One of the most surprising findings from this year’s Nash Squared Digital Leadership Report is that the number of major cyberattacks reported is falling.
In its 25th year of publication, the report found that across more than 2,100 technology/digital leaders surveyed globally, the proportion experiencing a major cyberattack in the last two years has fallen to 23% – down from 28% in 2022. A higher proportion – 44% – of large organisations reported a major incident this year, down from 56% last year.
Our perspectives on cyberattacks are changing. There are so many attacks now that cyber and technology professionals have become hardened to them, and what they class as ‘major’ has changed. A few years ago, a short DDoS (Distributed Denial of Service) or small data breach might have sparked a midnight call to the CEO; now it’s seen as ‘routine’.
More organisations are strengthening their cyber defences. Some sectors like financial services and central government continue to raise their game, investing in sophisticated protection systems, threat detection and response capabilities, and continually reminding the whole workforce of the importance of good cybersecurity protocols. We can’t say that businesses are ‘winning’ the cyber battle. It’s more nuanced and complicated than that.
Raising the stakes: new threats from generative AI
New threats are coming that could dwarf anything we have seen to date. Generative AI has become today’s hot ticket. But while generative AI holds enormous positive potential, it could also be a gift to the cyber criminals. A communique signed by attendees in advance of the UK government’s AI summit of world leaders warned that AI systems could be used to launch cyberattacks and create bioweapons, and that it is “especially urgent” to address the risks.
The success of cyberattacks is often dependent on their ability to scale – swamping and overwhelming an organisation’s defences – and their ability to mimic real humans (as in a phishing campaign). We are already seeing instances of incredibly convincing, tailored phishing emails that appear to have been generated with AI. In time, some predict that the success rate of phishing campaigns could leap exponentially, from the present level of about 0.1% to anywhere around 20%.
Phishing would only be the start. Cyber criminals are also engaging in what’s been termed ‘AI poisoning’, infecting the content that is subsumed into the learning process of an AI algorithm so that it becomes untrue, biased or downright malicious. This could then be replicated and multiplied across systems and networks with terrible consequences.
There is also malware. So far, generative AI’s coding abilities have been relatively basic. But AI is improving at exponential rates – much faster than a human can learn. It may not be long before generative AI can develop malicious code that is almost impossible to block. Malware potency could hit new levels, and the cyber industry will need all its skill and investment (and some help from ‘good’ AI) to combat it.
The quantum risk
We are already beginning to see Quantum as a Service (QaaS) being offered where quantum mainframes are made available to users. It may not be long before the networking challenges of quantum are solved so that quantum computing becomes available on a mass scale. Users, including cyber criminals, could have access to thousands if not tens of thousands of qubits. This will put almost unimaginable computing and processing power into people’s hands.
Quantum computing poses a risk to encryption. Customers’ secure transactions to their bank or all the data transmitted over a VPN may no longer be protected. Adversaries may be able to go back and decrypt historic financial communications. The underlying basis of blockchain could be undermined, permitting the ability to rewrite financial records.
That kind of quantum scenario may be a little way off – and hopefully defences and mitigations would be invented at the same kind of speed.
There is no doubt that, with the new and emerging technologies that are coming, the cyber challenge could be massively amplified.
That’s why organisations have to keep on investing in their defences and get used to the thought that the battle is never over, and never won.
Jim Tiller is CISO, Nash Squared. The Nash Squared Digital Leadership Report 2023 is based on the world’s largest and longest running annual survey of technology/digital leadership