AI promises to exponentially improve innovation and efficiency for businesses of all kinds, but it’s also ushering in a new age of cyberthreats.
Nearly 9 in 10 CISOs say AI-driven attacks represent a major risk for their organizations, according to a study from Trellix.
While the trend represents a security problem, it’s on the minds of CIOs too, as they “play a very important role as we think about AI attacks,” said Allie Mellen, principal analyst at Forrester. “Many of the changes that security recommends, we take to improve and defend the infrastructure we have.”
As risks mount, CIOs from different sectors are preparing to help their businesses secure critical data in the age of AI-driven attacks.
Increased sector risk
Healthcare systems are rich targets for hackers because they hold a treasure trove of patient personal information.
More than 6,000 data breaches of 500 or more records were reported to the Department of Health and Human Services' Office for Civil Rights between 2009 and 2024, according to the HIPAA Journal. The health information of 275 million individuals was exposed or stolen in 2024 alone.
“Cyber is a huge problem for us, and AI pours gasoline on that fire,” said Josh Glandorf, CIO at UC San Diego Health. As a result, the organization is spending more on cybersecurity software and its overall cybersecurity portfolio. That includes spending on vendors leveraging AI technology to detect and shut down intrusion attempts including CrowdStrike Falcon. “It’s been a tremendous level-up for us,” he said.
Deciding where to spend that budget means working with the CISO to know what the organization needs "and what it’s going to take for us to be safe,” he said, and striking a balance between what would be ideal from a security point of view and what is realistic for the healthcare system.
“I could spend my entire IT budget on cybersecurity and we would be the safest hospital in the world, but we would have zero other dollars to spend on other innovations and the users would probably hate me, because it would be so locked down I couldn’t do anything,” he said.
Ideally, the CIO, CISO and CTO would “all be acting in an advisor capacity,” said Mellen, speaking to both the board and the rest of the company to get them “up to date on what the attacks will look like.”
This effort includes helping the company understand the difference between what's possible and what's probable when it comes to AI-drive attacks. “It’s just a matter of educating them on the current state versus what marketing messages they’re going to see out there.”
Blocking turbocharged phishing
While AI-fueled attacks might be a more recent trend, they're often targeting well-known threat vectors.
In 2024, 73% of all reported cyber incidents were business email compromise attacks — up 44% from 2023, according to Eye Security. In a separate study, VIPRE Security Group analyzed 1.8 billion emails and found that 40% of business compromise attack emails in that group were generated by AI.
Andrew Marshall, executive vice president and CIO at Campus Apartments, said that their organization hasn’t been flooded by AI-powered threats, but they are starting to see more of them. “Probably 90% of the threats we see are still really stupid, but 10% are starting to become a lot more sophisticated and harder to spot,” he said, estimating that the problem will worsen over the next year.
That has made cybersecurity training even more important. “It’s the best defense a company has against cyber threats,” he said. “However many technical systems you have, if someone scans a QR code on a telephone pole and gets an infection, it’s game over.”
Over the last three years, Campus Apartments has been doing monthly training, helping staff spot and report patterns that “they feel are not quite right,” he said. It’s so important that the company has tied employee annual bonuses to being compliant with training.
While doing the basics such as focusing on zero trust, training, multifactor authentication and strong passwords seems rudimentary, it’s still important for CIOs to be pushing this as a company security stance because they work, said Mellen.
Core cyber preparedness practices are “ultimately a factor in how you can most effectively manage the asset you have and reduce vulnerabilities,” she said. “Time and time again, it comes back to doing the basics well because it’s just so incredibly difficult.”
