Cybersecurity is more than just a technological issue today. It has fast become a strategic challenge driven by geopolitical dynamics, the ubiquitous use of AI and a complex digital environment. Against this backdrop, two critical elements stand out for businesses: speed and trust.
For leaders, it is not a matter of if there will be a security incident but when, so the key is to address this risk as quickly as possible. Threats are evolving at a breakneck pace, and the time in which these threats are able to move laterally within a system – known as breakout time – has been dramatically cut over recent years. In fact, CrowdStrike’s latest report shows e-crime breakout time has plummeted from 582 minutes in 2019 to just 29 minutes today.
That means less than 30 minutes to stop, remedy and get ahead of an attack as it unfolds. Could this feasibly be done in your business?
There is simply no time to waste. Any approach that relies on periodic assessments and escalation processes is outdated. The only way forward is to have strong proactive safeguards and to monitor and respond continuously.
Underlying these pressures is the reality that trust has become a vital, yet vulnerable, currency for any business. Companies have to consider who and what they should trust throughout their environments. This needs to cover employees, as well as third-party partners, vendors, software platforms and AI applications. The modern supply chain poses an enormous threat because any vulnerability in your partners or suppliers can serve as the perfect entry point for intruders to penetrate your environment and gain a foothold over your networks and systems.
The double-edged AI sword
AI technologies have sped up the processes on both sides of the equation. On one hand, these tools enable attacks previously thought impossible due to their complexity. For instance, phishing attacks are significantly more difficult to detect nowadays, as AI can craft grammatically flawless phishing e-mails, with context, personality and cunning social engineering. Malicious code is added in a number of ways, and within many types of content, such as attachments, PDF files and links.
For defenders, the application of AI is equally revolutionary, as long as it is done right. Contemporary security processes depend more than ever on AI-based solutions that are able to filter out noise, prioritise threats and respond to them automatically. For many businesses, these tools already do a lot of the heavy lifting where security incidents are concerned, allowing analysts to focus on tasks that require human expertise.
Nevertheless, AI presents its own set of challenges. Many companies are experimenting with these technologies on their own, without proper oversight from their security departments. This approach inevitably leads to vulnerabilities and significantly widens the attack surface. For instance, we’ve seen clients’ sensitive documents surface in public LLMs like ChatGPT when staff dump entire files for summaries or PowerPoints. This conduct risks loss of data control, or leakage and exposure of personally identifiable information that should remain private.
As vital as these tools are becoming in our daily lives and work, it’s easy to see how AI implementation without regulation can quickly become a liability.
Risk in the shadows
Another critical issue companies are currently facing is the phenomenon of “shadow AI” or the use of unsanctioned AI technologies in violation of company policies. This phenomenon poses risks much like those posed by shadow IT.
While employees may have noble intentions and use AI to increase productivity, we’re increasingly seeing that unregulated, unmonitored processes may unintentionally lead to confidential information or IP being leaked. In many cases, entire documents, proprietary materials and proprietary client data have been uploaded to publicly available models, thereby putting the control of these resources beyond the company’s reach.
Adding to the problem is a lack of visibility. We live in a world of “bring your own everything”, whether that be a device, app, tool or connection. Many firms have very little insight into the technologies their staff members are using, what data is being transmitted and where that data goes. It’s not just a matter of AI; rather, it’s part of a larger asset management problem. Unapproved cloud instances, unsupported applications and hidden data repositories all play a role in degrading even the most robust cybersecurity policies and protections.
Without seeing the full picture, businesses cannot protect themselves.
Framework-driven security
In such an environment, organisations need something to guide them. Here, the importance of using cybersecurity frameworks to help develop a robust security approach can never be underestimated. We recommend NIST Cybersecurity Framework 2.0 (with its new Govern function), NIST AI Risk Management Framework, NIST 800-161 for supply chain, and the OWASP Top 10 for LLMs. Similarly, adopting a governance-centric model that incorporates continuous improvement and risk management is advisable, particularly when AI is introduced.
An effective approach rooted in cybersecurity frameworks has to begin with a comprehensive assessment to determine baseline visibility, including its existing data, systems, applications and the individuals who have access to them. Once this visibility is achieved, layering in control measures, from technology to policies and processes, becomes possible.
However, it’s important to remember that no solution is a total panacea. The best cybersecurity depends on an ecosystem designed to fit an organisation’s unique needs and risk posture. It should include threat detection, endpoint security, identity management and supply chain visibility capabilities.
Another critical component when building a resilient cybersecurity posture is having the right human expertise on board. Cybersecurity is a dynamic field, and not many businesses have the resources they need to stay up to date with, and on top of, emerging threats. Here, managed security services can step in, and provide the instant and latest expertise needed, without enormous upfront costs.
‘Zero trust’ and the identity challenge
With modern companies relying on distributed, flexible environments, the old way we approached security is not enough. At one time, the perimeter served as a fortress, with sentinels at the gate, letting good traffic in, while keeping bad traffic out.
However, as the world moved to distributed and hybrid work models, perimeter security has blurred and expanded, leading to a zero-trust approach. Practically, this means that one must never trust and always verify. This model must take into account not only people but also machines, applications, interactions, services and AI agents. All of these are to be verified for authenticity and authorisation before they are allowed to operate. The difficulty here is the inevitable trade-off between security and a frictionless experience for users.
The best way to address these challenges is to enable users. Taking a hard line and banning the use of an AI tool in an attempt to eliminate risk will ultimately prove to be counterproductive and futile. A determined, curious employee will always find a workaround – and these are the curiosities around AI that should actually be encouraged. A more effective approach is to supply employees with a set of secure, sanctioned tools and educate them on how to use them safely and responsibly.
Culture, speed and the way forward
Ultimately, it’s important to remember that cybersecurity cannot be understood independently from culture. Strong leadership is key to making sure the right attitude and approach are taken, including investing in the necessary technologies and establishing an organisational culture of shared responsibility.
Success in the future will depend on businesses adopting a proactive and coordinated approach, in which promptly addressing threats is a critical component. It will also depend on creating an atmosphere of trust built on clear governance and transparency. Success will also mean treating AI not as an add-on but as an integral part of any cybersecurity strategy.
As threats become more sophisticated, more varied and more persistent, success is no longer simply a matter of defence.
- The authors are Adam Whittington and Wayne Jones, respectively solutions executive and chief technology officer for Security Services at iqx, a division of technology and management consultancy iqbusiness. Contact Whittington and Jones to find out more about their proprietary security solutions, TotalSecure and TotalSecureAI.
About iqbusiness
iqbusiness is a digital integrator that transforms businesses, public sector entities and other organisations as your go-to for consulting and technology. With more than 27 years of experience, and led by some of the continent’s best thinkers and doers, our purpose is simple: to grow people, business and Africa as one.
Our scale and unique capabilities unlock exponential value and global growth for our clients – from intent to impact. We deliver end-to-end solutions through five value streams:
- Digital Experience and Strategy;
- Strategic Consulting and Innovation;
- Business Performance and Delivery;
- Intelligent Applications and Platforms; and
- Technology Managed Services
iqbusiness, including technology division iqx, is a proud level-1 B-BBEE contributor driven by a determination to deliver outcomes of excellence and meaning through our tenacious GESHIDO® energy. We are consistently recognised as a top employer and leading consulting firm. (*GESHIDO® = we get $#!% done.)
Established in South Africa in 1998, iqbusiness integrated into Reunert ICT in 2023 and merged with +OneX in 2024. For more information, visit www.iqbusiness.net.