TORONTO, Oct. 24, 2023 - Barely half (56 per cent) of Canadian CEOs believe their companies are prepared for a cyberattack today, with more than nine in 10 (93 per cent) worried that the emergence of generative artificial intelligence (AI) will make them even more vulnerable to breaches, finds KPMG International’s latest CEO Outlook.

The results mirror findings of KPMG in Canada’s Private Enterprise™ Business Survey, which found 81 per cent of small- and medium-sized business (SMB) respondents agree that generative AI is a “double-edged sword” that could help their organization better detect and respond to cyber threats while simultaneously increasing the number of cyberattacks by providing new attack methods for criminals.

“Generative AI can help organizations bolster their security posture and gain efficiencies while doing so. However, the reality is cyber criminals will increase the use of generative AI in their attack strategies as well, and they can be much faster at adopting the technology than large organizations are. What that means is we’re likely to see more generative AI-enabled attacks particularly through social engineering, where deepfakes can be deployed to fool employees into compromising company data, and bypassing traditional access methods,” says Hartaj Nijjar, partner and national leader of KPMG in Canada’s cybersecurity practice.

“It can be difficult for organizations to predict exactly how generative AI will impact their cybersecurity posture, so the best way to protect against the unknown is to establish robust defenses that include investment in cybersecurity technology and programs and enforce rigorous staff training. Organizations with strong cybersecurity fundamentals in place will be better equipped to deal with the unknown risks of evolving technologies like generative AI,” adds Mr. Nijjar.

More than one-third of Canadian CEOs who said their organizations are underprepared for a cyberattack say the primary cause is outdated technology systems or infrastructure, followed by increasing sophistication of cyber criminals and a lack of investment in cyber defences. Less than five per cent said their organization is “very well prepared” for a cyberattack.

While some CEOs see generative AI playing a role in improving their cybersecurity programs, that role appears to be minor, with risks clearly outweighing benefits, according to respondents. Only eight per cent of CEOs cited improved cyberattack response capabilities as a benefit of implementing generative AI at their organizations. By contrast, one-quarter of CEOs said compliance and security issues – such as AI-armed adversaries – pose a challenge to implementing the technology, with 68 per cent of small- and medium-sized enterprises agreeing.

CEO Outlook highlights:

  • 93 per cent of Canadian CEOs are worried generative AI might enable additional cyberattacks (82 per cent globally)
  • 56 per cent said they are prepared for a cyberattack (53 per cent globally), unchanged from last year.
    • 52 per cent said they are “well prepared” and 4 per cent said they are “very well prepared” (45 per cent and 8 per cent globally, respectively)

Why Canadian CEOs feel underprepared for cyberattacks:

  • 38 per cent cited vulnerable or legacy systems or infrastructure (20 per cent globally)
  • 25 per cent cited increasing cyber threat and attack sophistication (34 per cent globally)
  • 19 per cent said lack of investment in cyber defences (15 per cent globally)
  • 13 per cent said shortage of skilled personnel (24 per cent globally)
  • 6 per cent said cybersecurity is not regarded as a business priority (7 per cent globally)

SMBs more prepared for cyberattacks

By contrast, small- and medium-sized businesses (SMBs) surveyed by KPMG in Canada reported a higher level of preparedness for cyberattacks than large companies, with 88 per cent of SMBs saying their company is well-prepared to defend against a cyberattack, up from 73 per cent last year. That’s despite the fact that more respondents (63 per cent) said they’ve been attacked by cybercriminals this year than last year (56 per cent).

While there are various types of cyberattacks (phishing, malware, denial of service or deployment of malicious code, for example), ransomware is particularly problematic for SMBs. Six in 10 companies said their company paid a ransom to cybercriminals in the last three years, and 59 per cent said their company doesn’t have a plan to address a potential ransomware attack (up from 32 per cent last year). A ransomware attack is when a criminal steals an organization’s data and keeps it hostage until a fee is paid.

“Paying a ransom to cyber criminals is a costly expense that companies generally don’t plan for – especially smaller and medium-sized enterprises with fewer resources and limited budgets. But unfortunately, many SMBs are choosing to pay cyber criminals because ransomware attacks can paralyze or even shut down their operations, and many simply can’t afford that,” says Robert Moerman, a partner in KPMG’s cybersecurity practice who leads managed security services.

“Paying a criminal will likely cost an organization more than it would to establish effective cybersecurity defenses to deter that criminal in the first place. Planned investments in cybersecurity reduce the likelihood and cost of a cyber incident, and cyber insurance can help address the residual risk. For smaller organizations that might not have the capacity or expertise to implement robust cybersecurity programs, external service providers can fill that gap as well,” adds Mr. Moerman.

KPMG Private Enterprise™ Business Survey highlights

  • 88 per cent of small- and medium-sized businesses surveyed by KPMG in Canada said their company is well-prepared to defend against a cyberattack (up from 73 per cent last year).
    • 41 per cent “agree strongly” and 47 per cent “agree somewhat”

Why SMBs feel underprepared for cyberattacks:

  • 71 per cent say their legacy systems or infrastructure (i.e., information and/or operational technology) make their company vulnerable to cyberattacks
  • 66 per cent say their company doesn’t have the skilled personnel to implement cybersecurity or monitor for attacks
  • 64 per cent said their company lacks the financial resources to invest in cyber defences
  • 62 per cent say cybersecurity is not regarded as a business priority

Generative AI and cybersecurity

Like their larger counterparts, small and medium enterprises cite aging or legacy technology systems as their biggest vulnerability to cyberattacks, followed by a lack of financial resources and skilled cybersecurity professionals. Despite these challenges, 80 per cent of SMBs said they are considering using AI to bolster their cybersecurity defenses and feel they have a good understanding of the risks associated with it and how to manage it.

Nisal Samarakkody, a partner in KPMG’s cybersecurity practice who specializes in the use of artificial intelligence to tackle cybercrime, says organizations looking to bolster their cybersecurity defenses with generative AI need to first assess which areas of their cyber controls can be augmented to maximize efficiency and security.

“Successful implementation and enablement of AI capabilities – including generative AI – is a journey that starts with optimizing existing cyber security controls, understanding gaps, readiness, and investing in emerging capabilities in line with the evolving cybersecurity landscape and organizational boundaries. Without that, organizations may not be able to leverage generative AI to its full potential, and they risk falling behind their peers and being vulnerable to complex threats,” he says.

For more insights on generative AI and cybersecurity, see Securing the Transformation Journey by Stephanie Terrill, Business Unit Leader for Management Consulting, and Thomas Davies, National Cyber Transformation Leader & National Risk Consulting Managed Services Leader at KPMG in Canada.

About the KPMG CEO Outlook

The ninth edition of the KPMG CEO Outlook, conducted with 1,325 CEOs between August 15 and September 15, 2023, provides unique insights into the mindset, strategies, and planning tactics of CEOs. All respondents have more than US$500 million in annual revenue and a third of the companies surveyed have more than US$10 billion in annual revenue. The survey by KPMG International included CEOs from 11 key markets (Australia, Canada, China, France, Germany, India, Italy, Japan, Spain, the U.K. and the U.S.) and 11 key industry sectors (automotive, consumer and retail, energy, financial services, infrastructure, life sciences, manufacturing, technology, and telecommunications). NOTE: Some figures may not add up to 100 per cent due to rounding.

About the KPMG Private Enterprise™ Business Survey

KPMG in Canada surveyed business owners or executive level C-suite decision makers at 700 small-and-medium-sized Canadian companies between August 30 and September 25, 2023, using Sago’s premier business research panel. A quarter of the companies surveyed have more than C$500 million and less than C$1 billion in annual revenue, a quarter have more than C$300 million and less than $500 million in annual revenue, 23 per cent have between C$100 million and C$300 million in annual revenue, and 26 per cent have between C$10 million and C$50 million in annual revenue. No companies were surveyed under C$10 million.

About KPMG in Canada

KPMG LLP, a limited liability partnership, is a full-service Audit, Tax and Advisory firm owned and operated by Canadians. For over 150 years, our professionals have provided consulting, accounting, auditing, and tax services to Canadians, inspiring confidence, empowering change, and driving innovation. Guided by our core values of Integrity, Excellence, Courage, Together, For Better, KPMG employs more than 10,000 people in over 40 locations across Canada, serving private- and public-sector clients. KPMG is consistently ranked one of Canada's top employers and one of the best places to work in the country.

The firm is established under the laws of Ontario and is a member of KPMG's global organization of independent member firms affiliated with KPMG International, a private English company limited by guarantee. Each KPMG firm is a legally distinct and separate entity and describes itself as such. For more information, see kpmg.com/ca.

For media inquiries:

Roula Meditskos
National Communications and Media Relations
KPMG in Canada
(416) 416-549-7982
rmeditskos@kpmg.ca