Cyberwire Daily
ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks

By Team-CWD | May 15, 2026
Getting the basics right, understanding the threat and putting in place multi-layered defenses are key to protecting organizations from AI-powered cyber threats, the UK’s Information Commissioner’s Office (ICO) has said.

Alarmed by the uptick in AI-driven attacks, the data protection regulator today released a five-step guide, urging organizations to proactively prepare for emerging threats.

“By investing in cyber resilience and ensuring appropriate security measures are in place, you can build public trust and confidence in how your organization protects the personal data you hold,” said Ian Hulme, executive director of regulatory supervision at the ICO.

He pointed readers first to the National Cyber Security Centre’s updated Cyber Assessment Framework (CAF) to better understand how adversaries are using AI in attacks, or attacking corporate AI systems.


The specific threats outlined by the ICO should be familiar to cybersecurity professionals and include:

  • AI-enhanced phishing targeting colleagues, clients or suppliers
  • Deepfake-powered social engineering used on employees
  • Automated vulnerability scanning and exploitation
  • AI-powered malware which adapts in real time to evade detection
  • Credential stuffing and password attacks which target weak passwords
  • Data poisoning of AI models
  • Indirect prompt injection attacks

Getting the Cybersecurity Basics Right

The ICO said it expects organizations to have in place Cyber Essentials’ five controls and the UK’s Cyber Governance Code of Practice as a bare minimum.

But it added that extra layers of defense are “essential” and should include a “solid patching and updating process” to mitigate the machine-speed vulnerability research and exploit development that adversaries can now achieve.

“As part of vulnerability management, an organization should be considering the impact of an exposed vulnerability and prioritizing remediating action based on that assessment,” an ICO spokesperson clarified to Infosecurity.

“This includes reviewing other compensating controls if an update is not available, and the timing will depend on the risk assessment carried out. If a decision is taken to not take action but there is still risk exposure, then the rationale should be fully documented and agreed at senior levels.”

Extra layers of security cited in the blog include: multi-factor authentication (MFA) on all remote access, admin accounts and email; strong password policies; and auditing and enforcing the principle of least privilege.

Organizations should understand the security/privacy implications of using AI tools for access controls, the ICO added.

Security teams must also include supply chain partners in these access policies and wider security vetting.

“The ICO would expect organizations to not rest on the achievement of a point-in-time assessment and instead adopt a dynamic threat-based approach to security,” the ICO spokesperson explained. “This will depend on the criticality of the supplier, the types of services it offers and the type of data they process on behalf of the organization it is supplying services to.”

The basics should also include a regularly tested incident response plan, and comprehensive security monitoring and vulnerability scanning – using AI tools to improve outcomes but ensuring there is human oversight, Hulme argued.

The Basics of Data Protection

Finally, Hulme urged organizations to meet their obligations under the GDPR by implementing “appropriate technical and organizational measures” to protect personal data.

This could include:

  • Data minimization and storage limitation
  • Regular data audits
  • Staff awareness training, including AI-powered social engineering
  • AI governance including safeguards and a data protection impact assessment (DPIA) for any AI tools that process high-risk personal data
  • Compliance with the government’s AI Cyber Security Code of Practice
  • Encryption and pseudonymization to reduce the impact of a breach

When asked how the ICO assesses whether enforcement action is necessary following a breach, it explained that the organization’s “attack surface, sector, and data held” are key factors.

“The [Cyber Essentials] controls will be considered when an organization is investigated but that does not necessarily mean that we would not take regulatory action,” the spokesperson explained. “A key consideration will be whether an organization has put in place appropriate technical controls commensurate to the level of risk that organization faces and whether it can demonstrate how cyber risk has been governed.”


