AI’s Dark Side: The Growing Menace of Cyberattacks

By: | March 14, 2024

Richard DePiero is Sompo’s EVP, Head of Sompo Pro, U.S., which provides solutions for Cyber, Technology, MPL, A&E and Lawyers Indemnity. In his current role, he is responsible for product development, setting the appetite, creating underwriting standards through assessing risk, industry forecasting, and portfolio management. He brings over 22 years of industry experience on both the carrier and broker side.

With all of the public attention that artificial intelligence (AI) has garnered over the past year, it’s no surprise that AI and its capabilities have captured the attention of cybercriminals as well. As 2024 gets underway, we expect to see AI further weaponized by bad actors as a force multiplier to broaden attack vectors, resulting in increased social engineering attacks across the board.

If there’s one thing that we have seen time and again in cybersecurity, it’s the perpetual need for organizations to stay vigilant to new means of attack. Bad actors are frequent early adopters of new tactics and technologies and are seeking ways to make their attacks more efficient. This is the time to get out in front of the threats.

How Are Threat Actors Leveraging Generative AI?

With the advent of GenAI, bad actors are now able to leverage AI to launch and support hundreds of attacks simultaneously, resulting in a higher “close rate” for their efforts. This weaponization of AI has the potential to greatly broaden these cybercriminals’ attack vector.

Computers don’t replace people, of course, but they certainly do multiply the workload. Take, for example, a threat actor who is looking to obtain employee usernames and passwords to gain access to a company’s system. Where once we might have seen a single individual coordinating a few attack targets at a time, the addition of trained AI now gives that same threat actor the capacity to support hundreds of attacks against an organization simultaneously.

Further, it gives non-native speakers the ability to “speak” more naturally, making it harder for victims to detect the threat. By its very nature, this economy of scale is going to drive more success when it comes to obtaining the desired credentials.

How Should Companies Be Preparing for These Threats?

We hear more often about massive events like ransomware and system outages, so it’s easy for non-Fortune 1000 organizations to believe themselves immune to this kind of attack. In truth, smaller entities are more vulnerable to social engineering tactics leading to funds transfer fraud schemes. While ransomware continues to generate press, social engineering leading to wrongfully transferred funds is now the leading cause of loss for entities under $1B in revenue. No business of any size can afford to remain unprepared.

Whether it’s a bot or a real person contacting your employees, ultimately it takes just one employee to let them in. But the more points of contact made, the higher the likelihood that someone on the team is going to inadvertently provide the credentials or changes that the bad actors are hoping to obtain. That’s why organizations of all sizes must redouble their efforts to deliver employee training in a targeted manner.

Example-based training on SMS phishing, or “smishing,” and phishing attempts by QR code, or “QRishing,” should be used to educate employees about what they are likely to see and to teach them to question and validate with whom they are communicating. Further, when wire instructions are updated, companies should always confirm the change through a different medium from the one in which it was requested. Plan these sessions now and reiterate the messages often.

Training people to make good decisions and instilling good business practices are still the baseline when it comes to combating cyber risk. In many ways this approach is getting back to the basics that we’ve been preaching in cyber risk management: There is no tool that can fully compensate for a lack of proper training for your employees.

How Is the Insurance Industry Responding?

Even when an organization’s security is good, it’s their people who can still be manipulated. As a result of the latest AI-inspired risk trends, underwriters and brokers now need to ask more specific questions about training and validation to ensure that insureds are in the best possible position to protect themselves against threat actors’ latest tactics for leveraging AI.

We’ve seen and responded to similar technology risk scenarios before; when companies migrated to cloud infrastructures, for example, underwriters had aggregation concerns long before we saw the actual losses emerge. Just as we saw then, it’s important to recognize the increased risk factor and prepare for the possibility of more loss now.

The Latest Weapons

As the cyber market continues to mature, it’s perhaps an apt analogy to say that cyberattacks have almost become like hurricanes. While preparation for an event is invaluable, sometimes it simply isn’t enough. Your house is damaged. Your system is breached. Funds are sent to a fake address. And that’s where the insurance industry comes in, to help make you whole again when that happens.

Reputable cyber insurers will have multiple experienced cyber breach response partners on retainer that can be deployed to mitigate an attack and get an organization back up and running. Whether it’s a law firm, a forensic investigation firm, a public relations firm or a technology restoration firm, cyber insurers have experience managing these events and will help navigate an organization through one of its worst-case scenarios as efficiently as possible.

Just as water finds a way, threat actors find a way.

More from Risk & Insurance