Artificial Intelligence (AI) has become an indispensable part of our daily lives. While virtual personal assistants and personalised recommendations are no longer novel solutions, the more recent introduction of generative AI platforms such as ChatGPT has truly opened the eyes of many to the technology’s potential, driving a surge in adoption, writes Sam Peters, Chief Product Officer at ISMS.online.
In August 2023, Deloitte revealed that 61% of computer users were already leveraging generative AI programmes in their daily tasks. Then, in May 2024, Microsoft similarly reported that AI usage had nearly doubled in the previous six months, with 75 per cent of global knowledge workers using such solutions. Such statistics speak volumes. Indeed, this widespread use will only serve to ensure that AI solutions become more quickly and deeply integrated into critical business processes spanning predictive analytics, process automation, and personalised customer experiences. And the potential for enterprises is significant.
According to the McKinsey Global Institute, generative AI has the potential to add between $2.6 trillion and $4.4 trillion to global corporate profits annually. Meanwhile, an additional study shows that AI can improve employee productivity by as much as 66 per cent. To harness these potential benefits, companies must strive to stay ahead of the curve. Conversely, those that neglect to adopt AI risk lagging behind.
The dark side of AI
It’s not all good news and opportunities, however. Despite the exponential opportunities that AI offers, organisations equally face increasing risks that must not be ignored.
From a security standpoint, it’s vital to keep a finger on the pulse of AI developments. Indeed, we’re already seeing cybercriminals leveraging AI to automate and scale their attacks, create more sophisticated malware, enhance advanced persistent threats (APTs) and exploit deepfake technologies for social engineering. Our State of the Information Security report found that deepfakes are now the second most common information security incident encountered by businesses in the past year, trailing only behind malware infections.
Further, the situation is not helped by the fact that companies’ AI programs are becoming increasingly vulnerable to various attacks, which can lead to incorrect, biased outcomes or even the generation of offensive content. We’ve already seen instances of threat actors using model inversion techniques to alter sensitive training data, risking breaches and privacy violations. Similarly, data poisoning has been observed, with malicious or biased data used to corrupt training sets, compromising AI model predictions and behaviours.
Implementing biases within AI models can pose a variety of problems, potentially amplifying adverse outcomes in decision-making processes like hiring and lending. Further, instances have also been observed in which threat actors are using Trojan attacks to embed malicious behaviours in AI models, triggering harmful actions under specific conditions. In addition, we’re also seeing evasion attacks being used to manipulate input data in an effort to evade AI-based security systems, as well as model stealing in which AI models are reverse-engineered to create competing versions or exploit weaknesses.
The role of standards
Such a novel series of attack methods being directed towards AI programs themselves highlights the need for robust, modernised security measures designed specifically to protect AI systems from being compromised and misused. The impending introduction of the EU Artificial Intelligence Act, published on 12 July, aims to take this one step further. It prohibits certain uses for AI and sets out regulations on “high-risk” AI systems, certain AI systems that pose transparency risks, and general-purpose AI (GPAI) models. Similarly, during the King’s recent speech he stated that the Government will “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models.”
Organisations should, therefore, look to ISO 42001 and ISO 27001 for guidance, particularly when it comes to complying with this new EU law and any upcoming regulations and legislation that the UK is likely to put in place.
Specifically, ISO 42001 provides guidelines for managing AI systems, focusing on risk management, roles, security controls, and ethical practices. In this sense, it can help organisations identify AI-specific risks, develop mitigation strategies, and enhance AI security continuously. ISO 27001, meanwhile, provides a comprehensive framework for managing information security risks through regular assessments, controls, incident response plans, and compliance measures. Similarly, it can be used to safeguard sensitive data and AI models from unauthorised access, ensuring confidentiality and integrity using encryption, and fostering a security-conscious culture.
By embracing and combining the benefits of these two key standards, companies will be well placed to create a robust security framework for AI systems. Not only will they be able to integrate AI-specific risk management with broader information security practices, but they can also use these guidelines to establish governance structures, develop continuous improvement strategies, and ensure compliance with key and new regulations and ethical standards.
Education and compliance
It’s not just a case of security professionals adhering to these standards, however. Equally, cybersecurity best practices should be embedded into the very culture and fabric of the business to ensure maximum effectiveness. To achieve this, firms must prioritise training and education throughout the employee base, equipping all staff members with the knowledge and skills to identify and respond to risks, bolstering the organisation’s overall cybersecurity resilience.
Not only should training encompass more traditional aspects such as identifying phishing emails and proper data handling practices, but it should also evolve in tandem with AI to address emerging risks and challenges. Here, ethical considerations such as bias detection and mitigation, as well as training on the threat of deepfakes, stand as relevant examples that the modern firm should be working to include.
The key point is that continuous learning is essential. By regularly updating training programmes to reflect the latest threat landscape and technological advancements, organisations will be well placed to enhance their cybersecurity posture and better protect their AI assets on an ongoing basis. This forward-looking approach must be a primary focus. Indeed, establishing stronger security frameworks aligned with industry standards and best practices is vital for preparing against current and future threats.
Neglecting to do so can lead to operational inefficiencies, higher costs, challenges in decision-making, and AI systems vulnerable to adversarial attacks. Moreover, with increasing regulations around AI ethics and data protection, non-compliance can result in legal penalties, fines, and a loss of customer trust. Therefore, compliance must take priority to safeguard both the organisation’s operations and its reputation.





