The Ponemon Institute report "2024 State of Enterprise Cyber Risk in the Age of AI" sheds light on the evolving landscape of cybersecurity challenges faced by enterprises. The report highlights pressing concerns that keep cybersecurity professionals awake at night.
The report outlines that many organisations struggle to keep pace with the rapidly changing requirements of cyber risk strategies. Notably, unpatched vulnerabilities have emerged as a primary concern, exacerbated by the growing reliance on AI tools.
While AI has become a pivotal asset in prioritising threats and vulnerabilities, nearly half of the surveyed organisations expressed worry over vulnerabilities stemming from AI-generated code.
This dual role of AI—as both a defender and a potential threat—has led to a critical need for organisations to reassess their security postures.
The first key finding is that organisations must revert to the basics when managing AI-generated vulnerabilities. The speed at which AI can produce code may inadvertently increase the number of vulnerabilities.
Rather than fixate on the generation of these vulnerabilities, firms should establish robust systems for identification and remediation, prioritising vulnerabilities based on their organisational context.
The second significant issue identified is the persistence of unpatched vulnerabilities, which remain the top concern for security professionals. Misconfigurations and end-of-life (EOL) software compound this challenge, with inadequate vulnerability scanning practices observed across the board.
Alarmingly, half of the organisations conduct vulnerability scans for Common Vulnerabilities and Exposures (CVEs) only once a week or less often. Given that attackers can exploit vulnerabilities within days of disclosure, this infrequent scanning leaves organisations at a considerable disadvantage.
Finally, the report reveals a widening gap between the concerns of security teams and the priorities of executive leadership. While security professionals recognise the potential business impact of vulnerabilities, 87% of CISOs and CSOs lack responsibility for defining metrics in their cyber risk management strategies.
Reports are often perceived as unengaging by executives, highlighting the need for improved communication. Translating cyber risk into monetary terms could make these issues resonate more with leadership, thereby enhancing the relevance of cybersecurity reporting.
As organisations navigate the complexities of AI-driven cybersecurity threats, addressing unpatched vulnerabilities and improving communication with executive teams will be vital steps in strengthening overall cyber resilience.