iscover
Malavika SanthebennurShare this article on:
Powered by
MOMENTUM
MEDIA
A CISO finalist at the inaugural Cyber Security Awards has singled out the growing use of AI as a major threat over the next year.
Wayne Williamson — chief information security officer (CISO), ANZ and emerging markets at Equifax — warned that artificial intelligence (AI) could increasingly be used by threat actors as a reconnaissance tool, or worse, an activity generator.
“In saying this, it’s really only a problem if an organisation either limits cyber security investment or doesn’t have a strategy covering future needs,” he told Cyber Security Connect.
“Organisations should invest in the ability to leverage data and analytics along with AI, and constantly seek automation and real-time active defence capability.”
Mr Williamson — who is a finalist in the CISO of the Year award category at the first Cyber Security Awards — said AI could also be used for people exploitation, particularly to deliver more sophisticated and personally tailored phishing attacks.
To combat this, new, innovative simulation methods and in-house training would be required to help staff and customers.
Alongside this, business email compromise could soon become deepfake videos from CEOs or chief financial officers (CFOs) delivering malicious intent messages either targeted internally or externally, Mr Williamson said.
“This could drive stock price changes, impact reputations of the executives or organisations, and impact the economy if utilities and critical infrastructure is targeted,” he said.
Organisations may also require additional resources amid regulatory changes, but accessing them in the face of talent scarcity and global shortages could be challenging.
“This could impact the pace at which organisations adhere to newly defined requirements and remain compliant,” Mr Williamson said.
Multifactor authentication has limits
Addressing current threats facing industries and networks, Mr Williamson said one of the key threats Equifax has been monitoring is multifactor authentication (MFA), which has long been the “go-to” control in a defender’s arsenal.
However, he said cyber criminals have found means to bypass MFA, whether through social engineering tricks or “brute force exhaustion”, testing the limits of the effectiveness of MFA.
“MFA, like many other security control solutions, shouldn’t be the only relied-upon measure or the end ‘tick in the box’, especially when protecting the ‘crown jewels’,” he said.
“In most instances, sure, MFA alone will help, but protecting your key assets needs strategic consideration on all aspects of threat abatement layers. The ‘M’ in MFA means multi — or more than the two-step process we generally see.”
Mr Williamson suggested coupling MFA with biometrics, authenticators, or smart cards, with the latter being deployed across the organisation and ideally within key suppliers who have access to the business’s environment.
“Depending on your use case, leveraging zero-trust principles, including dynamic authorisation (more regular and at certain points) and policy fine-tuning (restricting access even when authenticated for users who don’t need it), will provide added layers of protection,” he said.
CISOs need to collaborate with C-suite
Mr Williamson also pushed CISOs to collaborate with C-suite to understand how the cyber threat landscape aligns with the business’s strategic goals.
“This will enable cyber security expenditure to be calculated in line with business priorities,” he said.
“It will create an environment where entire organisations are primed to operate with an always-on, future-state mindset against threat actors. This would result in better-protected customer data, and a more mature understanding of supply chain risks and the impact a cyber attack can have on customers and the entire business.”
CISOs must drive cyber enterprise risks into the C-suite and company boards to define the continuous investment, strategic direction, and opportunities and help navigate the evolving regulatory landscape, Mr Williamson added.
He urged business leaders and CISOs to invest in cyber hygiene solutions, data and analytics, company training and culture, and opportunities that enable business growth and deliver solutions covering enterprise, regulatory, and customer requirements.
“We need to move away from the idea that the security function sits solely underneath technology as it does, unfortunately, in many organisations today,” he concluded.
To gain more insights on how CISOs can work with their organisation to boost their cyber security posture, come along to the Cyber Security Summit 2023.
It will be held at Hotel Realm, Canberra, on Thursday, 1 June.
Click here to buy tickets to the summit and awards and don’t miss out!
For more information, including agenda and speakers, click here.
Be the first to hear the latest developments in the cyber industry.
