It’s a tale as old as time: an employee receives an urgent email with improper grammar from a suspicious-looking sender, some misspelled words and a request for money or gift cards on behalf of the CEO. Or maybe the ask is for sensitive data or information that will ultimately compromise company security. Undoubtedly, the message includes a link the employee is then prompted to click, likely with instructions to provide credentials or further information. There may also be a tight deadline to prompt panic and minimize any second thoughts on responding.
Historically, these key characteristics made phishing emails easy to identify and properly flag. But we’ve entered a new frontier when it comes to cybersecurity and the world of generative artificial intelligence (AI). Tools like automated chat and generative programs have become two of the strongest weapons in the arsenal of cybercriminals everywhere. A cybercriminal can now generate an impeccable email, devoid of spelling or grammatical errors. This leaves even the most cautious, eagle-eyed employee or organization more vulnerable to an attack.
Although not exhaustive, here are five ways you can help to protect your business from AI-honed cyber attacks:
1. Require employee training programs
When it comes to cybersecurity, organizations are only as strong as their weakest link, or their least-trained employee. So, employee training programs are vital to have any chance of protecting against attacks. Yet, according to the 2023 Hiscox Cyber Readiness Report, a shocking 59% of small businesses neglect to conduct security awareness training, leaving themselves susceptible to risk.
An adequate training program should include in-depth coverage of topics like phishing trends for email and phone, ransomware, and tips for password protection. It can include online courses or webinars, along with simulations and quizzes to test information recall. For instance, many organizations test employees by sending practice phishing emails. This gives the team a chance to identify and properly flag or report a suspicious email. It also gives businesses the opportunity to collect real data that will allow them to identify any process improvements or areas for increased training.
In the age of remote and hybrid working, employees should also be educated on how to work safely remotely. For example, if an employee works from a coffee shop or coworking space and joins the “free” available Wi-Fi network, they could be opening a back door to cyber threats.
2. Implement robust protection tools
Phishing emails are the leading entry point for ransomware attacks, as per the Hiscox Cyber Readiness Report. Unauthorized actors are getting savvier and savvier, thanks to digital developments, such as AI. However, the tools defending against these types of attacks are also becoming more advanced. Protection tools that block unwanted or suspicious emails before they ever hit your inbox are available. They have capabilities to scan an email for suspicious content or links and will remove anything that is perceived to be a threat.
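As an added illustration (not code from the original article or from any Hiscox product), the sketch below shows the kind of checks such a filter can run that do not depend on spelling or grammar: a failed DMARC result, a Reply-To domain that differs from the sender's, an executive's name on an outside address, and a link whose visible text points somewhere other than its real target. The organization domain, executive name, and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organization's domain and executive names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}

# Constructed sample: the wording is fluent, so only structural signals remain.
SAMPLE = """\
From: Dana Reyes <dana.reyes@examp1e-mail.test>
Reply-To: payments@other-domain.test
To: finance@example.com
Subject: Vendor payment due today
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail
Content-Type: text/html

<p>Please review the invoice at
<a href="https://login.other-domain.test/invoice">https://portal.example.com/invoice</a>
before 3 pm.</p>
"""

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def structural_signals(raw):
    """Return the grammar-independent warning signs found in a raw message."""
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain(msg.get("From", ""))
    found = []
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        found.append("dmarc-fail")
    if msg.get("Reply-To") and domain(msg["Reply-To"]) != from_dom:
        found.append("reply-to-mismatch")
    if name.lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        found.append("executive-name-external-sender")
    # A link whose visible text is a URL on a different host than its href.
    pattern = r'<a\s+href="([^"]+)"\s*>\s*(https?://[^<\s]+)'
    for href, text in re.findall(pattern, msg.get_payload(), re.I):
        if urlparse(href).hostname != urlparse(text).hostname:
            found.append("link-text-mismatch")
    return found

if __name__ == "__main__":
    print(structural_signals(SAMPLE))
```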
There are other tools that can also serve as a shield to your system, such as two-factor authentication (2FA) or multi-factor authentication (MFA). These tools provide an additional layer of security by requiring two or more forms of identification to access an account, resources, or data. Most 2FA systems will use a passcode generator to verify the identity of an account holder and are also more efficient than traditional passwords, as no two passcodes are the same.
3. Practice callback verification
While remote and hybrid working come with flexibility, they also eliminate some face-to-face time with colleagues. In the past, you’d be able to turn to someone in the office sitting next to you and ask if they had sent you a request. Now there is a bit of extra effort required to authenticate messages. But it is worth taking that extra time to make sure the request is legitimate.
One of the most effective and low-cost tactics you can use to protect your inbox is callback verification and authentication. When you receive an email, confirm with the sender by phone that the email actually came from them, and that it is an authentic note or request. When you have that second layer of physical confirmation, it lowers the risk of acting on fraudulent emails and allows you to quickly identify if something is awry.
4. Incorporate a human element behind AI
While AI creates additional risks, it also creates plenty of opportunities. There are many ways that businesses can benefit from the power of AI, such as copywriting, customer service, graphic design, or time management. Particularly if a business is just getting started, AI can be efficient and extremely cost-effective support for areas the business simply can’t afford a dedicated employee for.
But let’s face it – nobody’s perfect – not even AI, as it can malfunction and produce errors within your system. For example, if you use AI to set up code for your website, you may not be aware of known vulnerabilities within the code generated. If there is a malfunction or a bad string of code, it could have detrimental consequences for your business. More worrisome, if there is a critical vulnerability, threat actors can exploit that weakness within the AI-generated script, which could trigger a data breach or even a shutdown of your website. AI combs through millions and millions of pieces of data but lacks the reasoning to always make correct assumptions or to recognize bias, factual inaccuracies, or problems with data quality and accuracy in its inputs and outputs. AI also isn’t likely to recognize copyright or other intellectual property protections, but the legal system certainly does.
Always be sure to incorporate a human checkpoint with any AI use – it is your best chance to catch mistakes, to ensure things are accurate, and to ensure you are not putting in business-sensitive, confidential, or personal information that cannot later be retrieved. If you don’t implement comprehensive checkpoints, you may be exposing your business to potential negligence and a myriad of claims. Further, you should ensure that your business is compliant with any AI regulations that apply if you are using the technology.
5. Ensure you have proper cyber and insurance coverage
The 2023 Hiscox Underinsurance in Small Business Report revealed that 75% of small businesses in the U.S. do not possess sufficient insurance coverage. This means that small business owners could be left with potential financial liability for any claim over and above their insurance limit, or anything that does not fall within the scope of their policy. Importantly, many owners assume their standard coverage applies to cyber events, which is usually not the case. Specific cyber insurance is recommended for businesses of all sizes, which helps protect against the costs associated with a data breach or hack.
Although risk exists, AI is a groundbreaking tool that has the potential to take any business to the next level – that is, if it is being used properly. As a business owner, it is crucial to harness the opportunities while staying up to date on potential risks, so you can always stay one step ahead and protect your company.
Chris Hojnowski is the Head of Technology and Cyber at Hiscox USA, a leading insurer for more than 600,000 U.S. small businesses, freelancers, contractors, and others.