Cyber security and the two faces of AI

Most people automatically think of “passwords” when we say the words “cyber security”, but that is not the main cause of security breaches. Quite often hackers gain access to sensitive data by scouring social media for clues or looking for back-door entry points.

When I see a message on Facebook that reads something like “Happy 60th birthday Dad, enjoy your trip-of-a-lifetime in the Bahamas. Don’t worry about the dogs, they will be fine in kennels, but the grass will likely need a good mow when you get back”, I inwardly cringe – an open house for burglars!

Most breaches are the result of careless or naive human behaviour, such as clicking on suspect links in emails from unknown sources, going onto spurious websites, leaving valuable information open for all to see (think Northern Ireland Police), or posting seemingly innocuous information on social media (like your date of birth, name of your pet etc).

Hackers are showing a growing interest in seeking out ‘back-door’ entries, with a particular focus on pinpointing vulnerabilities within a supply chain (See MOVEit hack: Media watchdog Ofcom latest victim of mass hack). In the corporate landscape, certain entities find themselves exposed due to their reliance on antiquated hardware and software and legacy systems. For example, many organisations still rely on Microsoft’s Windows 7, originally released in 2009 but hasn’t been supported since 2020.

But AI has another weapon in its armoury: Machine Learning (ML). The better security models have ML built into their system, which allows the model to start predicting threats, rather than reacting to them. This helps to continuously grow the model and offer increasingly better protection. They also ‘listen’ to chatter on the dark web, where hackers often ply their trade before attacking.

Larger companies tend to follow the security-by-design principle (hardware firewalls, user rights management, network topology, group policies, insurance, resilience and redundancy, penetration testing), but such measures are not always available for private individuals or smaller companies.

We can all protect ourselves a lot better by following some simple rules:

1. Use multiple methods of security and don’t rely on just one password: Use Multi-Factor Authentication (MFA) where possible, such as facial recognition, and SMS to your phone, fingerprints on laptops/phones etc. Most online services are now starting to offer MFA.
2. Only keep information online where it is necessary (printed matter is getting safer and safer).
3. Use a combination of 3 random words as your password and don’t use the same password for more than one service.
4. Cyber security insurance: if you run a business, try to get Cyber Essentials Certification, which can include insurance.
5. Have a proper, written Disaster Recovery Plan (and regularly TEST it).
6. Keep OFF-LINE backups and test them.
7. Secure your hardware by using unique PIN codes and passwords. Check if your router employs a firewall.
8. NEVER use a public WIFI – use a virtual private network (VPN) installed on your mobile and laptop.
9. NEVER answer a mobile call from an unknown number – if you must, always wait for the caller to start the conversation: hackers are now using AI (‘deep-fake’) to analyse your voice (vishing) and incorporate this into a bogus call to your family or friends to extract your cash.
10. Regularly check the security of your email address by entering it into haveibeenpwned.com. Your email address is the primary entry door for hackers.

What if things really do go wrong?

If you get hit by a cyber-attack, how do you cope with it? Do you have cyber insurance (and how much of it is covered)? How long can your business survive without data? Are you likely to lose customers and/ or supplier data and could they sue you? Do your suppliers have cyber insurance? If you have Cyber Essentials3 (which includes £25,000 indemnity insurance) and you are hit by an attack, the insurance company (and ICO) will look favourably on your predicament, and you are more likely to be covered for third-party losses.

You must NEVER pay up on a ransomware attack!

The ever-increasing dominance of information technology in our daily lives is forcing us to become more vigilant but with the help of AI and some common sense, we can carry on protecting ourselves from cyber-attacks. AI is like a double (Janus) face, with one side as our ally (the ML Mobius loop of continuous improvement in the security models) and the other as an enemy’s weapon.

In the words of Nick Ross (Crimewatch) “Don’t have nightmares. Do sleep well and goodnight!”

Further information

(1) Big data primarily refers to data sets that are too large or complex to be dealt with by traditional data-processing application software.
(2) Escher’s drawing of a Mobius loop (also known as Mobius strip II) represents a path without an end.
(3) Cyber Essentials is a government-backed security scheme for organisations of any type and size (from one-man bands through charities to multi-national corporations), but not for non-business individuals (who are better off with something like Norton 360, which can protect all their devices included mobile phones). Hanaxion now offers a Cyber Essentials Certification Programme to customers, including guidance on the application process (over email, zoom and phone), the standard £25,000 cyber insurance (and specialised insurance packages as add-ons) and 24×7 support in case of getting hacked.

Useful links

Cyber Essentials: Cyber essentials scheme overview 
Hanaxion.com: Why Hanaxion?
Email security check: Is your email at risk 
Identity fraud carried out by phone: Phishing, Smishing and Vishing: What’s the difference between them? 
Voice phishing: Vishing makes phishing campaigns three times more successful

If you have any further questions, please don’t hesitate to contact us. If you’re a client you can reach us on 0161 486 2250 or by getting in touch with your usual Equilibrium contact. For all new enquiries please call 0161 383 3335.