Dive Brief:
- Nearly 30% of cybersecurity executives say privacy and security issues related to artificial intelligence represent their top concern, surpassing ransomware and other forms of malware, according to a new report from Arctic Wolf.
- The report, based on a survey of more than 1,200 leaders in 15 countries, highlighted trends such as ransomware negotiators reducing payouts, the widespread nature of breaches and attitudes about companies’ perceived returns on their cyber investments.
- Another interesting data point: Nearly 85% of security leaders said they used next-generation endpoint security software, but only 40% said the tools gave them full visibility into their networks.
Dive Insight:
Arctic Wolf’s report captures the opinions of the security profession at a pivotal moment, as threat actors adapt to changes in the capabilities of AI and the profitability of different kinds of attacks. Companies are eager to use AI in some form, with 86% of them having established AI use policies, according to the report. But AI-driven security solutions still aren’t generating a significant return on investment — those technologies topped the list of devices creating “the least value” in corporate security programs, with 18% of respondents citing them.
“While AI devices are great during demonstrations,” Arctic Wolf’s report observed, “they tend to underperform in the real world. This discrepancy is at least somewhat due to impractically high false positive rates. … [I]t will likely be a long time before the accuracy improves enough to put more trust in these devices.”
At the same time, AI is a major driver of companies’ cybersecurity planning.
“Data transformation and secure AI adoption” topped the list of factors driving respondents’ strategic decision-making, earning a mention from 45% of respondents. Privacy and data protection came in second, followed by risk management. Arctic Wolf bemoaned this mismatch between strategic motivators and real-world threats, noting that AI-generated attacks pale in comparison to breaches that rely on common weaknesses.
“Training staff to recognize phishing lures, MFA bombs, and other common — and unfortunately effective — techniques is a cost-effective way to improve an organization’s resilience,” the report said. “However, ‘building a culture of security awareness’ was only selected by 31% of respondents [as a strategic driver].”
Rich Campagna, senior vice president of product management at Palo Alto Networks, said it's understandable that companies want to focus so much on AI threats, given that the AI space is complicated and rapidly changing. But, he added, “Overemphasizing on future threats like AI can lead to gaps in defending against the more routine, yet still highly effective, attack vectors that adversaries continue to exploit daily.”
While ransomware receives significant public attention, business-email compromise scams remain equally potent. Twenty-three percent of respondents reported suffering a ransomware or data-exfiltration attack in 2024, but 35% said they had experienced a BEC attack. Another 35% said they experienced a “significant malware infection.” Seventy percent of respondents said their companies experienced at least one significant cyberattack, and 64% of those attacks led to at least three months’ worth of lost productivity.
Editor’s note: This story has been updated to include a comment from Palo Alto Networks.