As Ryan puts it: “The questions GenAI really brings up are: What mechanisms do we have to trust that someone is who they say they are? And what does that mean for the decisions that we make based on that information? We have to be extra careful in thinking about what information we trust, what can be faked and what can't, knowing that it's not only technically possible for fakes to happen in an academic sense, but also possible for fairly average criminals to create them, with conventional off-the-shelf technologies.”

“The main fear that exists at the moment is that with the advent of large language models (LLMs), it will be easier to quickly come up with unique attacks that may be more likely to succeed, because models can integrate information about how specific recipients or companies respond to information or how they communicate,” says Doherty. “For example, if you took all of Thoughtworks’ internal data or internal emails and fed them into an LLM, you could generate very convincing emails in the style of Thoughtworks and send them to employees.”

This means some of the standard advice to employees on how to spot scam or phishing attempts will need to be updated. “We need to revisit assumptions about things like what a phishing email looks like,” Ryan points out. “If we’re telling people they’re usually full of typos, well – ChatGPT doesn’t really make typos.”

Thinking further out, companies will also have to consider the security implications of integrating AI into features like chatbots. Not only can these veer dangerously ‘off script’ – Canadian flag carrier Air Canada was recently held liable for a chatbot giving a customer erroneous advice – but as Ryan notes, to build or run chatbots many companies will upload massive amounts of data and documentation to third-party services, increasing vendor and supply chain security risks.

Yet while being conscious of the risks, it’s also important for organizations to remember AI can play a positive role. “AI is excellent when it comes to determining patterns and bridging the gaps between human and machine communications, so it can make incidents easier to query or analyze,” says Ryan.

“AI can be a great cybersecurity ally,” agrees Yang. “Its ability to analyze vast amounts of data and recognize patterns makes it the ideal tool for calling out suspicious activity, and enhancing the speed and accuracy of threat detection.”

Doherty counsels business leaders to keep both AI’s security risks and potential in perspective. “It’s still early days,” he says. “Many security tools will talk up the benefits of their approach but are based on basic logic. Snake oil is very prevalent in the security industry, and you find a lot of vendors just attaching the latest buzzwords to their products.”