As generative artificial intelligence is being rapidly adopted across every area of life and work, cybercrime is no exception, triggering what experts describe as a fast-moving arms race between attackers and defenders.

A survey conducted by the business technology analyst firm IDC found that 76% of New Zealand organisations have encountered at least one AI-powered attack in the last year, and just 14% are very confident in their ability to defend against them.

The Fortinet-sponsored research asked cybersecurity leaders across the country about their perspectives on defending against AI-powered threats.

Glenn Maiden, Fortinet’s chief security officer in Australia and director of threat intelligence operations at FortiGuard Labs Australia and New Zealand, says the use of AI for cyber attacks is rapidly evolving.

“Attackers can use AI to help them in a number of different ways. Obviously, there are deepfakes where you’re trying to trick the end user, but it could even be things like attackers with English as a second language using AI to craft realistic scripts.”

But defence practices are also evolving, with new approaches helping alleviate cybersecurity challenges.

Overconfident, underprepared

Almost half (43%) of the surveyed cybersecurity leaders said that AI threats are outpacing their detection capabilities and 14% said they have no ability to track them at all.

Furthermore, academic research has found that people are generally no better at detecting deepfakes than just guessing, and they overestimate their ability to detect them. Deepfakes are also becoming harder to detect and easier to tailor to specific targets, Maiden says.

“AI will scrape the internet to know what you post on social media, what you care about, what's on your LinkedIn, what you do for your job and your job history. It's going to know a fair bit about you before it even opens its virtual mouth.”

This familiarity is especially exploited in social engineering attacks, where that knowledge is used to manipulate people into offering up sensitive information, or even transferring money directly.

Exploit acceleration

While deepfakes may be the most high-profile form of AI threat, the most insidious is AI-enhanced vulnerability discovery and weaponisation. 

Maiden says it used to take months for an attacker to reverse-engineer a vulnerability patch and find a way to weaponise it. With AI, they can do it in a matter of days.

“Our research indicates it’s an average of 40 days for most big organisations to roll out a patch because they've got to do testing to make sure it doesn't break anything,” he says. “When the bad guys are weaponising a vulnerability in days and it's taking us weeks to patch, obviously it makes it really easy for a bad guy to hit a system.”

Maiden says that good processes and people can help mitigate these and other threats, AI-powered or not.

Too few people, too little money

Fifteen per cent of Kiwi organisations have a standalone chief security officer, and just 6% have a purpose-built team for specialised security functions. More than half said they were overwhelmed by the volume of threats and had difficulty retaining talent.

While nearly 80% reported an increase in security spending, only an average of 9% of annual revenue went to IT, and just 15% of that IT budget went to cybersecurity.

Maiden says the talent shortage in the field is a perennial concern and that spending doesn’t always reflect risk, especially as being hit by an attack is almost an inevitability.

His advice is to see where efficiency gains can be made, such as taking simple and routine tasks off experienced people or assessing the services you might be buying through a managed services provider.

“Sometimes it might be just looking at your own people and processes and optimising them. I'd be looking at doing that alongside or even before a new technology spend.”

Fortunately, the research found that many organisations were already looking at streamlining their technological approach to reduce complexity.

Convergence and consolidation

While the rate of change in cybersecurity may be turbocharged by AI, the volume and types of security threats have been growing for decades, and so too has the number of tools needed to combat these threats.

The IDC research found that 44% of respondents said tool sprawl was a top-three challenge their organisations were facing.

To combat this, 90% of the organisations had converged networking and security, and 63% were working toward vendor consolidation. This trend is about moving toward a single platform where an organisation can manage all of their security needs.

This saves time and money by reducing certification needs or doing away with manual data transfer between systems.

Maiden says this is a change of philosophy in the industry as previously, best practice was getting the best product in each category from as many vendors as was needed.

“Then they came up with the idea of fabric, and then that morphs into this platform idea. The idea is that there's savings to be made, both financial but also operational and better dividends by reducing it to the smallest and most efficient number of tools possible.”