Cyber security an organisational responsibility given the threats posed by AI

Dumisani Ndiweni, partner, Wendy Tembedza, partner and Dario Milo, partner, Webber Wentzel.

---

While tools such as ChatGPT have caught the public imagination, artificial intelligence (AI) and machine learning (ML), a branch of AI, are now important tools in industries ranging from travel and insurance to media and finance.

However, as AI's capabilities improve, so does the danger it poses to cyber security, increasing incidents and attacks. According to the South African Banking Risk Information Centre, cyber breaches and attacks in South Africa increased by 22% in 2023. More specifically, occurrences of phishing, ransomware and unlawful access to information have all increased markedly, with the number of victims making ransomware payments increasing by 20% in 2023. The exponential developments in AI technology have had a notable impact on these statistics.

Furthermore, the National Cyber Security Centre in the United Kingdom published a sobering assessment earlier this year. Generative AI and large language models (a subset of ML) will make it difficult for any person, regardless of their cyber security understanding level, to assess whether an e-mail, password reset, identity request or social media engineering request is genuine or not. AI and ML tools are and have been trained to understand how a person reads and responds to an e-mail, impersonating to such a degree that responders cannot tell the difference between the person and the tool designed to mimic them.

As an employer, cyber security risk primarily lives with negligent and intentional employees who either make judgment errors or intentionally subvert an organisation's cyber security policies and procedures.

In cases where an employee is suspected of aiding or abetting a cyber security breach, they can be suspended ahead of the associated investigation. The suspension ought to be precautionary in nature and not punitive. There is no longer a legal requirement for an employer to afford an employee an opportunity to provide reasons as to why the employee should not be suspended; the employer may proceed with the suspension without obtaining reasons from the employee.

Following suspension, and if an investigation yields a finding that prima facie evidence exists of fraud, a disciplinary inquiry can be initiated with dismissal as a possible outcome. Given current international trends, South Africa will likely soon see class action lawsuits due to data breaches, making data policy and cyber security matters of existential importance to any organisation that handles large volumes of consumer data.

Organisations can take several steps to prevent data breaches or reduce their exposure to cyber security risks.

As a first step, organisations should do their utmost to understand where key vulnerabilities exist. Typically, these are:

• Employees using weak passwords on their personal and work devices. Furthermore, employees who make password information publicly available to a passerby, such as an external service provider, by sticking a note on a monitor screen for ease of memory.
• Employees sharing their passwords with each other due to interdependencies or availability challenges.
• Improper handling of password-protected work devices, such as allowing family members or external associates to use them for non-work purposes.
• Phishing, which arises as much from employee error as it does from an organisation failing to update its security protocols and cyber security software.
• Employees regularly neglecting to update their devices. Updates are a vital defence of any IT infrastructure since they have the latest best practices built into them.

Beyond the above preventative measures, organisations need to prioritise regular employee cyber security training and cyber security itself. Cyber security training should be mandatory and held regularly. Materials associated with cyber security best practices should be made easily accessible to employees.

Proactive cyber security management must involve and be championed by an organisation's upper management. Organisational leaders have outsized influence over employees' ability to absorb training and best practices when directed. In addition, cyber security training has to be mandatory during the recruitment and employee onboarding process.

In our experience, some employers have gone as far as providing cyber security training to potential hires before contract finalisation and then making the new employee do it a second time as part of their induction. Others run drills and simulations of cyber security threats so that their teams understand what decisions should be made in situations where speed is vital.

Given the speed of AI development, employers are advised to codify data breaches or negligence relating to a data breach as misconduct within their disciplinary codes. Policies that govern IT use within an organisation should also be constantly updated to match as best as possible developments within the cyber security landscape.