By Bree Fowler, Contributor
Artificial intelligence has already dramatically changed the game for cybersecurity and will continue to revolutionize how both attackers attack and defenders defend for years to come.
That was the message of many KnowBe4 experts and others in attendance at the ninth annual KB4-CON recently held in Orlando, Florida. But what’s that going to look like and what do cybersecurity professionals really need to worry about as the technology advances?
AI has become a key part of how cybersecurity companies protect their customers. Products like AIDA — KnowBe4’s suite of AI agents that continuously automates administration and content personalization — free up human security teams to focus on higher-level decision making instead of mundane tasks.
But attackers are also using AI as a productivity tool. And while splashy deepfakes spread over social media may grab the headlines, some KnowBe4 experts say it’s the quieter, less exciting uses of AI that actually pose the biggest threats.
Erich Kron, CISO advisor at KnowBe4, said cybercriminals have been calling people up, claiming to be their bank, boss, the IRS or someone else in authority for decades, attempting to trick them into handing over money or information.
“So the fact that it's now AI generated and it's a super deepfake doesn't make that much difference,” Kron said in an interview at KB4-CON. “What matters is it's something that people with less skill can do and it's something they can do a lot more efficiently.”
Instead of manually combing social media and other websites for personal details about each target that can be used to make scams more convincing, cybercriminals can use AI to automate the process and scale up their operations to target more people and organizations.
They’re also using AI tools to analyze code at a higher-than-human level, identifying previously undiscovered bugs that could be exploited and used to breach company systems.
Kron added that the fact that deepfake technology has advanced significantly in recent years also isn’t a game changer, because people are pre-programmed to believe even the bad ones. An employee who gets a video call from their CEO is already in the mindset that it’s actually them, he said.
They’re willing to ignore red flags like glitchy video and voices that don’t sound quite right, attributing them to everyday annoyances like spotty Wi-Fi and background noise.
“And that's something that's important for us to understand and realize,” Kron said. “I see a whole lot of effort going into deepfake detection within organizations and while there’s a need for that in some cases, we can't put all of our eggs in that basket.”
AI Can Get Phished Too
Meanwhile, the ever-expanding use of AI agents at the enterprise level poses new security risks that professionals need to deal with. Companies need to know how their employees are using AI agents and what data those agents are connected to, then put policies in place that adequately secure them.
Just like human employees, AI agents can make mistakes and inadvertently hand money or company data over to malicious actors. But unlike humans, the agents have the potential to make those mistakes at a much larger scale.
Matt Duren, KnowBe4’s VP of AI and data, pointed to the rise in prompt-injection attacks, where cybercriminals attempt to trick an AI agent into doing something it normally wouldn’t be allowed to by using clever phrasing or hidden instructions.
While a human employee could make the same mistake, they’re going to do it at human speed, limiting the potential fallout. The same can’t be said for an AI.
“That's the hardest thing I think people are dealing with right now,” Duren said. “How do they protect these systems that don't have fingers and toes, brains, laptops and phones from doing the same things that flesh and bone will do?”
Fighting Back
The first step is making sure people know the threat exists, Kron said. For example, employees should be aware that there are deepfakes out there that might sound just like their boss. If someone emails or calls them and asks them to send money to an outside account, they need to know to make a quick call to verify that person's identity before they do.
While problems like business email compromise and deepfake scams might be complex, the best ways to stop them don't necessarily require vast amounts of technology, Kron said.
Security awareness training like KnowBe4’s also can help, but only if it ultimately gets people to make better decisions, he said.
“We need to be focused on changing people's behavior,” Kron said. “We need to think about it from that standpoint, not just assume that if we give them information, they’re clearly not going to do the wrong thing.”
