In the contemporary technological landscape, the allure of advanced artificial intelligence (AI) systems often captivates the collective imagination of the tech industry and beyond. Stories of deepfakes, such as the recent incident where a CEO appeared to say compromising things during a virtual call—engineered through sophisticated AI—fuel anxieties and fascinations. However, while such scenarios grab headlines and provoke fears about the future of digital security, they distract from a far more mundane and immediate threat: the lack of basic cyber hygiene.
Based on the latest Verizon 2024 Data Breach Investigations Report (DBIR), the percentage of breaches directly attributable to AI was 0%. That’s right. Zero. The percentage of breaches directly attributable to exploitation of vulnerabilities was 15%, having grown by 180% over the previous twelve months. The other two big contributors: credential theft and phishing. Looking beyond just data breaches, the Ponemon Institute found that 57% of cyberattack victims stated that applying a patch would have prevented the attack, and 34% said they knew about the vulnerability before the attack. These statistics reveal a critical disconnect in organizational priorities and resource allocation. Companies are so enthralled by the specter of high-tech AI threats that they overlook the foundational practice that protects against most cyber threats: patch management. While the DBIR doesn’t have data on the percentage of C-Levels keenly interested in credential loss or patching compliance, I doubt it matches the risk.
Patching isn’t glamorous. It doesn’t involve cutting-edge technology or revolutionary algorithms. Instead, it requires diligent, ongoing allocation of resources and a disciplined commitment to routine. In other words, it’s a grind. But despite its lack of allure, patching is one of the most effective defenses against cyberattacks. Regular updates close security holes and fix bugs that could be exploited by attackers, including those leveraging AI. Patching is the equivalent of changing the oil and rotating the tires on your car. While discussing the latest car hack from Black Hat might make for good dinner conversation, the two conversations must not be mutually exclusive. “Honey, I’ve upgraded our garage with metal mesh fencing to prevent OTA updates.” “That’s great, dear. Did you change the oil? It’s been 30,000 miles.” “That’s not going to stop the OTA updates!”
The emphasis on the dangers of AI steals time and focus from the real risks threatening organizations. Take, for example, the recent deepfake incident involving a CEO in an AI-generated virtual meeting, complete with fake speech and virtual attendees. Although such an event is sensational and its implications for misinformation and security are profound, it is a very rare, hard-to-scale attack compared to the daily occurrences of data breaches and hacks facilitated by unpatched systems. Diverting attention from foundational cybersecurity to the threat du jour misses a core tenet of risk management. Risk is likelihood multiplied by impact. Currently, the likelihood of a direct AI incident is nearly zero, while the likelihood of a breach due to unpatched vulnerabilities is significantly higher.
To focus on real, rather than imagined, risk, senior leaders should assign themselves to a committee dedicated to the fundamentals of cybersecurity. This committee would prioritize developing and enforcing policies that ensure regular updates and patches are applied promptly. It would ensure sufficient resource allocation. It would support planned business disruption such as maintenance windows. It would champion asset lifecycle investments. It would ask questions like, “How are we securing our SaaS applications?”, “Are we evaluating our third parties?”, and “Are our products secure?” This committee would also oversee the training of staff to recognize the signs of an attack and understand the importance of updates, creating a culture of security that permeates every level of the organization.
By focusing on practical and immediate improvements in cyber hygiene, companies can significantly reduce their vulnerability to most cyber threats, business disruption, investor concerns, and regulatory peril. This shift in focus does not mean ignoring the potential risks posed by AI and other emerging technologies, but it does mean addressing the risks that can have a material impact in the here and now. Consider all the recent discussion about the SEC rules about reporting incidents or the lawsuits against CISOs for misreporting risks. Those potential pitfalls are rooted in real risks, present in the everyday operation of organizations.
The tale of the deepfake CEO serves as a stark reminder of the dual threats facing modern organizations: the tangible and the theoretical. While it is necessary to prepare for the future and innovate to stay ahead of potential threats, this should not come at the expense of addressing present and pervasive risks. Patch management may not be headline-grabbing, but it is a fundamental aspect of maintaining security in a digital world. Organizations must stop chasing the AI squirrel and focus on the essential tasks at hand. By doing so, they can better protect their organization, ensure stakeholder value, and create a more resilient digital environment.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at LinkedIn and at our company website http://www.inversion6.com.