CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the first blog post in a series of four for 2023.
There’s little doubt that 2023 will be remembered as the year that generative AI platforms like ChatGPT took centre stage. Using highly sophisticated algorithms that simulate human cognitive processes, these platforms or “chatbots” can analyze large amounts of data, generate responses to human input, make decisions, solve problems, and even write computer code. It’s hard not to be impressed, and just a little bit alarmed, when we see the impact this technology has already had in almost every field of human endeavour in just a few short months.
For all its benefits, generative AI has a dark side
But for all the benefits that generative AI provides, there’s also a dark side to its powerful capabilities. In one set of hands, AI-powered tools can help improve cybersecurity preparedness; in another, bad actors can use the tools to identify and exploit network vulnerabilities. For Canadian cybersecurity professionals, this is a major cause for concern. According to the 2023 CIRA Cybersecurity Survey, almost 7 in 10 organizations (68 per cent) are worried about potential cyber threats from generative AI.
Among specific concerns, respondents identified data gathered by AI tools (61 per cent), improved phishing emails and texts (58 per cent), and deepfake images and videos (40 per cent) as their top three.
Are these concerns well founded? Based on the emerging evidence, the answer is a resounding yes. Almost from the moment ChatGPT became available to the general public, hacktivists began demonstrating how it could be hacked and weaponized, despite the security protections put in place by the platform’s developers. By devising ingenious prompts, they were able to use ChatGPT to create sophisticated phishing emails, automated cyber attacks, and deepfake content.
Today, it’s not hard to imagine an aspiring hacker with very little skill using ChatGPT in this manner to generate a persuasive phishing email that could easily be used to steal sensitive information. At the other end of the spectrum, professional cybercriminals have amassed an in-depth knowledge of the illicit uses of generative AI and continue to refine the tools at their disposal to inflict maximum damage on their targets.
Canadian organizations must prepare for the worst-case scenario
The data from the Cybersecurity Survey shows that despite their concern with the new breed of cyber threats they’re facing, most Canadian organizations are not well prepared to defend themselves against them. Only a few have adequate policies in place to prevent, protect and educate their teams about the nature of these attacks. In fact, only 3 in 10 organizations (32 per cent) reported having an AI policy in place, despite the rise in automated attacks and data breaches. This is especially concerning when we consider the extent to which organizations rely on remote work and cloud computing to conduct their day-to-day operations.
The use of outdated cybersecurity technologies is another troubling finding with over one-third of organizations (37 per cent) reporting that they are still using technology released prior to 2010.
Fortunately, as hackers continue to devise new ways to create havoc, cyber-defense technologies are also getting upgrades from the power of AI. From user and entity behavioural analysis to large dataset graph analysis, cybersecurity teams are harnessing the power of advanced algorithms to spot malicious behaviour amongst the increasing volume of noise.
As an industry leader with a mission to build a trusted internet for Canadians, CIRA helps organizations prepare and protect themselves against threats by offering a suite of enterprise-grade cybersecurity products – made by and for Canadians. These include the CIRA DNS Firewall and CIRA Anycast DNS.
Launching an effective cybersecurity awareness training program is another critical step for protecting your organization from the full range of rapidly evolving cyber threats. To learn more, check out these tips for implementing continuous cybersecurity awareness training.
