Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Dealing with turbocharged cyber threats

As if the cyber threatscape weren’t bad enough, hacking has become an easier endeavour thanks to AI, writes Sandra O’Connell

Cybersecurity is no longer solely an IT issue – it is now a core business resilience issue for firms of all sizes
Cybersecurity is no longer solely an IT issue – it is now a core business resilience issue for firms of all sizes

Fraudsters are now using AI to identify vulnerabilities in targets, as well as to automate and enhance their attacks, making them faster and harder to detect.

Anthropic’s Claude Mythos, an unreleased frontier AI model capable of hacking operating systems, web browsers and critical infrastructure, has demonstrated its ability to autonomously identify and exploit so-called zero-day vulnerabilities.

These are security flaws in software or hardware that even the vendor is unaware of. Such is its power that the company is holding back public release of the technology.

For SMEs without the deep pockets of global corporations, the question is clear: how do they protect themselves in this new and more dangerous environment?

“Cybersecurity is no longer solely an IT issue – it is now a core business resilience issue for firms of all sizes,” says Stephen Browne, head of public affairs at Dublin Chamber.

Yet a recent survey from Technology Ireland ICT Skillnet and AI Ireland found that more than 60 per cent of Irish business leaders feel low or no confidence in their organisation’s AI capabilities.

The level of uncertainty out there is what prompted tech expert Karen Murphy to set up Kamu Consulting earlier this year, filling the gap between the large-scale enterprise AI conversation owned by big consultancies and tech vendors, and what growth-stage Irish businesses actually need.

“It’s about helping leadership teams identify where and how AI can help their business from a growth, efficiency and organisational point of view, cutting through all the noise,” says Murphy.

While the advent of AI-powered scammers is a concern, the good news for SMEs is that their defence doesn’t have to rely on souped-up and expensive cybersecurity solutions. It’s about behaviour, not software.

Karen Murphy, Kamu Consulting
Karen Murphy, Kamu Consulting

“It’s less about spending lots of money on technology to stay protected, and all about governance,” says Murphy. “Unfortunately, there are very many SMEs who are adopting AI fast but not putting actual rules around it.”

For example, one of the biggest risks to any company right now is that their employees are putting data into chatbots without realising the risks associated with that. “Luckily, that’s quite an inexpensive issue to fix. You don’t need to spend lots of money to set up a one-page AI policy.”

Currently organisations of all sizes are encouraging staff to play around with AI, to get a sense of how it might best be used.

That’s fine, as long as that does not include commercial or sensitive information. “It’s about being really cautious and not putting anything in that you would not want to appear externally, whether that be your own company P&L information, proprietary information, or data that you hold on customers and clients,” says Murphy.

After that, it’s all about ensuring good security hygiene is practised, such as the use of strong passwords, two-factor authentication, ensuring that software and patches are kept up to date, and that rules are adhered to around the sharing of data. “It’s all the simple things that don’t require additional budget.”

That includes being alert to the possibility of deepfake calls and videos, and having a protocol in place to verify them.

Dani Michaux, EMA cyber security lead, KPMG
Dani Michaux, EMA cyber security lead, KPMG

“No chief financial officer is going to blame anyone for saying ‘I’m uncomfortable with this because this is not what I was expecting from you, let me call you back’,” says Murphy. “Again, it’s the basics which are not going to cost money but will require training.”

That goes for everyone in the organisation. “This is not the CTO’s responsibility; this is about organisational behaviour. Everybody is putting data in, using information to create things and work up plans, so it’s everybody’s responsibility.”

Ensuring everyone understands the risks, and that clear policies are communicated, is even more vital given the fact that many employers might not even be aware their staff are using chatbots.

Such unsanctioned use, often called “shadow AI”, and the blind spots it creates for employers is something Dani Michaux, EMA cyber lead at KPMG Ireland, has flagged. It’s not just a large corporate problem either, she points out, but goes right throughout supply chains, which means it’s an SME problem too.

Part of the challenge facing organisations of all sizes is the speed at which AI is developing.

“At a high level AI is going to change the game, but maybe not in the way headlines suggest. It’s less about entirely new types of attacks and more about two very simple things happening at the same time – attacks getting faster, and attacks getting more convincing,” says cyber expert Sam Glynn of consultancy Secure And Assure.

Sam Glynn, cyber security expert
Sam Glynn, cyber security expert

“AI isn’t just going to create completely new threats. It’s taking what already works for attackers and making it faster, cheaper and far more believable.”

Until recently, phishing emails were relatively easy to spot, whether as a result of bad spelling or slightly “off” tone. Thanks to AI, that’s no longer the case.

“Now you’re looking at emails that read perfectly, phone calls that sound like your colleague or boss and videos that look real enough to make you panic,” says Glynn.

He points to a recent case in the UK where a school’s posting of a girls’ sports team resulted in a scammer using the girls’ faces to create deepfake videos, and demand a ransom to prevent them being released, as a case in point.

“Authorities are now warning schools and clubs to rethink publishing images of minors online. It looks like us data privacy nerds were right all along – we’ve been telling people that if you publish usable data, someone will eventually weaponise it. AI just makes that easy and fast,” says Glynn.

AI also helps attackers find and exploit technical weaknesses more quickly.

“If you haven’t fixed vulnerabilities that were known and patched 100 days ago, worrying about AI finding a brand new one today is missing the point. The door is already open.”

So how worried should organisations be? “Worried enough to change behaviour,” says Glynn.

“That sounds dramatic but think about how people already behave with phone calls. Years ago, if your phone rang, you answered it. Then we stopped answering unknown numbers. Now plenty of people don’t answer calls even if a number is displayed, because they don’t trust that the number is real. We are heading the same way with email and digital communication generally. If something is high value, sensitive or urgent, then you verify it properly.”

He likens the advent of an AI-powered threatscape to climate change. “In Ireland, we’re used to rain. So we carry umbrellas and stand under trees. That works in a normal climate. But in a lightning storm, that behaviour gets you into trouble. Right now, it feels like we’re moving into a permanent lightning storm. The environment has changed, so our behaviour has to change with it.

“For SMEs, the slightly boring answer is still the right one. The basics still apply, more than ever. So, keep systems up to date, fix known vulnerabilities, use multi-factor authentication on everything important, train and maintain awareness among staff, have backups that work and can’t be wiped, and ensure large payments require human review and double checking.”

A few years ago, people were worried about cookies tracking our activity online. Now they are typing the details of their business or their lives into AI tools with almost no thought. That has to stop.

“If you wouldn’t put it on a poster in your local supermarket noticeboard, don’t put it into a free AI tool,” says Glynn.

“At a minimum use paid, business-grade tools where possible, understand what happens to your data, and assume anything you put into a free tool may not stay private. If you’re not paying for the product, you are the product.”

Sandra O'Connell

Sandra O'Connell

Sandra O'Connell is a contributor to The Irish Times