Singapore's boardroom debate: Generative AI as a security risk.

Singapore’s boardroom debate: Generative AI as a security risk. (Source – Shutterstock)

Board members in Singapore are worried about generative AI, viewing it as a security risk

  • Rising concerns over generative AI security like ChatGPT as new cyberattack vectors.
  • The fast-changing cybersecurity landscape focuses on human vulnerabilities and state threats.
  • CISOs and board are more aligned in their appreciation of the threat than they have previously been.

As the scope of cybersecurity challenge expands for most organizations, cybercriminals are increasingly focusing their attacks on human vulnerabilities. Concurrently, geopolitical frictions involving Russia, Ukraine, and NATO have heightened the prominence of state-sponsored cyberthreats.

The surge in high-visibility data breaches, escalating incidents of ransomware, and targeted disruptions to supply chains have starkly highlighted the severe ramifications of cyberthreats. Given that the potential fallout extends beyond financial loss, it has become imperative for boards to incorporate a cybersecurity lens into their decision-making to protect the company’s reputation, safeguard customers, and mitigate expensive operational disruptions.

Singaporean boards: A unique paradox in cybersecurity preparedness

In this evolving landscape, it’s unsurprising that many feel more vulnerable and less equipped to handle cyberthreats than in previous years. The prevailing sentiment among board members is that their organizations are inadequately prepared to manage an inevitable cyberattack.

Proofpoint, Inc. has unveiled its second annual Cybersecurity: The 2023 Board Perspective report. This study investigates how boards of directors globally, and particularly in Singapore, perceive the cyberthreat landscape, prioritize cybersecurity issues, and collaborate with chief information security officers (CISOs). Surprisingly, despite a 35% year-over-year increase in perceived risk, with 89% of Singaporean board members feeling more vulnerable to a significant cyberattack, they feel less prepared than the global average of 73%.

Interestingly, board members in Singapore are the least confident about their preparedness for a cyber-incident, even though they rank highest in believing their organizations have invested sufficiently in cybersecurity measures. This paradox may reflect the unpredictable nature of the evolving threat environment, characterized by escalating geopolitical tension, increasing ransomware attacks, and disruptions in the supply chain.

Are board prepared for an inevitable cyberattack in the age of AI?

Why are board members worried about generative AI? (Source – Shutterstock)

AI security: The growing concern over generative AI tools like ChatGPT

The data also indicates growing apprehension about the security risks associated with generative artificial intelligence (AI) tools like ChatGPT. A significant 78% of board members in Singapore see this form of AI as a security liability, a sentiment echoed closely in Japan (at 79%).

An experiment covered by Wired earlier this year highlighted this risk by manipulating Microsoft’s Bing chatbot into soliciting bank account details, heralding a new era of potential AI exploitation.

Since that experiment, several cases of “indirect prompt injection” attacks have been identified. Considered highly concerning by security experts, these attacks are emerging as a key vulnerability as generative AI gains commercial traction. The goal is to raise awareness in the cybersecurity community of these potential threats, to better protect both individual and corporate data.

Prompt injections can be either direct or indirect, with the latter being particularly troubling for cybersecurity professionals. In a large language model (LLM) setup, direct injections trick the system into generating harmful or hateful responses. Indirect injections are more covert, originating from third-party sources like websites or PDF documents that the LLM may be scanning. The prospect of indirect injection inserting hidden malicious instructions that the AI system could unwittingly follow is growing ever more worrisome.

Various demonstrations by security experts have showcased the potential for indirect prompt injections to extract sensitive data, manipulate personal documents like résumés, or even execute code remotely, further elevating the level of concern around these types of attacks.

The path to a more secure future

The Proofpoint study analyzes responses from a third-party survey involving 659 board members across various sectors, focusing on organizations that employ more than 5,000 people. Conducted in June 2023, the survey reached more than 50 board directors in 12 different countries.

The findings indicate that the most pressing cybersecurity threats anticipated for the coming year are malware (40%), cloud account compromise (36%), and insider threats (36%). This represents a shift from the previous year, where the leading concerns were business email compromise (41%), cloud account compromise (37%), and ransomware attacks (32%).

Biggest Cybersecurity threats anticipated for the upcoming year - generative AI security

Biggest cybersecurity threats anticipated for the upcoming year. (Source – Proofpoint)

Surprisingly, just 26% of surveyed boards view supply chain attacks as a top-tier threat, even though these attacks are expected to cost businesses nearly US$46 billion by year’s end and exceed US$80 billion by 2026.

Yvette Lejins, the Resident CISO for Asia Pacific and Japan at Proofpoint, noted that while it’s a positive development that boards acknowledge the evolving cybersecurity landscape and take preemptive actions, complacency should be avoided. Lejins emphasized the need for organizations to disrupt potential attack chains by safeguarding their workforce and securing sensitive information.

The report further aligns its findings with sentiments expressed in Proofpoint’s Voice of the CISO report, published in May of the current year. This comparison aims to assess how board perspectives align with those of CISOs.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, acknowledgd that while the increased concord between boards and CISOs on cybersecurity risks and preparedness was promising, this harmony has yet to manifest in substantially improved cybersecurity postures. Kalember asserted that the enduring challenge lies in converting heightened awareness into effective cybersecurity measures that prioritize both people and data.

To achieve this, Kalember said boards must continue investing significantly in elevating organizational resilience, which involves fostering more profound, meaningful dialogues with CISOs for well-informed, strategic decision-making.