AI and cybersecurity: Think like a thief to catch a thief

1. Know AI’s capabilities and strengths so they can’t be used against you

Audio and video deepfakes can be used for fraud, phishing, and reputational damage. Executives should do two things to avoid being victimized:

• Learn about what’s possible with the latest digital technologies and AI.
• Have a secret codeword in place as an analog check in case of any doubts.

The basic lesson here is that, before launching their attacks, bad actors can gather a lot of information on your company and employees to find and exploit vulnerabilities. Prepare for this by putting some kind of multimodal authentication in place. The aim is twofold: to verify information that could be used to do harm, and keep that verification secret.

2. Know AI’s shortcomings and weaknesses so they can’t be used against you

Knowledge is power again here. There are all sorts of biases in AI (such as facial recognition technologies that recognize white faces with a higher degree of accuracy than black faces, and GenAI systems that read CVs differently depending on whether they are associated with male or female names.) Fix such biases by:

• Paying close attention to the training-data curation process.
• Putting carefully crafted governance mechanisms in place to mitigate the risks.

The lesson here is that even the most sophisticated GenAI tool is not foolproof. Companies must keep human beings in the loop to detect AI biases and blind spots, and have human oversight in their responsible AI governance processes.

3. Know that AI itself can be attacked

We are now seeing data-poisoning attacks where AI models are tricked into behaving badly. (This is a type of cyberattack in which an adversary intentionally compromises a training dataset used by an AI or machine-learning model to influence or manipulate it.) Hackers are also using “jailbreaking mechanisms” to evade the guardrails put in place to limit GenAI’s potential for harm. Two measures are useful to understand how AI systems can be attacked:

• Attend hackathons to equip yourself with the latest cyber-security measures.
• Invite digital experts to try to break your systems to find their vulnerabilities before actual cyber criminals do.