Cyber Threats And Artificial Intelligence: What Small Business Owners Need To Know

Let me start with a simple and scary story that serves as an effective analogy. As CEO of Nandi Security, I am in the business of cybersecurity. I am not in the business of banking. As a business owner, banking is a critical piece of plumbing that enables our daily operations. On 9th March 2023, I wrapped my day’s work and went to bed in a very good mood since we had some wonderful customer and prospect conversations. I woke up the next morning and I got a text message from my co-founder asking me if I could perform transactions on our business banking account. I confirmed that we could not pay bills or withdraw money. The reason? Our bank had gone belly up! And just like that, I did not know if I had a company any more since we had no way to conduct any financial transactions! As a tech company, a bank is something you set up and just expect that it works every day while you focus every day on your core business. It was not our fault, there was nothing wrong with our business but when a key piece of plumbing broke, it brought the business to a grinding halt – an existential crisis that popped up overnight. Now, imagine a scenario where your computers or key software stop working or there is a reputation smear on your company or your employees are personally getting hacked. Artificial Intelligence (AI) has enabled a whole new dimension to cyber threats that can and will result in the existential crisis scenarios to the undefended and unprepared. No business is too small or too large to not be a target. So, whether you are a law firm, an auto repair shop, a plumbing business, a construction company or a doctor’s office, accountant, etc. you are just as much a target as large corporations and governments.

Emergence of new threats

When ChatGPT came out in late 2022, within days cybersecurity researchers had created a computer virus that defeated most known anti-virus software. Since that time, cyber researchers, nation state threat actors and cyber criminals have elevated the state of the art to create all new malware and all new attack techniques. Let us look at a few examples:

• A security professional showed that he could create a Zero Day attack with undetectable exfiltration by just using ChatGPT prompts. This means that he was able to attack a vulnerability in some software that even the vendor of the software was NOT aware of(and hence is not even working on a patch, yet)!
• What about software and hardware vulnerabilities that vendors are aware of and are still working on a patch? Well, ChatGPT 4 can exploit 87% of those i.e. while you are waiting for the patch or security update to come out, threat actors can use ChatGPT to attack you.
• Customized Large Language Models (LLMs), such as WormGPT and FraudGPT, that are specifically trained to create new malware and scams have now emerged. This means that even low skilled criminals can use these AI models for cyberattacks.
• It is now much easier to create polymorphic or shape shifting malware i.e. malware that alters its own software code to become a new malware that can evade traditional defenses like anti-virus or firewalls.
• Emergence of hyper personalized attacks. These are attacks that use data available about you from social media, data brokers, trackers in your web browsers or devices, etc and then craft very personalized cyberattacks. One example could be a phishing email like this:
  • “Hi Mr. Smith – last night around 7pm you dropped a prescription while you were in the Walmart parking lot. Can you click this link and confirm if this prescription is yours?”
    • Process that for a second. The above email would mean that the attacker knew this victim was at Walmart around 7pm yesterday as well as the fact that they had a prescription. Attackers are able to do this by acquiring people’s personal and behavioral data collected from their apps and devices and then using AI to generate hyper personalized attacks.
    • Imagine all of your employees being targeted by such attacks and these may be through email or ads in apps/websites they use or social media messages, etc. Remember, all the attackers need is for one employee to fall victim and just like that they have a way to get in to your business.
• The emergence of agentic AI. Agentic AI are AI agents that once set up learn on their own and adapt in order to make decisions as well as take actions on their own i.e. they are autonomous and can work without further supervision to complete the tasks they are assigned. As business owners, we are all already salivating at the cost savings of using agentic AI for customer support, chat bots, etc. No brownie points for guessing what tasks cybercriminals are assigning to these AI agents! Criminals or nation states could create and dedicate hundreds or even thousands of such agents to launch various kinds of cyber-attacks against your business or your employees or your suppliers.

These are but just a few examples of the kinds of attacks that are now enabled by the emergence of cheap, easy-to-use AI tools. The scope, scale and types of new attacks are only limited by the imagination of the threat actor. Threat actors can deliver these attacks from a beach in Vietnam or an apartment in Belarus! In other words, every new attack could come straight out of left field.

How do you protect your business?

First of all, let us be clear that there is no such thing as bullet proof protection. Cyber defense is a risk reduction game. It takes three things to be a cybercriminal:

• Motive
• Skill
• Resources

In terms of motive, it is important to understand that there are 5 things of interest to an attacker in your business also called your attack surface:

• Your money
• Your devices
• Your data
• Your employees
• Your reputation

A cyber criminal’s motive may be one or more of the above and you have no control over what they want to target. In terms of skill and resources, what AI has done is that it has significantly lowered the barrier to entry on both fronts. In fact, in the example that I mentioned above where a researcher created a Zero Day malware, the researcher had no prior experience creating malware but was able to create one! AI is now commoditized and cheap as are the computing resources such as cloud servers, attack tools, etc. that may be used in attacks. So, access to these is easy and require very little money. In many cases, all it takes is a laptop! What this means is that since you cannot control the criminal’s motive, your cyber defense strategy needs to be centered around countering their skill and resources. How do you do that? Simple – by raising the cost to attack i.e. make them require more skill and more resources. Remember, criminals are not looking for the hardest way to get in to your business. They are looking for the easiest way. If it is harder or more expensive to attack your business A than attack business B, they will focus on attacking business B.

So, here are some strategies to consider:

• Know your attack surface: Remember, everything is a computer these days – not just laptops and desktops.
  • Walk around your office and make a list of all the devices including that smart TV in your waiting room, or the video conferencing system in your office or internet connected lightbulbs or those security cameras around the building or the credit card processing machine or even your internet router.
  • Identify what apps, websites and online are used on each of these devices. This may include your accounting software, marketing software, customer service portals or even the apps that are used to access devices like security cameras, etc. Make sure you set strong passwords that are fortified with two factor authentication wherever possible.
• Evaluate and upgrade your current defenses: If attacks are now adaptive and shape shifting, defenses need to be adaptive as well. If all you have are basic anti-virus or static firewalls or you just use the firewall built in to your router, you are very vulnerable to these new kinds of attacks. Take a hard look at implementing AI driven security tools as well to protect all of your devices and apps. Depending on the size of your company and your budget, you may want to consider defense-in-depth strategies that deploy layers of defenses.
• Lower your data footprint: People are the easiest targets to attack. New attacks such as Deep Fake videos or AI voice cloning use your data such as your photos and videos to scam your family members or employees. Reduce what you share through apps and websites. This includes not just personal information like name, social security number, phone number, email, etc. but also behavioral information like your hobbies, where you shop, your religious beliefs, your political beliefs, your sexual orientation, your browsing history, etc. AI feeds on data, the less data you give it, the less potent it becomes.

I can tell you from personal experience that it is a sickening feeling to walk in to your office one morning and finding out that everything you built in your company may have just disappeared. In my case, I was lucky since we were able to open a new bank account and get functional again. But with a cyberattack, you may not have that opportunity.

This is a contributed piece published by Vikram Venkatasubramanian, founder and CEO of Nandi Security, Inc, the makers of Kavalan, an Intelligent Digital Safety product that protects homes and small businesses from cyber threats and privacy violations across unlimited devices. Vikram has over 25 years of experience in the technology industry including 15 years in the cybersecurity industry. Vikram has a Masters degree in Mathematics from IIT, Chennai, a Masters degree in Computer Science from the University of Missouri-Columbia and an MBA from Cornell University. When not busy defending homes and small businesses from cyberthreats, Vikram is an avid cricket and soccer fan.

Interested in submitting a contributed piece? Fill out our contact form.