Generative AI considered a security risk by 60% of board members, survey finds

US tech firm Proofpoint report also says that 73% of those polled feel at risk of cyber attack

The World Artificial Intelligence Conference in Shanghai in July. Globally, AI investments are projected to hit $200 billion by 2025. AFP
Powered by automated translation

Generative artificial intelligence is one of the most promising technologies riding the AI wave, but businesses are also concerned about the potential risks it carries, a survey has found.

Nearly 59 per cent of board directors globally consider generative AI tools – such as Microsoft-backed ChatGPT and Google’s Bard – a potential cyber security risk to their organisation, according to US technology firm Proofpoint.

Board members have those concerns even though more than 70 per cent of them view cyber security as a priority, 72 per cent believe their board clearly understands the cyber risks they face and 70 per cent consider they have adequately invested in the security framework, Proofpoint said in its second annual report, Cybersecurity: the 2023 Board Perspective.

Investors have put more than $4.2 billion into generative AI start-ups in 2021 and 2022 through 215 deals after interest surged in 2019, recent data from CB Insights showed.

Globally, AI investments are projected to hit $200 billion by 2025 and could possibly have a bigger impact on gross domestic product, Goldman Sachs Economic Research said in a report last month.

“Our findings show that it remains a challenge to translate increased awareness into effective cyber security strategies that protect people and data,” Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said.

“Growing even stronger board-CISO [chief information security officers] relationships will be instrumental in the months ahead so directors and security leaders can have more meaningful conversations and ensure they are investing in the right priorities,” Mr Kalember said.

Proofpoint’s report examined third-party survey responses from 659 board members at organisations with 5,000 or more employees across different industries.

It covered 12 countries: the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico.

Nearly three-quarters (73 per cent) of those surveyed feel their organisation is at risk of a material cyber attack, an increase from 65 per cent in 2022. Nearly 53 per cent of respondents said they were unprepared to cope with a targeted attack, up from 47 per cent last year.

“This year-over-year change may reflect the ongoing volatility of the threat landscape, including lingering geopolitical tensions and rises in disruptive ransomware and supply chain attacks,” Proofpoint said.

Nearly 84 per cent of respondents believe their cyber security budget will increase over the next 12 months.

However, these efforts are not leading to better preparedness as still 53 per cent view their organisation as unprepared to cope with a cyber attack in the next one year.

Among the biggest threats, board members ranked malware as their top concern (40 per cent), followed by insider threat (36 per cent) and cloud account compromise (36 per cent).

Nearly 37 per cent of board directors said their organisation’s cyber security would benefit from a bigger budget, while 35 per cent would like to see more cyber resources and better threat intelligence.

Personal liability is also a concern for boards. Almost 72 per cent of board directors expressed concern about personal liability in the wake of a cyber security incident at their own organisation.

Some of the top concerns of boards in the event of a cyber incident at their organisation include disruption of operations (36 per cent), internal data becoming public (36 per cent) and reputational damage (34 per cent).

“Board members are taking cyber security matters seriously, demonstrating they have no illusions about human risk and the impact cyber threats pose to an organisation’s bottom line,” said Mr Kalember.

“Boards must continue to invest heavily in improving preparedness and organisational resilience. This means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”

Updated: September 07, 2023, 4:30 AM