
A penny today or a pound tomorrow? – the economics of digital risk in the age of AI


The Digital by Default Era and Its Challenges

Both the public and private sectors now operate in a digital by default era, with even the smallest and most traditional operations depending in some way on electronic processing as part of their core functioning (even if it is just the calendar and contacts apps on the smartphone of a self-employed builder). Unfortunately, whilst some organisations are very forward thinking in this regard, the reality is that the vast majority are not, and most fail even to ensure that their digital resilience is on a level equivalent to their real-world resilience.

The Gap in Cyber Insurance and Risk Awareness

While very few businesses operate without insurance against fire, estimates for the take-up of cyber insurance in the UK, US and EU regions vary between 12% and 18%. Some businesses are incredibly sophisticated in their approach to non-digital risks and might specifically tailor their fire policies so that they are covered for simultaneous fires at two of four regional logistics centres, for example. Because the likelihood of all four being on fire simultaneously is so minimal, it is not considered worth the increased premium. But that same organisation is, given the statistics, unlikely to have any cyber insurance, even though a cyber incident is much more likely to take all four centres offline at once.

Physical Security vs Digital Vulnerability

Similarly, many smaller organisations are incredibly fastidious about physical security, ensuring their premises are secured with proper locks and bars on the windows, alongside adopting measures such as clear desk policies and access privileges for handling finances. But, for a variety of reasons including a lack of technical awareness and ability, many such bodies fail to provide the same level of digital protection to that very same information. As a result, there are legions of examples where confidential or private information ends up being inadvertently accessible on the web.

Post-Breach Focus vs Prevention

This foundation has resulted in a climate where the primary focus in terms of digital risk is often post-breach rather than pre-breach. Even for the 12-18% of businesses that buy cyber insurance, this is in effect pre-event spending focused on mitigating post-breach costs. Investing in activities that seek to reduce the blast radius of potential future incidents, or perhaps even prevent the incidents arising at all, is in practice a much rarer thing. Sadly, it is also often the case that those few who are proactively investing in digital resilience are only convinced to ‘shut the gate’ after their first horse has bolted and they have been hit by an event.

The High Cost of Reaction Over Preparation

Objectively, prevention is always better than cure, and it will almost certainly be cheaper and easier. However, in the heat of the moment, when operations are paralysed by a ransomware attack or similar, there is almost no price that an organisation would consider not worth paying to deal with the issue. In contrast, convincing the same organisation to invest in training, audits and services to improve resilience, when there is no direct connection to a quantifiable return on the investment (be that profit in the private sector or service delivery in the public sector), is often a Herculean task.

Case Study: MGM Resorts International Cyber-Attack

At the end of 2023, MGM Resorts International (a global gaming and entertainment business) was hit by a cyber-attack across its digital and real-world estate that shut down ATMs and slot machines, closed the website, took the booking system offline and required physical replacement of digital hotel room locks amongst other things. This event has been estimated as costing in excess of $100 million including a reported $45 million settlement for claims by individuals.

Disproportionate Damage from Minimal Effort

Unfortunately, the scale of the impact of any particular attack need not correlate, even vaguely, with the cost, difficulty or effort required to execute it. Extinction level events, where the costs of containing and remediating the effect of the attack exceed the capacity of the business to pay for and/or resource that activity, can be executed with minimal cost and facilities.

The Human Factor in Data Breaches

A study by Verizon last year assessed that 74% of all global data breach incidents were attributable to human error in one form or another, rather than, for example, to the superior technical abilities of threat actors. In 2020 Virgin suffered a breach involving the personal data of 900,000 customers which arose because of a misconfigured database. Similarly, reports suggest that the MGM incident originated from social engineering, where an employee was convinced by a threat actor (impersonating someone else) to provide information that allowed the attack to then take place.

Building Digital Resilience Through Marginal Gains

With such incidents, there is a good prospect that spending thousands in services that build digital resilience (like training, staff awareness raising, process reviews and red team testing) pre-emptively can mean that incidents are avoided or are at least minimised in their effect. As is the case in professional sports, the concept of marginal gains is critical in the world of cyber because they accumulate into significant advantages which compound over time.

The Growing Threat of AI in Cybersecurity

This is of ever greater importance as AI comes of age, both in relation to how organisations will themselves use it and how others may use it against such organisations. AI is already established as a transformational technical milestone with revolutionary potential. Only those living under a rock somewhere will not have heard of generative AI models such as ChatGPT, but this is just one facet of the technology.

Agentic AI and the Future of Cyber Attacks

Of increasing importance is the emergence of Agentic AI, which is designed to autonomously perform multi-step tasks with little or minimal human supervision. Threat actors are already weaponising Agentic AI, using it in hacking tools that they can deploy or sell to provide ever more sophisticated attacks that adapt to defences in real time.

Internal AI Risks: Training Data and Liability

AI also poses a threat to organisations when it is being used internally for their own legitimate purposes. The nature of that threat can take many forms, but by far the most prevalent is liability arising from issues with the data an AI model has been trained on.

  • This could be because a failure to take sufficient time and resource to properly curate and quality assure the training data leads to inherently biased outcomes, such as in the SafeRent tenant screening tool case, where an automated system allegedly led to over 400 unjustified refusals of tenancy to ethnic minority applicants.
  • Alternatively, a failure to properly scrutinise and tailor the training data can result in output that leaves the operating organisation liable in some way. This is the alleged scenario in relation to the AI startup Cohere, which has been sued by various media outlets for breach of copyright because its model displays whole copies of intellectual property owned and controlled by others without permission.

From Complacency to Preparedness

Arthur C Clarke stated, “Any sufficiently advanced form of technology is indistinguishable from magic”. For many businesses and public sector bodies that sentence is likely to have real resonance as they try to meet the challenges of the digital by default era. But it is important to remember, whether the issue of concern is AI or some other aspect of the digital landscape, these things are not actually magic - they are just tools that might look like magic. Tools can and must be managed, and the first step in doing that is preparing properly for their use. In the context of cyber, a mindset shift is needed from the complacent “we are fine - we haven’t had an incident” to “we are fine because we are prepared, as it is a matter of when, not if, an incident will happen”.

How CyXcel Can Help

To find out more about how our award-winning and National Cyber Security Centre accredited CyXcel business could help you get prepared, please see our website and contact details here.

CyXcel is unique in the market as it seeks to fuse legal, technical, cybersecurity and geopolitical consulting expertise in one provider through a single contract. Whether you’re responding to data privacy laws in multiple jurisdictions, preparing for digital transformation, battling ransomware, or navigating international compliance issues and sanctions, we deliver seamless, scalable strategies that make sense in the real world. We offer a peerless holistic service for managing digital risk and helping businesses thrive by transforming those risks into opportunities for growth and success.
