How generative AI raises cyber risks for SMBs – and what they can do about it

How generative AI raises cyber risks for SMBs – and what they can do about it | Insurance Business Canada

Fraud and other cyber attacks are becoming more sophisticated

The rise of generative artificial intelligence has brought new challenges, particularly in how cyberattacks are conducted and what it means for small and medium-sized businesses (SMBs) with cyber coverage.

Gen AI tools popularized by ChatGPT have enhanced the effectiveness of social engineering tactics such as phishing, making them harder to detect. At the same time, AI allows threat actors to adapt quickly to cybersecurity measures by automating their strategies.

At the same time, the IBC report revealed a troubling decline in cybersecurity investments by SMBs. In 2023, 69% of respondents indicated they were actively working to minimize cyber risks, but that figure dropped to 61% in 2024.

“When people hear about AI, they often have grandiose images of robots taking over or supercomputers causing chaos,” said Jonathan Weekes, HUB International Canada’s cyber practice leader. “But in cyber attacks, AI is primarily a tool for threat actors to research their targets more effectively.”

How gen AI is augmenting cyber attacks

Where cybercriminals previously spent months surveilling a business’s operations, AI enables them to gather information and launch attacks in significantly shorter timeframes.

“It helps them quickly identify vulnerabilities within systems and encrypt data faster, so they can take steps to impact the client in the most drastic ways,” Weekes said. “The emails have fewer grammatical and spelling errors, making it more difficult for the victims to distinguish them from legitimate communications.”

Weekes predicted that deep-fakes would soon be the next major phase of fraud and social engineering attacks.

“We’re seeing not just video deep-fakes, but also voice imitation, where someone can convincingly impersonate a leader to trick employees into surrendering credentials or transferring funds,” he said.

Due to the increasing sophistication of these threats, continuous employee training and engagement are critical for businesses, especially for SMBs that may have limited resources for cybersecurity. Companies can invest in a few basic tools, such as features in email clients like Outlook that flag messages originating outside the organization, to boost their cyber resilience.

“Helping employees understand what to look for, and keeping them sharp through ongoing, increasingly challenging training, can go a long way in reducing the likelihood of a successful social engineering attack,” Weekes said.

Adopting AI tools also comes with cyber risk

At the same time, while AI was the buzzword of 2023, many organizations are now reassessing how quickly they roll out AI-driven tools as they realize these, too, come with cyber risks.

“What we’ve seen since mid-2024 is a pullback, where organizations are taking a more responsible approach to adopting AI,” Weekes told Insurance Business. “They want to make sure they address security issues before fully deploying these technologies.”

A more cautious attitude could slow down the implementation of AI-enhanced software, but it also reflects a growing awareness that cybersecurity must be prioritized.

While Weekes didn’t foresee immediate changes to cyber insurance policies, he encouraged businesses to ask their brokers about any potential updates or adjustments related to AI. His overarching advice was to focus on proactive risk management.

“Keep rinsing and repeating the same strategies you’ve always used but adjust them based on the evolving technology,” he said. “Make your training more challenging each year, so employees adapt to the increasing sophistication of phishing attacks.”
