days until DORA is in effect on January 17, 2025. Download your cheat sheet here.
Cyber Hygiene and Compliance in the Age of AI
Cyber hygiene is not a new concept in the slightest, but the advent of AI demands we take a new approach to the cyber hygiene habits and behaviors that employees should follow in order to keep an organization's data and IT systems safe. Let’s discuss the ways that cyber hygiene has changed in the age of AI, and how alternative investment firms can ensure they have the right cyber hygiene measures in place to safeguard both security and compliance.
AI Raises the Bar for Cyber Hygiene
“Cyber hygiene” entered the IT lexicon in 2000, when internet pioneer Vinton Cerf first coined the term in Congressional testimony. Since then, the goal has pretty much remained the same – recognize that employees and other users of computer systems are often the first line of defense against cyberattacks or other security breakdowns, and then ensure their habits and behaviors are optimized to guard against these threats.
Yet while the cyber hygiene mission remains constant, today’s modern era of AI-driven capabilities and processes is forcing organizations to rethink how to carry out that mission. The first step is to understand how AI has significantly amplified the kind of threats that good cyber hygiene practices – such as employee training to help spot social attacks – are designed to guard against.
For instance, social engineering attacks are now more sophisticated and tailored thanks to access to generative AI powered by Large Language Models (LLMs) making it easier than ever to produce a compelling phishing email and AI web scraping tools that discern an employee’s job duties, whom they report to and other details. These AI-powered tools increase the chances employees will be fooled by a phishing attack or related business email compromise scheme. In addition, AI has lowered the barrier to entry for malicious actors – with no-code tools and ransomware-as-a-service offerings that make cyberattacks more widespread and unpredictable. In both of these examples, the employee remains the first line of defense against an AI-augmented threat that increases the chances of a breach, data loss and reputational harm.
Evolving the Cyber Hygiene Playbook
It’s important to avoid any confusion that, even if an underprotected firm is lucky enough to avoid an actual attack, compliance is still compromised if essential cyber hygiene practices like MFA and encryption are not in place. Without them, an organization can’t get cybersecurity insurance. And especially in the heavily regulated financial sector, the absence of these basic cyber hygiene measures will lead to a failed audit – and potentially even the loss of status as a regulated entity.
There’s also a misconception that, since AI has given malicious actors the power of algorithms and automation to spread their attacks, the response must be equally reliant on advanced technology to guard against these attacks. While this is partially true, the human factor remains a critical line of defense. The best cyber hygiene playbook is therefore built from a combination of traditional and advanced protections.
For all the novelty and power of today’s AI threats, many of the tried-and-true cyber hygiene basics like MFA, encryption and employee training to spot suspicious emails remain effective. Beyond those basics, financial sector firms should also fight fire with fire by employing AI in their defense. This includes using AI-driven behavioral analysis to help SOC teams flag suspicious patterns, such as late night logins or impossible travel. AI can also analyze “known” threats and extrapolate patterns to identify variations of those threats that are active but not yet “known” to the threat hunting community.
The good news is that, with the advent of advanced public cloud ecosystems like Microsoft 365, many of these defenses are available as affordable subscription services. And with the right MSP partner to optimally configure and manage these capabilities, financial sector firms can achieve better security and compliance in the age of AI. Learn more about how ECI is helping clients ensure strong cyber hygiene in the face of today’s threats.