first step in understanding your cyber risk, and to doing something about it. Now, more than ever, businesses must act.
Implementing basic controls
Due to the importance of cybersecurity and the scale of the industry, it is easy for businesses to be drawn to highly technical, expensive products and protections. However, base level solutions and a focus on processes will help to ward off most attacks.
A key example of this is Two Factor Authentication (2FA). 2FA is a process which requires a user to provide two levels of authentication to access a network, device or programme. The most common type is email and password, followed by a code sent to a mobile device or email. The reason this is so effective is that if an attacker manages to steal your login credentials, it is still impossible for them to access your physical mobile device, stopping them from being able to gain entry using your details.
Cybersecurity is all about risk-appropriate response, meaning businesses should base their level of protection on their level of risk. If businesses can do this, then their chances of being impacted by a serious breach reduce significantly. However, there isn’t a silver bullet, and remaining cybersecure requires constant improvement and monitoring, whatever that looks like for each business.
Tom Kidwell is the Co-founder of Ecliptic Dynamics, an internet infrastructure security specialist that provides security, privacy, and data protection through its web isolation platform and virtual desktop infrastructure.