Over three-quarters of 200 chief information security officers (CISOs) across Europe surveyed by cybersecurity company MetaCompliance say that senior executives in companies fail to understand the full scale of the insider threat.
Sixty-eight per cent of CISOs identify employees as their organisation's chief security risk, at a time when AI is amplifying the scale of cyber-attacks directed at staff. MetaCompliance's research shows that among CISOs who feel less confident in their organisation's cyber resilience than they did 12 months ago, nearly half cite increasingly sophisticated AI-enabled social engineering attacks as the primary reason.
AI-powered socially-engineered attacks increasingly target employee judgement rather than technical vulnerabilities. More than four out of ten CISOs are concerned about AI increasing the speed and impact of social engineering attacks.
Attacks are becoming more sophisticated
These kinds of attacks are very different from the scatter-gun phishing emails of a year ago. Today, phishing emails are increasingly individually crafted to target key individuals in the company, in order to gain access to corporate systems and critical data, enabling serious cyber incidents such as ransomware attacks. The new generation of phishing attacks are often more sophisticated than merely sending bogus emails. They can involve something known as a "vishing" attack, whereby the cybercriminal poses on the phone as a trusted colleague or member of an IT support team.
The research also suggests many CISOs are trying to address the rapidly growing threat without consistent senior-level backing. Nearly four out of five CISOs say that senior corporate-level support for security education initiatives fades over time.
"AI has changed the context for human risk. Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale," comments MetaCompliance CEO, James Mackay.
Mackay adds that human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk and that building resilience against AI-enabled threats requires sustained executive backing and a more intelligent, behaviour-led approach to managing human cyber risk.
