Production Perig - stock.adobe.c

AI is no silver bullet for cyber security

A security expert has called for businesses to manage the risks of adopting new technologies and improve their cyber hygiene, rather than see artificial intelligence as a panacea for their security woes

Business leaders put too much faith in using artificial intelligence (AI) to solve their cyber security problems, and should instead focus on educating users on cyber hygiene and managing risks, according to a cyber security expert.

Speaking at the Cloud Expo Asia conference this week, Daryl Pereira, partner and head of the cyber security practice at KPMG Singapore, cited the consulting firm’s research, which found that 86% of CEOs believed AI will be the silver bullet for cyber security challenges.

“I would say that they are overly optimistic, and there is a danger there,” said Pereira, noting that although AI can detect anomalies and security issues much more quickly than humans can through techniques such as behavioural analytics, the same tools are also available to cyber criminals to carry out attacks.

He said there is also a lack of understanding about how AI applications learn, which could lead to the exploitation of weaknesses in an organisation’s cyber security set-up.

“AI is not a silver bullet – when you look at the technology, you have to make sure that senior management is aware of its risks and you don’t invest in it unless you already have good cyber hygiene – starting with people,” said Pereira

User education is crucial, he said, because successful cyber attackers often exploit human weaknesses and emotions through social engineering and spear phishing to penetrate a system.

“Those who don’t know how phishing attacks work will fall prey to them,” he said. “The panacea and antidote for phishing attacks is cyber education, which, when tailored for a person or function, is more effective than technology in stopping such attacks in many cases.”

In deciding when and how to adopt AI to improve cyber security, Pereira said organisations should start with projects that address human and people risks, followed by processes and technology.

“And when you get to the technology part, AI shouldn’t come first, but rather look at it as a way to enhance security processes, such as making it faster to review logs,” he said.

Besides delivering cost and time savings, cloud services are also inherently more secure than traditional enterprise IT systems, said Pereira.

Read more about cyber security in ASEAN

“Trying to build things in-house is sometimes counterproductive, because the investments you can afford are not going to give you the same level of security offered by cloud providers,” he said.

“The antidote is to embrace cloud technology, provided you have taken due diligence on your provider’s cyber hygiene and security controls.”

In evaluating technologies such as cloud computing, cyber security professionals should not put up walls that could hamper adoption, said Pereira.

“If you do that, you will lose the respect of senior management and they will bypass you in new digital transformation projects,” he said, calling for cyber security experts to position themselves as internal consultants to the CISO (chief information security officer) and adopt a business-driven risk management approach to cyber security.

“Educate senior management that there are risks to be addressed when adopting new technologies – and do something to mitigate those risks based on your security maturity level and business profile.”

Read more on IT risk management