Nash Squared CISO, Jim Tiller, talks about the surprising cyberattack data in our 2023 Digital Leadership Report, what might be behind it and what to look out for in the future. This article first appeared on ComputerWeekly.com.
Every week, we continue to read in the press or hear from our networks about another major cyber incident somewhere. On the face of it, therefore, one of the most surprising findings from this year's Nash Squared Digital Leadership Report is that major cyberattacks are falling.
In its 25th year of publication, the report found that across more than 2,100 technology/digital leaders surveyed globally, the proportion experiencing a major cyberattack in the last two years has fallen to 23%, down from 28% in our 2022 report. Amongst large organisations specifically, a higher proportion report a major incident: more than two in five, at 44%. But there has been an even bigger fall here from 2022, when it was 56%.
I believe this shows that our perspectives on cyberattacks are changing. Quite simply, there are so many attacks now that cyber and technology professionals have become hardened to them, and what they class as 'major' has changed. Whereas a few years ago, a short DDoS (Distributed Denial of Service) or small data breach might have been a major crisis that sparked a midnight call to the CEO, now it's become much more 'routine'.
Our view of cyber risk is changing. The bar has been raised on what constitutes a major attack. It's another example of how humans are quick to recharacterise the environment around them.
There could be a positive deduction to draw out of this as well: it may be that more organisations are strengthening their cyber defences and heading attacks off.
Certainly, some sectors like financial services and central government continue to raise their game (while others continue to lag), investing in sophisticated protection systems, threat detection and response capabilities, as well as continually reminding the whole workforce of the importance of good cybersecurity protocols.
However, even the most advanced organisations continue to be attacked. Hackers aren't going to give up because they haven't got through. If anything, it makes them try harder. It's a numbers game, after all. And their tools and techniques are shifting and becoming more sophisticated all the time. No organisation can afford to let its cybersecurity posture slip for even a moment.
Unfortunately, we can't take the headline finding as a sign that businesses are 'winning' the cyber battle. It's more nuanced and complicated than that. And the very moment you tell yourself you are winning is probably the moment you open yourself up to fail!
There's another reason why we can't become complacent: new threats are coming that could dwarf anything we have seen to date. Generative AI has become today's hot ticket, with seemingly every business trying to work out how to leverage its incredible capabilities. But while generative AI holds enormous positive potential, it could also be a gift to cybercriminals.
The communiqué signed by attendees of the UK government's AI summit of world leaders warned that AI systems could be used to launch cyberattacks and create bioweapons, and that it is 'especially urgent' to address the risks.
The success of cyberattacks is often dependent on their ability to scale - swamping and overwhelming an organisation's defences - and their ability to mimic real humans (as in a phishing campaign). It doesn't take long to see how generative AI could help a cyber attacker with both of these.
We are already seeing instances of incredibly convincing, tailored phishing emails that appear to have been generated with AI. In time, the success rate of phishing campaigns could jump from roughly 0.1% today to something like 20%. The implications are sobering.
Phishing would only be the start. Cybercriminals are also engaging in training-data poisoning (sometimes termed 'AI poisoning'): corrupting the data a model is trained or fine-tuned on so that what it learns is false, biased or outright malicious. Because a single poisoned model is then deployed or copied across many systems and networks, the damage is replicated and massively multiplied wherever its output is trusted, with terrible consequences.
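To make the poisoning mechanism concrete, here is an added toy demonstration (not part of the original article, and not Nash Squared's code) using a constructed email corpus and a from-scratch naive Bayes spam filter. An attacker who knows the wording of their next campaign slips four look-alike messages, labelled as legitimate, into the filter's retraining feed (for instance via a 'not spam' feedback button). After retraining, the campaign message sails through, while a generic phish is still caught, which is why an aggregate accuracy check alone does not reveal targeted poisoning. The final function shows the check a practitioner would actually want: score every new submission with the model built from the trusted corpus before letting it into training. All messages, labels and the attacker's submissions are made up for the example.

```python
"""Training-data poisoning against a spam/phishing filter: constructed toy.

Added illustration, not the article's own material. The corpus, the
attacker's campaign message and the poisoned submissions are all made up,
and the classifier is a minimal multinomial naive Bayes (add-one smoothing)
written from scratch so the script runs offline.
"""
import math
import re
from collections import Counter

# Constructed trusted corpus: what the filter was originally trained on.
CLEAN_PHISHING = [
    "urgent: verify your account password now or it will be suspended",
    "click the link to confirm your bank login details immediately",
    "your mailbox is full, login here to reset your password",
    "security alert: unusual sign in, confirm your credentials at this link",
    "final notice: update payment details or lose access",
]
CLEAN_LEGIT = [
    "the quarterly report is attached, let me know if you have questions",
    "lunch on thursday? the new place near the office looks good",
    "reminder: team meeting moved to 3pm in room b",
    "thanks for the slides, i will review them tomorrow",
    "can you send me the minutes from monday's call",
]
# Constructed attacker input: the wording of a forthcoming campaign, and four
# look-alike messages the attacker pushes into the retraining feed (e.g. via a
# 'not spam' feedback channel) labelled as legitimate.
CAMPAIGN = "urgent security alert: confirm your password at this link now"
POISON = [
    "security alert: confirm your password at this link",
    "urgent: confirm your password at this link now",
    "security alert: your password, confirm at this link now",
    "urgent security alert: confirm at this link now",
]


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self):
        self.doc_counts = Counter()  # label -> number of training documents
        self.tok_counts = {}         # label -> Counter of tokens
        self.vocab = set()

    def train(self, labelled):
        for text, label in labelled:
            self.doc_counts[label] += 1
            counts = self.tok_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.vocab.add(tok)
        return self

    def log_score(self, text, label):
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        counts = self.tok_counts[label]
        denom = sum(counts.values()) + len(self.vocab)
        return math.log(prior) + sum(
            math.log((counts[tok] + 1) / denom) for tok in tokenize(text))

    def predict(self, text):
        return max(self.doc_counts, key=lambda lab: self.log_score(text, lab))


def labelled(texts, label):
    return [(t, label) for t in texts]


def clean_model():
    return NaiveBayes().train(labelled(CLEAN_PHISHING, "phishing")
                              + labelled(CLEAN_LEGIT, "legit"))


def poisoned_model():
    """Retrained with the attacker's submissions accepted at face value."""
    return NaiveBayes().train(labelled(CLEAN_PHISHING, "phishing")
                              + labelled(CLEAN_LEGIT, "legit")
                              + labelled(POISON, "legit"))


def vet_submissions(trusted, submissions):
    """The check: score each new 'legit'-labelled submission with the model
    built from the trusted corpus before it enters training, and hold back
    anything that model already calls phishing. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for text in submissions:
        (accepted if trusted.predict(text) == "legit" else rejected).append(text)
    return accepted, rejected


if __name__ == "__main__":
    clean, poisoned = clean_model(), poisoned_model()
    print("clean model on campaign   :", clean.predict(CAMPAIGN))     # phishing
    print("poisoned model on campaign:", poisoned.predict(CAMPAIGN))  # legit
    # A generic phish is still caught, so aggregate accuracy would not reveal it.
    generic = "confirm your login details at this link immediately"
    print("poisoned model, generic phish:", poisoned.predict(generic))  # phishing
    ok, bad = vet_submissions(clean, POISON)
    print("vetting rejected", len(bad), "of", len(POISON), "submissions")  # 4 of 4
```

The same shape of attack applies to any model retrained on user-supplied feedback; the vetting step is a cheap control, but it only works if the baseline model was itself built from a corpus the attacker could not write to, which is the real point of governing training data provenance.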
There is also malware. So far, generative AI's coding abilities have been relatively basic. But it is improving rapidly, far faster than a human can learn. It may not be long before generative AI can produce and vary malicious code faster than conventional defences can keep up with it. Malware potency could hit new levels, and the cyber industry will need all its skill and investment (and some help from 'good' AI) to combat it.
Then there is quantum computing. We are already beginning to see Quantum as a Service (QaaS) being offered, where quantum processors are made available to users over the cloud. It may not be long before the scaling and networking challenges of quantum are solved so that quantum computing becomes available on a mass scale. Users, including cybercriminals, could have access to thousands if not tens of thousands of error-corrected qubits, which is the scale at which today's public-key algorithms come within reach.
This would put almost unimaginable computing and processing power into users' hands. From a cybersecurity perspective, the public-key cryptography that underpins almost every secure connection (RSA, Diffie-Hellman and elliptic-curve key exchange and signatures) would be broken by Shor's algorithm; symmetric ciphers such as AES would only be weakened, roughly halving their effective key length, which larger keys can compensate for. Because a customer's secure transaction with their bank, or the traffic over a VPN, negotiates its session keys with exactly that public-key cryptography, the keys and therefore the data would no longer be protected. Worse, encrypted traffic being recorded today could be decrypted once the capability arrives, so an adversary that harvests now can read those communications later. The digital signatures that control ownership on blockchains could be forged, letting an attacker spend from addresses that are not theirs. That kind of quantum scenario may be a little way off, but the mitigation is already known: post-quantum algorithms are being standardised, and organisations need to inventory where they rely on vulnerable public-key cryptography and migrate before the capability arrives, because data captured today cannot be re-protected after the fact.
There is no doubt that, with the new and emerging technologies that are coming, the cyber challenge could be massively amplified. That's why organisations simply have to keep on investing in their defences and get used to the thought that the battle is never over, and never won.
The author is Jim Tiller, CISO, Nash Squared. The Nash Squared Digital Leadership Report 2023 is based on the world's largest and longest-running annual survey of technology/digital leadership. Over the last 25 years, the research has taken in the views of over 50,000 technology leaders.