Canadian businesses say AI is a double-edged sword for cyber risk

Is AI the answer to preventing attacks, or could it be another vulnerability?

Steve Randall

With Canada’s financial services industry increasingly at risk of cyberattacks, could artificial intelligence be the answer?

A new report from KPMG found that Canadian organizations from multiple industries are weighing the benefits of generative AI to help protect themselves against cyber criminals, but that it can be a double-edged sword that increases risk.

Of concern, just 56% of Canadian CEOs of large businesses said that their companies are prepared for a cyberattack today, and 93% believe that AI will make them more vulnerable. For small and medium-sized businesses, 88% said their company is well-prepared to defend against a cyberattack, up from 73% last year.

"Generative AI can help organizations bolster their security posture and gain efficiencies while doing so. However, the reality is cybercriminals will increase the use of generative AI in their attack strategies as well, and they can be much faster at adopting the technology than large organizations are," warned Hartaj Nijjar, partner and national leader of KPMG in Canada's cybersecurity practice. "What that means is we're likely to see more generative AI-enabled attacks particularly through social engineering, where deepfakes can be deployed to fool employees into compromising company data, and bypassing traditional access methods."

Because it can be challenging to know whether AI will increase risk in an individual organization, the advice is to have strong cybersecurity fundamentals, including rigorous staff training.

Small firms held to ransom

Ransomware attacks, where firms are locked out of their own data unless they pay a ransom, are on the rise.

KPMG’s research shows that six in ten companies said they paid a ransom to cybercriminals in the last three years, and 59% said they don't have a plan to address a potential ransomware attack (up from 32% last year).

"Paying a ransom to cybercriminals is a costly expense that companies generally don't plan for – especially smaller and medium-sized enterprises with fewer resources and limited budgets. But unfortunately, many SMBs are choosing to pay cybercriminals because ransomware attacks can paralyze or even shut down their operations, and many simply can't afford that," says Robert Moerman, a partner in KPMG's cybersecurity practice who leads managed security services.

Although having strong defences in place will likely cost an organization less than paying a ransom, small businesses face challenges with vulnerabilities in their legacy systems or infrastructure, with having the staff to implement defences, and with financial resources.

Despite these challenges, 80% of SMBs said they are considering using AI to bolster their cybersecurity defences and feel they have a good understanding of the risks associated with it and how to manage it.

"Successful implementation and enablement of AI capabilities – including generative AI – is a journey that starts with optimizing existing cybersecurity controls, understanding gaps, readiness, and investing in emerging capabilities in line with the evolving cybersecurity landscape and organizational boundaries," said Nisal Samarakkody, a partner in KPMG's cybersecurity practice who specializes in the use of artificial intelligence to tackle cybercrime. "Without that, organizations may not be able to leverage generative AI to its full potential, and they risk falling behind their peers and being vulnerable to complex threats."