Every organisation knows that there is no such thing as a one-size-fits-all definition of risk, especially when it comes to cybersecurity, nor do static plans still have a place in this day and age. In our reality, where new technologies come out in increasing numbers as time passes, this advancement also comes with undiscovered vulnerabilities being brought to light and more attackers appearing on the horizon.
One of these technologies that has had a widespread impact is the advanced large language model (LLM), such as ChatGPT and similar tools, which have taken this cycle and turned it up to eleven. This is because of the ease with which they can create targeted malware without any technical training required. In addition to that, they can even guide you through the process of using the malware effectively.
But despite the developers continuously putting new safeguards in place to prevent users from abusing their programs for malicious purposes, there will always be alternatives in the dark web that can easily fill the void. What’s more, many bad actors have now created AI tools specifically trained on malware data and are designed to support other attacks, such as email compromises and phishing.
Although regularly evaluating risk is a well-known best practice observed across industries, it is also important to know how to identify when significant technological shifts have drastically changed the risk landscape. Whether it be having easy access to internet-enabled and low-security devices or the proliferation of shadow IT in hybrid workplaces, there are times when businesses have to thoroughly reassess their risk profile. This is because the vulnerabilities that were deemed to be highly unlikely to get exploited yesterday may suddenly become the new leading attack vector tomorrow.
Businesses can approach how they evaluate, prioritise, and address risks as they are discovered in many ways, and this will largely depend on the particular organisation, industry, and personal preferences. At its most basic, leaders must evaluate risks by multiplying the impact and likelihood of any given event. There are likewise numerous methods for determining these two factors, and both can be affected by various elements such as:
● Industry
● Geography
● Skill and motivation of attackers
● Cost of equipment
● Maturity of the organisation’s security programme
In this case, the widespread availability of tools like ChatGPT greatly lowers the barrier to entry, or the technical skill needed, for bad actors to execute an attack, and lets them create sophisticated and targeted attacks at unprecedented speeds, all for little to no effort.
This means businesses that previously enjoyed a high degree of security because of their industry, profile, or size now face the real threat of getting targeted all because it is now easier to do so. As such, it is best to assume that all previously established risk profiles are obsolete and no longer accurately reflect the new environment and threat landscape in which businesses operate. Even companies that have a robust and mature risk management process/programme could struggle to adapt to this new reality.
1. Risk assessment & analysis
It is vital to first start by reassessing the organisation’s current state of risk because, as mentioned earlier, cyber risks or attacks that were previously deemed unlikely could now be just a few clicks from being deployed en masse. If a business has a risk register, they should go over it thoroughly and evaluate all identified risks no matter how time-consuming it may be. Doing so ensures having all the necessary information to address new and unprecedented risks effectively.
2. Risk aggregation
Upon reassessing and prioritising all identified risks, the next step is to review whether any of them could be combined. By leveraging AI, hackers can now uncover new ways to chain or aggregate all kinds of vulnerabilities to enhance their attacks. This process may be completed in parallel to the previous step, but businesses should ensure that the review is done as soon as possible.
3. Executive awareness & input
The organisation’s executive team must be regularly informed about the re-evaluation and be made aware of any changes in the business’s risk profile, as keeping them in the loop is key to effective and appropriate risk treatment. This may entail holding casual meetings to discuss AI’s current capabilities and how threat actors are using them or making a formal presentation regarding the reassessed risk register. The bare minimum that the executive team needs to be aware of includes:
● Changes to the business’s identified risks
● Recommendations on updates to risk treatment options or risk appetite
● Effectiveness of existing controls (if not yet obsolete) against AI-based attacks
● Immediate or short-term risks that warrant immediate attention
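The three steps above, carried through on a small risk register, as an added illustration that is not part of the original article or of GROUP8's own tooling. It assumes a 1-to-5 scale for impact and likelihood (score = impact × likelihood, as in the text), a constructed `skill_gated` flag marking risks whose likelihood was low mainly because exploitation needed specialised skill, a uniform likelihood uplift of 2 for those risks, and a simple rule for a chained risk (likelihood of the weakest step, impact of the most severe step). All register entries and numbers are constructed sample data, not real findings.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int         # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int     # 1 (rare) .. 5 (almost certain); assumed scale
    skill_gated: bool   # constructed flag: likelihood was low only because skill was required

    @property
    def score(self) -> int:
        # Step 1: basic risk score is impact multiplied by likelihood.
        return self.impact * self.likelihood


def reassess(register: List[Risk], skill_uplift: int = 2) -> List[Risk]:
    """Step 1: raise likelihood for risks whose main barrier was attacker skill.

    The uplift value is an assumption for illustration; pick it per organisation.
    """
    updated = []
    for r in register:
        if r.skill_gated:
            r = replace(r, likelihood=min(5, r.likelihood + skill_uplift))
        updated.append(r)
    return updated


def chain(name: str, steps: List[Risk]) -> Risk:
    """Step 2: aggregate several risks an attacker could chain into one entry.

    Assumed rule: the chain is only as likely as its least likely step, and
    its impact is that of the most severe step.
    """
    return Risk(
        name=name,
        impact=max(s.impact for s in steps),
        likelihood=min(s.likelihood for s in steps),
        skill_gated=False,
    )


def executive_summary(before: List[Risk], after: List[Risk]) -> List[Dict[str, Optional[object]]]:
    """Step 3: a ranked table of what changed, for the executive briefing."""
    old_scores = {r.name: r.score for r in before}
    rows = []
    for r in sorted(after, key=lambda x: x.score, reverse=True):
        prev = old_scores.get(r.name)
        rows.append({
            "risk": r.name,
            "old": prev,                      # None for a newly added chained risk
            "new": r.score,
            "delta": None if prev is None else r.score - prev,
        })
    return rows


# Constructed sample register (not real findings).
REGISTER = [
    Risk("Targeted spear-phishing of finance staff", impact=4, likelihood=2, skill_gated=True),
    Risk("Custom malware evading signature AV", impact=5, likelihood=1, skill_gated=True),
    Risk("Unpatched public web server", impact=3, likelihood=4, skill_gated=False),
    Risk("Lost unencrypted laptop", impact=3, likelihood=2, skill_gated=False),
]


def run(register: List[Risk] = REGISTER) -> List[Dict[str, Optional[object]]]:
    after = reassess(register)
    by_name = {r.name: r for r in after}
    # Step 2: phishing as the delivery route for the custom malware is one chain worth recording.
    combined = chain(
        "Phishing delivers custom malware to finance",
        [by_name["Targeted spear-phishing of finance staff"],
         by_name["Custom malware evading signature AV"]],
    )
    return executive_summary(register, after + [combined])


if __name__ == "__main__":
    for row in run():
        print(f'{row["new"]:>3}  (was {row["old"]}, delta {row["delta"]})  {row["risk"]}')
```

The point the output makes for the executive meeting is the reordering: the two risks that were ranked low purely because they needed a skilled attacker move to the top of the register, and a chained entry that did not exist before appears alongside them, while the risks that never depended on attacker skill keep their old scores.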
The advent of powerful LLMs in today's rapidly changing digital landscape raises new challenges that no organisation can afford to ignore. Given how these models can be configured to aid in developing malicious tools with unprecedented speed, it is no understatement that they are now reshaping the cybersecurity frontier of tomorrow as they provide not just advancements but also vulnerabilities. Hence, organisations need to stay on top of how these new technologies evolve and where they fit into their ongoing risk assessment and governance frameworks to preserve their cybersecurity posture.
If your business needs futureproofing against the new wave of AI-based cyber threats, GROUP8 is here to help. By leveraging our offensive-inspired Singapore cybersecurity services, like incident response and VAPT services, you can rest assured that your cybersecurity posture will be hardened and ready for known and unknown risks. To learn more about our proven and effective solutions, contact us at hello@group8.co any time.