Introduction
It is common knowledge that when it comes to cybersecurity, there is no one-size-fits all definition of risk, nor is there a place for static plans. New technologies are created, new vulnerabilities discovered, and more attackers appear on the horizon. Most recently the appearance of advanced language models such as ChatGPT have taken this concept and turned the dial up to eleven. These AI tools are capable of creating targeted malware with no technical training required and can even walk you through how to use them.
While official tools have safeguards in place (with more being added as users find new ways to circumvent them) that reduce or prevent them being abused, there are several dark web offerings that are happy to fill the void. Enterprising individuals have created tools that are specifically trained on malware data and are capable of supporting other attacks such as phishing or email-compromises.
Re-evaluating risk
While risk should always be regularly evaluated it is important to identify when significant technological shifts materially impact the risk landscape. Whether it is the proliferation of mobile devices in the workplace or easy access to internet-connected devices with minimal security (to name a few of the more recent developments) there are times when organizations need to completely reassess their risk profile. Vulnerabilities unlikely to be exploited yesterday may suddenly be the new best-in-breed attack vector today.
There are numerous ways to evaluate, prioritize, and address risks as they are discovered which vary between organizations, industries, and personal preferences. At the most basic level, risks are evaluated by multiplying the likelihood and impact of any given event. These factors may be determined through numerous methods, and may be affected by countless elements including:
- Geography
- Industry
- Motivation of attackers
- Skill of attackers
- Cost of equipment
- Maturity of the target’s security program
In this case, the advent of tools like ChatGPT greatly reduce the barrier to entry or the “skill” needed for a malicious actor to execute an attack. Sophisticated, targeted, attacks can be created in minutes with minimal effort from the attacker. Organizations that were previously safe due to their size, profile, or industry, now may be targeted simply because it is easy to do so. This means all previously established risk profiles are now out of date and do not accurately reflect the new environment businesses find themselves operating in. Even businesses that have a robust risk management process and mature program may find themselves struggling to adapt to this new reality.
Recommendations
While there is no one-size-fits-all solution, there are some actions businesses can take that will likely be effective. First, the business should conduct an immediate assessment and analysis of their currently identified risks. Next, the business should assess whether any of these risks could be reasonably combined (also known as aggregated) in a way that materially changes their likelihood or impact. Finally, the business must ensure their executive teams are aware of the changes to the businesses risk profile and consider amending the organization’s existing risk appetite and tolerances.
Risk assessment & analysis
It is important to begin by reassessing the current state of risk within the organization. As noted earlier, risks or attacks that were previously considered unlikely may now be only a few clicks from being deployed in mass. The organization should walk through their risk register, if one exists, and evaluate all identified risks. This may be time consuming, and the organization should of course prioritize critical and high risks first, but it is important to ensure the business has the information they need to effectively address risks.
Risk aggregation
Once the risks have been reassessed and prioritized accordingly, they should also be reviewed to see if any could be combined. With the assistance of AI attackers may be able to discover new ways to chain different vulnerabilities to support their attacks. This may be completed in parallel to the risk assessment & analysis, but the organization should ensure this review is included as soon as they reasonably can.
Executive awareness & input
Throughout this process the organization’s executive team should be made aware of the changes to the businesses’ risk profile. This may include lunch & learn sessions discussing what AI is and how it is used, formal presentation of the reassessed risk register, or any other method that is effective. At a minimum the executive team should be aware of:
- Any changes to the organizations identified risks
- Any recommendations related to risk treatment options, or the organization’s risk appetite
- How effective existing controls are against AI-supported attacks
- Immediate or near-term risks that require immediate attention
In light of the recent SEC rulings (please see this blog for additional information) this step is doubly important for any organization that is publicly traded. Ensuring the executive team is properly informed is vital to support the effective and appropriate treatment of risk.
These recommendations are not all encompassing, however. Businesses must ensure they are adhering to industry best practices and have a sufficient foundation in place to support their program in addition to what was outlined above.
Conclusion
In today's rapidly evolving digital landscape, the advent of powerful language models raises new questions and challenges that organizations cannot afford to ignore. These models, and the malicious tools built from them, are reshaping the cybersecurity frontier, offering both advancements and vulnerabilities. Therefore, it is imperative for organizations to actively integrate the understanding of these new technologies into their ongoing risk assessments and governance frameworks. By doing so, they can not only protect themselves from emergent threats but also harness these technologies for competitive advantage. As the saying goes, 'the only constant is change.' In cybersecurity, the ability to adapt to change is not just an advantage—it's a necessity.