With rapid advancements in Artificial Intelligence (AI) pushing boundaries and the regulatory environment in constant flux, achieving cyber resilience is becoming more difficult for enterprises.
A PwC survey that sought to understand the state of global digital trust found only two percent of the participating organizations have implemented “cyber resilience actions across the organization in all areas surveyed.”
As Matt Gorham, leader of PwC’s Cyber & Privacy Innovation Institute, noted, this owes greatly to the growing complexity of cybersecurity fueled by the adoption of modern AI technologies such as generative AI.
“As organizations adopt Gen AI, they face more complex and unpredictable attack vectors. This complexity makes it harder to secure systems effectively,” Gorham said. “GenAI can be used for both cyber defense and offense. While it can enhance threat detection and response, it can also be exploited by threat actors to craft sophisticated phishing attacks and deepfakes at scale, reducing barriers to entry for less sophisticated attackers.”
This duality of GenAI has ignited much speculation over the role of this technology in revolutionizing cybersecurity.
GenAI adding to dipping preparedness
The study found that the four cyber threats enterprises rated as most concerning (cloud-related threats, hack-and-leak operations, third-party breaches, and attacks on connected devices) are also the ones they admitted to being least prepared for.
Almost all of these threats have been spurred by growing reliance on cloud and AI, the study noted. The growth of AI, specifically Gen AI, has had many implications for an organization’s cyber preparedness.
“The use of Gen AI raises significant concerns about data integrity, privacy, and compliance,” Gorham said. “Companies must navigate evolving regulatory obligations, which can complicate the deployment and governance of Gen AI.”
Incorporating Gen AI into existing systems and processes can be difficult too, introducing new vulnerabilities if not managed properly, he added. Thirty-nine percent of surveyed organizations expressed concerns over incorporation.
Sixty-seven percent of surveyed security executives said that Gen AI has increased their attack surface over the last year. At the same time, almost four out of every five (78%) organizations have increased their investment in Gen AI over the last 12 months.
While organizations jump to leverage Gen AI for threat intelligence, malware or phishing detection, and response, lack of trust still looms over 39% of internal stakeholders, leading to inadequate internal controls (38%) and poor risk management (38%).
The C-suite fallout
While organizations face extreme headwinds in terms of tackling an AI-fueled attack surface, there is a noticeable divide within the C-suite over the intensity of the situation.
Around 13% of the organizations pointed out a gap in confidence between their CISOs, CSOs, and CEOs regarding compliance with AI and resilience regulations, painting a rather grim picture of the likelihood of their collective response to it. Less than half (approx. 49%) of CISOs are involved to a large extent in key business activities, which means fewer cybersecurity-driven business decisions.
While executives acknowledge the importance of measuring cyber risk, the study pointed out that only 15% were able to measure the financial impact of cybersecurity risks to a significant extent. Nevertheless, organizations are quickly waking up to this potential catastrophe and bringing in steps to prevent oversight.
Seventy-two percent of them have increased their risk management investment in AI governance. Ninety-six percent said their cybersecurity regulations have spurred them to increase their cyber investment in the last 12 months, even as 78% believe doing so has improved their cybersecurity posture.