What keeps cybersecurity professionals up at night? It’s not AI… yet


Emerging technology like artificial intelligence (AI) and quantum computing raise legitimate cybersecurity concerns, but experts say that the real issue is still phishing and ransomware.

As “unsexy” as it sounds, phishing is at the top of the list of the most pressing cyber threats out there, according to Graham Cluley, an award-winning cybersecurity speaker and podcaster.

“It's an elementary thing, but it's taking advantage of our human weakness. We can roll out patches onto a network. We can't roll out a patch for people's brains, so we're still making the same mistakes we always make,” Cluley said.

ADVERTISEMENT

As a co-host of Smashing Security, a popular cybersecurity podcast, he was one of the speakers at Shieldcon, an annual app security conference in Oslo organized by Promon, a Norwegian cybersecurity firm.

Speaking at the city’s opera house to a room full of cybersecurity professionals, Cluley argued for treating all data as if it were the “crown jewels” of every organization, which means multiple layers of security and a proactive approach to boosting cyber defenses.

"Sure, we can worry about that, but we've got to get the basics right first," Cluley said after his talk when asked about emerging cybersecurity threats like AI and, further down the line, quantum computing.

Recent fines slapped on major companies, including T-Mobile and Marriott, show that fundamental security is often overlooked and may be ignored even after a cyberattack. With AI seen as democratizing cybercrime by making it accessible to more people and quantum computers threatening traditional encryption, this could be a dangerous mix.

jurgita vilius Ernestas Naprys adi
Don’t miss our latest stories on Google News

"I don’t think we’re well prepared at all,” Cluley said.

A sentiment shared by Charlie McMurdie, former head of the Police National Cyber Crime Unit in the UK and senior crime advisor to PwC.

“It's bad enough at the moment with current ransomware attacks that are happening,” she said. “They started off relatively simple, straightforward, just locking everything down. Now, they're harvesting the data. They're going after the backups.”

ADVERTISEMENT

While the industry “really stepped up” in terms of improving cybersecurity measures, the general awareness of threats is still lacking. “It's still the general population, us users, that are the biggest threat sometimes, other than the organized crime groups,” McMurdie said.

cluley_1030
Graham Cluley. Image by Promon

Costly mistakes

According to the annual Internet Crime Report released earlier this year by the Federal Bureau of Investigation (FBI), phishing was the most frequently reported cybercrime in 2023. At more than 298,000, phishing scheme reports accounted for about 34% of all complaints.

Phishing is also one of the top initial infection vectors for ransomware, with some of the most high-profile cyberattacks last year, including those that targeted Las Vegas casino giants MGM and Caesars, a result of sophisticated social engineering campaigns.

According to a recent report from Microsoft, which said it handles 600 million cyberattacks daily, ransomware attacks increased almost three times year over year. However, there was also a threefold decrease in ransom attacks that reached the encryption stage.

Exploiting human nature – commonly referred to as the “weakest link” in every organization’s security network – and the willingness of some targeted companies to strike a deal with threat actors could explain the continuous growth of the global cybercrime economy.

Projected to be worth about $10.5 trillion in 2025, cybercrime remains the world’s third-largest economy, after the US and China, according to Cybersecurity Ventures. Easy access to a black market galore of ransomware-as-a-service and malware also drives this growth.

So does state-sponsored hacking, which exploded in recent years and can cause great damage to the national infrastructure and security of the countries it targets.

“We’re constantly having defenses probed by Russians, North Koreans, China, and they’re finding ways into critical infrastructure so they could do real damage with those cyberattacks,” said Andrew Whaley, senior technical director at Promon.

ADVERTISEMENT

“That’s only going to increase as the world gets more polarized into authoritarian and democratic regimes,” he said.

oslo_opera_1030
Oslo opera house. Image by Naina Helén Jåma/Bloomberg/Getty Images

Cybercrime’s new tools

While AI is not just a buzzword anymore and is being deployed across industries, including cybersecurity, it is still largely seen as an emerging threat – something that bad actors have yet to fully exploit.

“I think we will undoubtedly see AI being used more and more by cyber criminals. They're already doing it, but I think they're just feeling their way at the moment as to exactly what's possible. It's probably going to get worse,” Cluley said. “So it's going to always be a bit of an arms race, which, frankly, is the whole story of cybersecurity anyway.”

For McMurdie, it’s also about the speed at which the technology develops and how it “can be used to cause so much harm in such a fast time when we’re not prepared for it.”

With the rise of nation-state threat actors, cybersecurity experts must now contend with a broader range of attack motivations, while AI introduces even more uncertainty by making it easier for anyone to launch sophisticated attacks.

“We've got the zero-one models now, which have reasoning built in. You can apply those models to automate some of the attacks. Traditionally, things like reverse engineering and tampering required a very skilled person, but you can now offload a lot of that to AI, and it becomes accessible to anybody,” Whaley said.

jurgita vilius Paulina Okunyte Paulius Grinkevicius
Don't miss our latest stories on Google News

Similar concerns surround quantum computing, another technology that promises tremendous benefits but also poses significant risks to global digital security if used maliciously. Modern encryption algorithms are vulnerable, and there is an “urgent” need to quantum-proof security systems, the World Economic Forum warned earlier this year.

ADVERTISEMENT

Some tools used to quantum-proof security systems are already available. In August, the National Institute of Standards and Technology (NIST) released a finalized set of post-quantum encryption standards and cybersecurity agencies in Germany and France have published their own post-quantum cryptography guidelines.

Companies like Google and nation states, including Singapore, are moving to build quantum-safe networks, but there’s little doubt that the technology will still disrupt existing security frameworks.

When this will happen is a matter of debate and depends on research advancements, but there will be signs once it reaches that point – and potentially when it reaches the hands of cybercriminals.

“The first signs that we will see will be things like Bitcoin starting to disappear because once it becomes possible to crack the elliptic curve algorithms which make Bitcoin secure, then basically money is just going to disappear, and people are going to be scratching their heads thinking – what's going on?” Whaley said.

The author attended Shieldcon 2024 at the invitation of Promon, which covered airfare and accommodation expenses.