The Growing Cybersecurity Disconnect Leaves Enterprises Exposed

Forbes Technology Council

IRONSCALES founder & CEO Eyal Benishti is a pioneering security software engineer & executive leader with 15+ years of industry experience.

Cybersecurity has always been a dynamic field. Malicious actors work tirelessly to devise new types of attacks, while tech vendors and security professionals work round the clock to develop new strategies and solutions to stop them. However, with the recent emergence and rapid evolution of generative AI (a.k.a. GenAI), this age-old game of cat and mouse has reached a fever pitch—and the good guys are struggling to keep up.

But, as we all know, no one likes to admit they’re struggling. A recent study by Osterman Research, in collaboration with my company, revealed a disconnect between security professionals’ confidence in defending against advanced email-based attacks and their actual success in doing so; we couldn’t help but feel for them. The modern cybersecurity landscape is awash in novel threats, with new, more sophisticated and more formidable attacks emerging at a dizzying pace.

To survive in such a landscape, security professionals and the organizations that employ them must first come to terms with how they’re truly faring in this new reality. Then, and only then, will they be able to accurately assess the efficacy of their existing approach, and adopt the kinds of tools, technologies and strategies needed to survive in this new era of security and AI.

As Traditional Attacks Fade, Novel Threats Emerge In Their Wake

The age of traditional phishing—with its pervasive linguistic errors, thinly veiled malicious payloads and outlandish pretexts—is quickly receding in the rearview. And in its place, more advanced, sophisticated threats are beginning to emerge.

In the handful of months from Q1 to Q3 of 2023, our data analysts saw a massive 215% increase in phishing emails incorporating images. Image-based phishing attacks, such as quishing, use malicious QR codes or other images in emails to sidestep AI-based language processing. In the aforementioned study, over 90% of respondents were aware of image-based attacks being sent to people in their organization, and just shy of 80% were aware of the same happening with QR code phishing attacks. What’s more, 60% of respondents said they believe the number, sophistication and evasiveness of these image-based and QR code attacks will only get worse over the coming 12 months. In fact, our study suggested that awareness of image-based and QR code phishing attacks has surpassed that of general email phishing overall.
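The evasion described above works because a message that is mostly image gives a language-based filter almost nothing to score. As an added illustration (not code from the article or from IRONSCALES), here is a defender-side heuristic that flags messages carrying image parts but too few readable words for text analysis to be meaningful; the word threshold and the sample messages are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Tunable threshold (assumption, not from the article): below this many readable
# words, a message is treated as too text-poor for language-based analysis.
MIN_WORDS = 20


def analyze_message(msg: EmailMessage) -> dict:
    """Count readable words and image parts; flag image-heavy, text-poor messages."""
    words = 0
    images = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            words += len(part.get_content().split())
        elif ctype == "text/html":
            html = part.get_content()
            # Strip tags so markup does not inflate the word count.
            words += len(re.sub(r"<[^>]+>", " ", html).split())
            images += len(re.findall(r"<img\b", html, re.IGNORECASE))
        elif part.get_content_maintype() == "image":
            images += 1
    return {
        "words": words,
        "images": images,
        "image_heavy": images > 0 and words < MIN_WORDS,
    }


def build_sample(text: str, attach_image: bool) -> EmailMessage:
    """Constructed sample message (not from the article); the PNG bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.invalid"
    msg["Subject"] = "Action required"
    msg.set_content(text)
    if attach_image:
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                           maintype="image", subtype="png", filename="qr.png")
    return msg


if __name__ == "__main__":
    # A QR-style lure: one image, a single short sentence of text.
    lure = build_sample("Scan the code to restore access.", attach_image=True)
    # A legitimate image-bearing message with plenty of readable text.
    newsletter = build_sample(" ".join(["word"] * 40), attach_image=True)
    print(analyze_message(lure))        # image_heavy True
    print(analyze_message(newsletter))  # image_heavy False
```

Such a flag is a routing signal for image or QR inspection, not a verdict on its own.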

When Knowing The Enemy Isn’t Enough

Even though most security professionals are acutely aware of this new class of image-based threats, the overwhelming majority appear helpless to stop them. In the same study, we found that over three-quarters (75.8%) of organizations had been compromised by image-based and QR code phishing attacks within the past 12 months.

That’s a worrying statistic to say the least. But, perhaps even more worrying is the apparent refusal among these professionals to recognize the difficulties they’re having defending against these threats. Despite the overwhelming majority of respondents reporting that their organizations had indeed been compromised by these attacks, over 70% still assessed their current email security stack as “highly effective at detecting image-based and QR code phishing attacks.”

At first blush, this disparity is almost as puzzling as it is startling. However, as expressed earlier, it’s not always easy to recognize one’s own shortcomings. It’s also important to remember that, over the past year or so, the cybersecurity landscape has been fundamentally transformed by the arrival of GenAI and other technologies. And it isn’t always easy to connect all the dots when you’re in the middle of a sea change.

It’s High Time To Reassess The Status Quo

So what’s the cybersec community to do? Unfortunately, there is no silver bullet for the tsunami of threats currently being unleashed by artificial intelligence. However, as we mentioned earlier, resolving this cognitive dissonance is an essential first step. In order for an organization to establish an AI-resilient approach to cybersecurity, it must first reassess its existing strategy.

That includes auditing one’s existing security stack to determine its efficacy against novel threats; and in 99% of cases, adopting new tools and technologies better suited for the age of AI. Unsurprisingly, the most effective solutions are by and large those that make use of artificial intelligence themselves. Not only are AI-powered security tools typically better at detecting malicious emails, they are also adaptive—as AI models are able to learn, evolve and adapt to the threat landscape as it changes over time. What specific solutions are best will depend upon your organization and its unique needs. The only element that should be treated as absolute across all organizations is the reassessment process itself. What comes from that assessment will be up to you.

The other universally advantageous move organizations can make is to ensure a robust, dynamic training program for employees. At the end of the day, no cybersecurity solution is perfect. Some malicious emails will make it through and find their way into employees’ inboxes. At that point, the outcome for your organization will be wholly dependent on how security savvy that employee happens to be. Don’t leave it up to chance. Invest in robust and regular security awareness training (SAT) and phishing simulation training (PST) to ensure your employees recognize the latest threats, and have policies in place to minimize both their impact and efficacy.

In A World Defined By Flux, Flexibility Is Key

As the threat landscape continues to change and evolve at breakneck speed, organizations will have to learn to adapt with equal speed and fervor. The rules of the game have changed, and before you know it, they will have changed again. Burying one’s head in the sand and refusing to recognize a failing security posture isn’t going to cut it. Moving forward, the organizations that remain clear-eyed, critical and adaptive will be the ones with the best chances of avoiding compromise in the age of AI.

