AI’s impact on cybersecurity
AI is not only increasing the number of cyberattacks, but also making them more sophisticated. The best protection could be AI itself.
Cybercrime is the dark underbelly of the digital world. Hacking, phishing, and planting malware are just some of the activities criminals engage in to illicitly access information and funds from both companies and individuals.
And as technology improves, so too do the cyberattacks. Artificial intelligence is a case in point, as this hot technology is not only enabling a significant increase in the number of scams, but also improvements in the sophistication of attacks. The scale of cybercrime is enormous. In 2024, cybercriminals earned USD1 trillion [1], and this number is only set to grow alongside the digital economy.
The most obvious costs of a cyberattack on a company are financial, with the average cost globally of a data breach at USD4.9 million [2]. But beyond the monetary costs, a successful attack can result in reputational loss, as well as money being spent on implementing security measures to prevent a further attack.
Take ransomware for example. The ransom itself is only part of the financial damage: “Let’s say a threat actor asks for USD1 million, the repercussions across the company could be at least USD5 million,” said Isabelle Meyer, Co-CEO and Co-Founder, ZENDATA.
She also highlighted the growing range of bad actors online. There are not only organised criminal gangs, but also large-scale attacks conducted by governments. AI is also making criminal activity more accessible, as people with relatively little technical expertise can buy a hacking toolkit from the dark web and use it to launch an attack.
The new digital risks
There are two broad categories of cybersecurity threats. The first is vulnerabilities in the legacy software that many large enterprises rely on. The other is social engineering, where phishing attacks attempt to acquire sensitive information.
What AI has done is significantly reduce the time it takes for criminals to exploit an opening, said Stuart Riley, Group Chief Information Officer, HSBC.
“If you go back a few years, it would have taken a threat actor days – or even months – to organise themselves to take advantage of a newly discovered vulnerability,” he said.
“The availability of hacking kits has shortened the time to just seconds, and in some cases almost instantly. AI can generate an attack code extremely quickly, which has changed the game completely.”
A large legacy system could have vulnerabilities that number in the thousands, with more being discovered all the time. There are so many potential issues that it is difficult even to prioritise where to start plugging the gaps. At the same time, there is also a global shortage of cybersecurity professionals who can do this kind of work, which makes the people who are already in the market expensive to hire.
AI as a defence mechanism
The good news is that AI is an effective tool to defend against cyberattacks. One of the main sources of system vulnerabilities is human error made in the original programming. AI can help programmers write software that is safe from attack.
“We are not going to replace software developers, but help them build codes that are by default resistant and without vulnerabilities,” said Ms. Meyer. She added that this kind of AI assistance complements the work of programmers by also helping to remove large amounts of manual work.
The financial industry, for example, holds sensitive client data, yet each company has only a finite budget for cybersecurity. The problem is more acute for smaller businesses, which will have a much smaller capacity to invest in defending their networks. AI will therefore play an increasingly important role by cost-effectively automating protection against cyberattacks.
Formulating a secure data policy
AI also highlights the need for robust data policies. This is because, in order to deploy AI at scale, large amounts of data have to be centralised in one place, providing the models with the training information they need. The drawback of bringing a company’s data together is that it can all be stolen in a single attack, whereas attacks on older legacy systems, where data is held in a more fragmented manner, only result in a partial loss of information.
A comprehensive data policy can help protect a company’s information, covering everything from who has access to data to how long they can hold it.
The panel discussed whether regulation is necessary to ensure that companies have the right policies in place. On the one hand, there was some agreement that excessive rules could impede innovation; on the other, panellists pointed out that sectors lacking regulations governing how data is stored are subject to more attacks than sectors that do have regulations.
Mr. Riley said that although the financial industry is highly regulated, with clear guidelines on data management, the third parties that a bank partners with may well lack rules that require an adequate data policy.
“We like to make sure our third-party partners have raised the bar themselves to take care of cybersecurity,” he said. “But there is also a need for a level playing field for how companies tackle cyber security, and regulation could play a part in creating one.”

HSBC Global Investment Summit
The second HSBC Global Investment Summit took place from 25 to 27 March 2025 in Hong Kong, bringing together over 4,000 delegates to discuss the trends and topics shaping the global economy.