Why Businesses Need to Up Their AI Security Now
The Australian
Details
- Date Published
- 30 Apr 2024
- Priority Score
- 2
- Australian
- Yes
- Created
- 30 Apr 2026, 06:00 pm
Authors (2)
Description
It’s crucial businesses step up their cyber security while implementing better AI practice.
Summary
This article examines the escalation of cybersecurity threats driven by generative AI, specifically focusing on the increased scale and sophistication of social engineering and phishing attacks. It highlights the dual role of AI as both a threat vector and a defensive tool, emphasizing the need for 360-degree security frameworks and rigorous stress-testing through simulated exercises. The content underscores the importance of human-in-the-loop governance to prevent the execution of malicious instructions at scale, which is essential for mitigating operational and systemic risks in the Australian corporate landscape.
Body
Why businesses need to up their AI security now
In partnership with
It’s crucial businesses step up their cyber security while implementing better AI practice.
Kate Calacouras

Generative AI isn’t just changing the way we work. It’s changing the cybersecurity threats we all face.

For example, a few years ago it was relatively easy to spot a phishing attack in your email.

Today, AI is supercharging social engineering – with phishing attacks much more convincing (and a lot more scalable).

To counteract the threat, business and IT leaders are having to completely change the way they operate, including continually stress-testing their systems to spot and fix any security flaws.

Fortinet chief information security officer Australia Cornelius Mare said business leaders are just starting to realise the scale of the threats that are already here, and what they need to do to counteract them.

He said there are things in common that companies with strong security systems share.

“We’ve seen organisations creating their own internal AI academies,” he said, explaining that this helps internal teams become literate not only on the possibilities that AI creates, but also the security threats it brings.

He added stronger policies around “shadow AI” (AI systems that are freely available, but may not have been approved by the IT team) are also critical.

“Sometimes those tools are brought in with good intent,” Mr Mare said, “but they’re not approved by the organisation (and) they can increase the (cybersecurity) risks.”

HOW AI CAN SUPPORT CYBERSECURITY

But AI isn’t just amping up the threats. It’s also giving us new opportunities to identify them and nullify them if we use the tools wisely.

“Instead of looking for the needle in the haystack, you can actually collect a bunch of needles to help you make better-informed decisions,” Mr Mare said.

He said businesses really have to think of security in an AI-powered environment using a 360-degree lens, and use AI for security but also develop security systems for AI.

One step that many organisations are taking is simulating different security threats to see where any vulnerabilities may be.

These test environments (often using real-life examples of security breaches in other companies) will reveal everything from who is responsible for each problem to how they will respond to each new level of threats that arise.

“It comes back to who’s accountable? What actions should they take? Do I have visibility if that threat happens to us?” Mr Mare said.

He said these simulated “tabletop exercises” are best worked through with an expert, such as Fortinet, so all blind spots are highlighted and can be worked through.

“We’re seeing more and more customers asking for these, and we’re working with both the technical teams and the executive teams.”

PROTECTING AGAINST AI THREATS

The reality is, however, that AI has advanced social engineering to a point where it is scalable and much harder for average people to detect.

“Our reality is being blurred,” Mr Mare said. “We once could detect a phishing email very simply from the way it was written, but now it’s really important for users to ask themselves if it’s real. If something feels urgent, pick up the phone and check.”

He said AI can also be used to help identify phishing emails that could be suspicious.

“AI can actually help us to identify when something is not normal. For example, I don’t always get an email from my CEO saying, ‘Hey, can you buy gift cards?’”

Because of this advanced social engineering, Mr Mare said it’s critical businesses invest further in key cybersecurity methods.

“Regular patching is critical,” he said. “It’s not sexy, and it’s not a new tool, but it still makes a big difference because that’s fixing the vulnerabilities that are there.”

Phishing-resistant multifactor authentication is another cybersecurity tool that can prevent potential data breaches.

“The third one is doing regular tabletop exercises (i.e. simulating scenarios),” Mr Mare said. “Bringing all those things together makes a really big difference.”

WHERE TO INVEST

With AI advancing at a rapid pace, one critical piece of the cybersecurity puzzle is to continuously invest in it and ensure it has strong guardrails and governance.

“We need to look at the horizon at what’s coming,” Mr Mare said. “It’s not just bringing in AI for the sake of AI because a business doesn’t want to be left out. It’s how do we use AI to speed things up and see to the jobs that were difficult before. For example, can we use AI to identify specific risks?”

He warned it was also important to invest in each person within a business at the same time.

“We need to focus on humans, so we can bring in AI with intent. That’s going to be important,” Mr Mare said.

He said as AI becomes more integrated within organisational processes, it was more critical than ever that humans are involved to avert the risk that AI will execute bad instructions at scale.

“As AI becomes a co-worker, that is where the true value comes in. So bring it into the priorities, but also bring it in with an organisational perspective. How do we want to use it? What are the ethics around it? How we use AI within our business is going to be important.”

Fortinet is a driving force in the evolution of cyber security and the convergence of networking and security. Our mission is to secure people, devices, and data everywhere, and today we deliver cyber security everywhere you need it with the largest integrated portfolio of more than 50 enterprise-grade products. Learn more at fortinet.com, the Fortinet Blog, and FortiGuard Labs.