Even cybersecurity companies can fall victim to artificial intelligence (AI) scams these days. Take KnowBe4, a prominent cybersecurity training company. The company decided to hire a team member for its internal IT team. Through four interviews, the hiring team found nothing amiss.
As soon as the employee was hired, he started installing malware onto his work computer. KnowBe4 later realized that the team member had used AI to disguise his identity during the job application process, and likely faked his interview as well. KnowBe4 now believes the employee was actually a mole from an IT farm in North Korea.
AI threats like these are exacerbating an already difficult cybersecurity landscape. It is harder than ever before to detect threats, and easier than ever to fall for scams. What should companies do? Most importantly, they should recognize that humans are still the weakest link in the cybersecurity ecosystem, and make sure their employees are trained to pause before taking action on anything unexpected.
The Dawn of AI Cyber Threats
We are just at the precipice of a revolution in artificial intelligence that will make cybersecurity far more challenging than it has ever been. Cybersecurity threats have existed for as long as the internet has been around, but AI is making it easier than ever to carry out scams and interfere with business. To take just a few examples:
- Human Resources: As with KnowBe4, fake job applicants are increasingly seeking to fill real positions; if they get hired, they can install malware, collect confidential information, or otherwise interfere with business operations.
- Legal: An AI-generated law ‘firm’ has been sending real-looking legal threats to companies.
- Marketing: AI-enabled spam is flooding the internet with poor search results, making it hard for legitimate businesses to stand out from the crowd.
- Finance: Deepfake scams are increasingly enabling scammers to impersonate corporate officials and vendors, increasing the risk that companies will be scammed out of funds.
As AI gets better and deepfakes become more realistic, the risks to companies will continue to grow. Increasingly, threats will combine the personal and the professional; extortion scams involving high-profile executives, for instance, are on the rise.
To Combat AI Scams, Put Humans First
What can businesses do to respond to this new threat landscape? To start, they should realize that humans remain their biggest vulnerability—and the biggest defense against bad outcomes.
Here are some approaches that companies should consider implementing to mitigate the risk of AI-based cybersecurity fraud.
Take A Pause. AI is particularly effective at social engineering: using fear or urgency to convince employees to click on something they shouldn’t. Campaigns like PauseTake9, initiated by Craig Newmark of Craigslist, encourage people to take a moment before clicking on unfamiliar or unexpected asks. Incorporating efforts like PauseTake9 into the corporate culture can help workers shore up their own defenses, which in turn strengthens the company's cyber defenses.
Make Training Active. Most companies require cybersecurity training. And most of these trainings are wildly ineffective. It is easy to guess the answers to the tests, or to meet the requirements just by having the videos playing in the background with the sound off.
Businesses need to invest in real, interactive trainings to help employees spot AI-generated risks. Give employees real and generated videos and help them spot the differences. Send fake phishing scams on a regular basis and give employees who fail them remedial assignments. Create a contest for the most phishing scams reported—and give the winner a big prize. By making training interactive and unavoidable, you have a better chance of preparing employees for success.
Share What You See. Companies also should make sure employees understand the risks that are occurring in the real world. Share newsworthy examples of AI phishing scams and deepfake attacks on a regular basis with employees, both to keep the risk top of mind and to make sure they know what to be looking for.
Make Systems Harder To Game. Businesses should also work to make their systems harder to game. Require multifactor authentication. Increase the complexity of passwords. And when in doubt, make sure that you compartmentalize sensitive systems; that way, even if one system gets breached, the malicious actor does not get the keys to the kingdom. KnowBe4 prevented serious harm because it did not give its new ‘employee’ access to sensitive systems during his probation period.
Prioritize Cybersecurity Despite Uncertainty. This is a particularly difficult moment at which to invest in cybersecurity, given broader market and political insecurity. But at root, prioritizing cybersecurity is always a good investment. Given the growth of AI threats, this is a moment in which it makes sense to be prepared. Today’s investments are the best way to prevent tomorrow’s hacks.