The Indispensable Imperative: Institutions Must Do More To Mitigate Cybersecurity Risks
On Oct 29th, The New York Times reported that members of former President Donald J. Trump’s family, as well as Biden administration and State Department officials, were among those targeted by China-linked hackers who were able to break into telecommunications company systems. In recent years, cybersecurity has become a quintessential focus for governments, businesses, and non governmental organizations alike. The market cap for cyber security is expected to reach $185.70 billion by 2024 and that number is expected to rise to $271.90 billion in 2029.
Companies such as Google and Microsoft have been increasingly reliant on digital infrastructure to operate efficiently, making them prime targets for cyber-attacks. With many large companies prone to security risk and data breaches, some have chosen to hire the services of third-party cybersecurity software companies such as CrowdStrike and Bitsight. There has been increased demand for cyber security specialists in all industries, especially given the emphasis on both harnessing the potential strengths and combating the threats of AI in cyber security. However, there are not enough qualified people to meet this demand, and this skill gap must be filled to support this growing ecosystem.
Third Party Software and Third Party Cyber Risk
On July 19th, a massive tech outage brought Windows’ computer and business operations to a halt. This unexpected crisis stemmed from a faulty update deployed by cybersecurity company CrowdStrike that affected millions of computers using the Windows operating system, many of which entered what users call the “Blue Screen of Death.” Although ultimately resolved, the crisis caused confusion for businesses and represented an infamous case of third party risk. Third-party cyber risks are potential cybersecurity threats an organization encounters from vendors within its ecosystem or supply chain. While companies, businesses, and organizations may have strong cybersecurity measures in place, third-party vendors may not uphold the same standards. These risks can come in cybersecurity, operational, or reputational variants, and they can often have significant legal, regulatory, and compliance ramifications. These events destabilize networks and halt workflow operations, which cause significant financial windfalls for companies. When a company experiences a cybersecurity breach and customer data is compromised, financial, regulatory, and reputational risks become heightened.
Knowledge and Skill Gap:
According to the Future Jobs 2023 report, the cybersecurity industry is facing a significant talent shortage, with an estimated need for 3.4 million experts globally. This gap leaves many companies vulnerable to cyber threats due to insufficient staffing. With the rise of AI, cyber threats caused by phishing and data breaches, make the issue even more pressing. AI-generated deep-fakes and other deceiving fronts, common components in the phenomenon known as the liar’s dividend, pose especially serious threats. Despite facing these vulnerabilities, companies have traditionally failed to provide sufficient cybersecurity training for staff, thus furthering the skill gap. Many companies suffer from the misconception that cyber security professionals require a technical background in IT or engineering to do the job effectively when in reality many technical skills required for cybersecurity can be acquired on the job with training. Erecting such strict barriers for entry into the cyber security space only exacerbates the skills gap problem by discouraging talented candidates lacking the technical or academic background from applying for roles. As an alternative, companies should craft apprenticeship programs and raise awareness about less traditional pathways into cybersecurity work to minimize the talent gap and create efficient homegrown pipelines to solve high-level risks.
Cybersecurity isn’t just about technology, it also involves building a culture of security awareness. For instance, clear and consistent communication both among employees and between security teams and executives helps build a common understanding of cybersecurity threats, aligns priorities, and ensures everyone is on the same page. Creating an effective security awareness program is a great way to mitigate the risk of cyber threats. Additionally, conducting assessments on security awareness levels throughout the company, can identify flaws and behaviors within the organization and mitigate risks. For instance, conducting a social engineering test regularly could build the security institutions and muscle memory needed to be better prepared for real-time cyberattack scenarios.
Frequent Data Breaches
In 2024 alone, there were numerous data breaches that impacted a wide range of industries and companies. For example, this summer there was a series of cyber attacks on the water utilities in Kansas, Texas and Pennsylvania; with hackers likely using an “old-school” method such as, “phishing, social engineering, or [simply taking advantage of] a system still running on a default password”. Although these attacks haven’t caused major damage to the water supplies, they exposed vulnerabilities in America’s water infrastructure system. Since May 2024, there were over 35.9 billion data breaches globally, with the most breached sectors being IT and Health. Discord(Spy.pet) has set the record for the most data breaches with over 4.1 billion, mainly due to Spy.pet’s practice of harvesting users’ messages and selling their data and personal information. These controversies led Discord to shut down the site.
According to a report by IBM, the global cost per data breach spiked to $4.88 million USD, with the US’s average cost of $9.36 million USD leading the world. The most common type of stolen data is customer personally identifiable information (PII) that includes personal information such as home addresses, phone numbers and emails. Companies use cloud storage for data offered by big market players such as Amazon, Microsoft and Google. As of 2023, more than 60% of corporate data is stored via cloud service. This heavy corporate reliance on cloud services has attracted hackers eager to use ransomware attacks to exploit such systems, posing risk for companies and customers alike.
The Use of AI in Cybersecurity
The recent AI boom has already changed how companies view and operate cybersecurity. On November 1st The Dow Jones Industrial Averaged announced that Nvidia is replacing rival chipmaker Intel. NVIDIA, now with a market cap of over $3.4 trillion has been uniquely positioned to enable organizations to deliver more robust cybersecurity solutions with AI and accelerated computing, enhance threat detection with AI, boost security operational efficiency with generative AI, and protect sensitive data and intellectual property with secure infrastructure. Other firms such as Microsoft, are already implementing AI as a core component in their cybersecurity offerings for consumers and businesses. However, the use of AI in cybersecurity has generated both optimism and skepticism among stakeholders and these decisions come with pros and cons.
Pros
Given it’s wide-ranging applicability, using AI in cyber security gives companies significant flexibility, enabling coverage for network security, data security, malware and phishing detection, and numerous other applications. The use of AI can also minimize response times to threats and reduce workload security times by automating some threat-hunting jobs. Moreover, AI applications will continue to evolve with further technological advances and will be able to adapt to new security content resulting in continuous improvements.
Cons
The risks associated with using AI must also be taken into consideration. AI needs data in order to enhance its security protection for companies. Using AI in cybersecurity raises privacy and ethical concerns, as it requires the gathering information from a wide-range of sources, including sensitive information, which could generate third-party risks. On September 4th, I attended the “Building America’s Cyber Workforce for Strategic Competition” roundtable sponsored by The Study of the Presidency and Congress. ” At the roundtable we were given a new book by authors Paul J. Maurer and Ed Skoudis entitled, “The Code of Honor: Embracing Ethics in Cybersecurity. The authors argue that, “the rapid evolution of the cyber world have caused it to lag behind in the creation of an overarching ethical standard for the people who secure the underlying technologies ”
Incorporating AI in a cybersecurity system is also expensive and requires high levels of human input for adequate deployment. The use of AI, especially generative AI, also requires a significant amount of energy. According to an article published on MIT Technology Review, the energy use associated with image creation from large, powerful generative AI models can have similar carbon dioxide output to driving a gas-powered car.
Dr. Daniel Ragsdale former Deputy Assistant National Cyber Director at The White House states that its critical that we “realize the full promise of emerging technologies while, at the same time, addressing the potential perils those technologies may present.” In this new age where hackers are exponentially more sophisticated coupled with the rise of AI as both a useful security mechanism and a powerful cyber disrupter, it is essential that companies ensure their cybersecurity systems are both durable and flexible. Failure to take cybersecurity seriously could lead to dire economic and reputational consequences and negatively impact the lives of millions of users.
Special thanks to Quisan Adams and Cole Walker for their exceptional editorial, content, and research that was provided. Quisan was a Summer Analyst at CJPA Global Advisors as well as a first-year student at The University of The District of Columbia studying Cyber Security. Cole is an Analyst at CJPA Global Advisors and recently graduated from Tsinghua University in Beijing with a Master’s degree in Global Affairs as a part of Schwarzman Scholars. He received his undergraduate degree from Duke University.