ICO publishes blog on AI-powered cyber threats

On May 14 2026, the ICO published a blog post setting out five practical steps that organisations can take to strengthen their resilience against AI-powered cyber threats (the Article). 

The Article notes that cyber criminals are carrying out faster and more advanced attacks using AI. Those attacks are, in turn, harder to detect. Whilst the advice is not novel, the ICO flags that the growing use of AI in cyber attacks “brings a renewed urgency” to cybersecurity. Some of the threats highlighted include: 

  • AI-generated phishing emails; 
  • deepfake social engineering; 
  • automated vulnerability scanning; 
  • AI-powered malware; 
  • credential stuffing attacks; 
  • data poisoning; and
  • indirect prompt injection attacks.

The Article recommends that organisations should:

  1. Conduct threat horizon scanning: organisations should carry out horizon scanning to understand potential threats. The ICO notes that the UK National Cyber Security Centre has updated its Cyber Assessment Framework to address AI threats. 
  2. Implement foundational controls and layer various defences: at a minimum, organisations processing personal data should ensure the five technical controls outlined in the Cyber Essentials scheme are in place and take the actions set out in the Cyber Governance Code of Practice. The ICO notes that, in the case of AI-driven cyber attacks, additional layers of defence are required on top of those foundational controls. Patching and updating processes must be effective and swift, because AI allows attackers to identify and act on vulnerabilities far more quickly.
  3. Restrict access points: organisations should implement multi-factor authentication on all remote access, admin accounts and email, enforce strong password policies and limit user and system privileges to what is necessary. Organisations should also address supply chains and third-party access rights.
  4. Improve detection, monitoring and incident response: organisations should maintain thorough security monitoring for suspicious activity and regularly identify weaknesses through scanning and testing. The Article notes that, in this context, AI can be a useful cyber defence tool, but human oversight and appropriate accountability are essential to prevent abuse by attackers. Incident response plans should also be up to date, available offline, and the roles and responsibilities they set out clearly communicated to relevant staff.
  5. Protect personal data: organisations should implement appropriate technical and organisational measures to protect personal data as required under the UK GDPR, including data minimisation and storage limitation, regular data audits, staff awareness training, AI governance (including DPIAs where AI tools process high-risk personal data), encryption and pseudonymisation. 

Links to the Article, the Cyber Assessment Framework, the Cyber Essentials scheme and the Cyber Governance Code of Practice are available below:

Sign up to receive alerts from the A&O Shearman on data blog.