If your organization doesn’t already make security a pillar of its culture, this could be the year to start. That’s because the cybersecurity landscape is changing, due to factors including GenAI, new cybersecurity reporting rules for U.S. public companies, and the growing recognition that security is critical for all platforms and processes. As a result of these trends, the need for data protection, fraud prevention, and other forms of digital security are increasing across business processes and tools.
Companies that cultivate a strong culture of cybersecurity can have advantages in terms of adapting to evolving compliance and performance needs. When security thinking is part of the organization’s daily life, it’s often easier to adopt new best practices, adhere to new requirements, and identify potential risks and threats. Understanding the current trends and the role culture plays can help you identify your organization’s strengths and areas for improvement.
GenAI is changing security needs
Online crime was already equivalent to the world’s third-largest economy during the pandemic. Now, generative AI and automation give organized criminals the means to create more realistic-looking attacks, develop new types of attacks, and automate attacks at scale, even without coding and writing skills. For example, the Association of Certified Fraud Examiners site shows how easy it is to use ChatGPT to create a realistic-looking security warning email that fraudsters could use to impersonate a business and steal account login credentials.
GenAI-powered bots can also help scammers to identify high-value targets and engage with them conversationally to build trust before defrauding them. These kinds of attacks–especially when they’re used to impersonate brands and ecommerce sites–have the potential to erode rising consumer confidence in ecommerce.
From 2022 to 2023, according to ClearSale’s consumer attitudes survey data, the portion of U.S. and Canadian consumers who said that they had been deterred from making an online purchase because they didn’t know if the online store was legitimate dropped from 52% to 24%. That’s a testament to the work that businesses, payment processors, and fraud prevention teams have put into making ecommerce a safer experience.
If AI-generated impostor sites and emails succeed in defrauding a higher percentage of online shoppers, more people will hesitate before doing business with companies online. That will result in less online revenue and higher customer acquisition costs, along with a decrease in ROI on existing ecommerce investments.
Keep your culture open to GenAI’s defensive possibilities
Organizations that want to detect and deflect GenAI-powered security threats need to leverage AI for defense. Because of AI’s powerful pattern-recognition capabilities, it’s the most efficient way to identify the subtle indicators of GenAI-created messages, other media, and sites. For example, one AI-based model for detecting insurance fraud finds three times as many fake claims as legacy fraud-screening tools.
Rather than dismissing GenAI because of its current flaws, cultivate support for properly supervised innovation with these emerging tools. That way, your organization is less likely to fall behind as GenAI threats and defenses advance.
Public companies face new security accountability
2024 is the first full year that publicly traded companies in the U.S. must disclose cybersecurity incidents within four business days of determining that an incident is material. The new rule took effect in December 2023 and requires that these incident disclosures “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.”
Companies are not required to share technical information about incidents or their responses to them. The rule allows for exceptions when reporting would jeopardize national security or public safety. The new rule also requires public companies to annually disclose their “cybersecurity risk management, strategy, and governance” practices in terms that a prospective investor could understand.
Make clear, timely cybersecurity communication part of your culture
In many organizations, cybersecurity operates behind the scenes or keeps a tight lid on disclosures to avoid oversharing information that could be misused in the wrong hands. Caution and discernment are always important when discussing security, but these new requirements can serve as a prompt for organizations to review their incident disclosure protocols and their communication guidelines for talking about incidents and security practices. Even if your organization isn’t required by law to comply with the new SEC rules, this approach can put your company in a better position to respond effectively when an incident occurs.
Cybersecurity is increasingly everywhere
With so many of our work processes, communications, infrastructure operations, and personal lives taking place online, criminals have a nearly limitless list of potential ways to attack organizations. With scammers targeting everything from government databases and telecommunications networks to social media and retail customer rewards programs, it gets clearer every year that everything digital needs built-in security.
Normalize thinking about security across the organization
Many companies that are thriving in today’s economy are those that improve security for existing products or processes. That’s an indicator that organizations can benefit from reviewing their technology stacks, networks, and other infrastructure to see where they have strong security and where it needs improvement. It’s also a sign that everyone in the organization should be part of conversations about security at some level, including how to report concerns and what to do if there’s an incident.
Embedding security in your company culture
When your company’s employees and leaders are encouraged to think creatively about using technology like Gen AI for security, you’re more likely to develop new strategies to combat new threats, without waiting until there’s a crisis to react. When your company has policies in place for timely incident reporting and easy-to-understand security practice disclosures, you’re better prepared for incidents and for inquiries from your board, potential investors, and other key stakeholders.
Finally, when you foster a security mindset across your organization, you empower each employee to look out for the company, which can reduce the likelihood of a successful social engineering attack. As new threats and regulations continue to emerge, a security-minded culture will be an asset in adapting, responding, and protecting your business.
About the Author
Rafael Lourenco is the Executive Vice President and Partner at ClearSale, a global card-not-present fraud protection operation that helps retailers increase sales and eliminate chargebacks before they happen. The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives. Rafael can be reached at LinkedIn, Facebook, Instagram Twitter @ClearSaleUS, and at our company website https://www.clear.sale.
