Early this year, there was a reported case in Hong Kong in which scammers tricked one organization out of HK$200 million, about US$26 million, by impersonating the group's C-suite using advanced AI-enabled deepfake technology. This was said to be one of the first deepfake video conference scams in which the victim was given instructions in the speech of the group's C-suite; unknown to the victim, the video conference and the speech were a pre-recorded deepfake video.
This is one example of how the rapid development of new technology, such as AI, is being used to execute high-technology fraud. As we navigate through an increasingly digital era, the importance of robust cybersecurity measures cannot be overstated. The cybersecurity landscape is continuously evolving, with new threats emerging almost daily. This article provides an overview of the current trends, future forecasts, and practical recommendations for those individuals and organizations looking to prepare for the next big threat to protect their "crown jewels" in the digital world.
Firstly, the cyber-attack surface is increasing significantly. Organizations are moving their data to the cloud, employees are connecting to the corporate network at any time, from any place and using any device, partners and suppliers are more tightly integrated into the product and service chain, and clients find it more convenient to engage with the business online. All these shifts increase the number of digital touch points, which in turn increases the size of the potential cyber-attack surface.
Secondly, cyber-attacks are becoming more sophisticated. Ransomware attacks, where attackers encrypt an organization’s data and demand payment for its release, have seen a significant increase. According to recent studies, such attacks have escalated by over 150% in the past year alone. Additionally, the expansion of the Internet of Things (IoT) has opened new avenues for cybercriminals to exploit vulnerabilities in connected devices. Phishing attacks also continue to be a major threat. These attacks, which trick individuals into providing sensitive information by masquerading as trustworthy entities, are becoming more sophisticated, leveraging AI to create highly convincing fake messages and websites.
Thirdly, authorities and regulators globally are catching up and raising the bar on their expectations for governance, risk and compliance, including areas such as cyber security, data privacy, and operational resilience. A good cyber security leader should also be an expert who understands clearly what the obligations and expectations are, what the corresponding impacts on the cyber security framework are, and what new technologies, such as AI and automation, and planned enhancements are available to support cyber defense.
Cyber security is indeed the top priority across industries globally. In the World Economic Forum (WEF)’s Global Risks Report 2023, “Widespread cybercrime and cyber insecurity” was listed 8th among the top 10 global risks, and it was rated 4th among the top 10 global risks in the WEF’s Global Risks Report 2024. The discussion of cyber security topics has now become embedded in the agendas of senior management forums and even board meetings across all industries.
People are the weakest link in the whole cyber security defence. No matter how many layers of defence have been put in place, or how much advanced security technology you have implemented, do not forget about people. A single click on a phishing email attachment by one of your staff might open the initial penetration point for the bad guys. Those bad guys intend to hunt for the lowest-hanging fruit. Training, awareness and even phishing exercises are needed.
With AI evolving in the past few years, especially Generative AI in the past year and a half, the real benefit of AI is coming closer for CISOs. From cyber intelligence collection & analysis to the automation of malicious code scanning, there are many opportunities for AI to be used in cyber security defence. Organisations should start to explore more or even invest more in AI to raise the bar of cyber defence by materializing the real benefits of AI in terms of productivity, efficiency, knowledge management, and content personalization, etc.
The CISO role is not a separate silo when it comes to responding to evolving cyber threats. In the past, the CISO might have been part of the IT function in many organizations, where security problems used to be considered IT problems only. The perception and the reality have shifted significantly in the past few years as people start to acknowledge that cyber risk is no longer purely an IT risk and should be managed as an enterprise risk. As a result, the CISO’s voice is no longer heard purely in IT management meetings, but is becoming more and more influential and vocal in business meetings and even board meetings.
Coming together is a beginning, keeping together is progress. And working together is a success. Let us work together -- learn, share and shape the future of cyber security and prepare for the next Big Threat together.