Earlier this year, in our Forensic Update Webinar, we predicted that AI tools would become capable of rapidly creating complex, malicious code to steal credit cards and other data.
While we are certainly seeing that prediction come true, a number of other interesting AI security issues are hitting our radar as customers begin taking advantage of new AI tools in their small businesses.
Based on data collected from customers, the SecurityMetrics Forensic Team predicts that “with the help of AI tools, even script kiddies could rapidly create complex completed code that can steal credit card data. For example, AI is being used to create malware for more obscure languages (e.g., Golang, Swift) and generating ecommerce skimmers.”
This means that navigating AI safely is more important than ever.
Recently, a small merchant used AI to help generate an ecommerce solution for selling their products and services. Much to their dismay, soon after, they experienced a data breach that included theft of customer data and credit card loss. During the forensic investigation, our team discovered random directories and scripts were being dynamically created during the checkout process.
While not seemingly malicious or dangerous, these curious directories and code artifacts made little sense in the context of a well-thought-out and secure checkout process. If nothing else, they provided potential threat actors with an incredible amount of surface area to try attacking. The large number of directories and scripts popping in and out of existence made it extremely time-consuming and complicated to find the source of the data breach.
Additionally, none of the customer’s limited IT staff could shed any additional light on what the scripts were doing or why they were necessary. It was just something the AI did. Rather than continue a costly investigation through this bizarre ecommerce solution, it was more cost-effective for the merchant to just start over with a proven ecommerce platform: a very costly lesson in both time and capital resources.
Certainly, AI is also being used by bad guys to create malware in obscure languages quickly or to generate ecommerce skimmers, ransomware, and other evil contrivances, but its ease of use for good guys can also be that proverbial two-edged sword.
It might sound very tempting to use AI to whip up some JavaScript and PHP code to get a custom shopping cart done for your website and skip that $99 monthly fee for a hosted checkout solution.
However, the cost of a mandated forensic investigation after a hacker pwns your shopping cart might prove that $99 a month for a proven secure platform is a real bargain, especially if you do not have a skilled IT team on staff.
Key takeaway: It's crucial for small businesses to understand that while AI can do some amazingly cool and helpful things, it still has a long way to go before it is a replacement for competent and skilled human expertise, especially in sensitive areas where HIPAA and PCI DSS standards apply.
Artificial intelligence is quickly becoming widely utilized by small businesses. Examples of legitimate business uses include:
AI can and will be a game-changer for many small businesses with limited time and budget. In the hands of skilled users, AI can save a lot of time and money, and can even help small businesses get a bit of competitive leverage. But it's essential to use it cautiously and knowledgeably.
Using AI in small businesses with caution and skill is crucial for several reasons.
Cautious and skilled use of AI helps small businesses maximize benefits while minimizing risks, ensuring that AI contributes positively to their growth and success.
Small business owners often wear multiple hats, including using AI to craft emails, generate ad copy, or create website code. While AI can be helpful, there are pitfalls to avoid. A solid AI strategy can mitigate many risks.
Matthew Heffelfinger, Director of the SecurityMetrics Threat Intelligence Center, advises providing employees with AI guidelines and creating a formal AI acceptable use policy.
A skilled writer can use AI to craft an excellent article or blog quickly. An unskilled writer might be able to get some content out using AI, but it will not be great quality writing and will probably sound just like an AI wrote it. Probably not the look your company is going for.
The same is true for a skilled coder, IT person, analyst, marketer, or blogger. AI is at a point where it can help you do your job in more productive and creative ways. It cannot do your job, or the job of somebody you don’t want to hire, although it will certainly try. However, you will pay the bill when it fails.
E-commerce shopping carts are inherently high-risk. High-value data such as customer information and credit card data are present in those shopping carts, even if only for a small moment. This makes shopping carts, even for small merchants, a desirable target for data thieves.
SecurityMetrics' Shopping Cart Inspect tool combines forensic tools with human analysis to identify malicious or suspicious issues. This service analyzes your checkout process and identifies problematic scripts and processes for further inspection.
We are researching and implementing AI to help us in our investigations. AI allows us to quickly detect suspicious and malicious activity that may be present in the hundreds of thousands of lines of code that are often present in a checkout session. This process used to take many man-hours to achieve. Using AI, our hope is to cut this process down to minutes.
Commercial cybersecurity AI tools are quickly becoming available that can help small businesses with tedious tasks such as log monitoring, threat detection, and many other IT chores.
We encourage small business owners to get familiar with what is happening with these types of applications, but to exercise restraint and wisdom in their implementation and not to incorporate these tools until both you and they are ready to do so safely and securely.
Prioritizing cybersecurity can be challenging for small businesses, but even basic cybersecurity hygiene and a proactive approach to defending websites can go a long way. For assistance with cybersecurity, small businesses can reach out to SecurityMetrics experts or consult resources like their incident response plan blog.
We hope you are also researching and learning about ways AI can help you in your business processes. Artificial Intelligence is an exciting and game-changing technology. But as with all new advances, it comes with a new set of problems and challenges. We must learn to implement AI responsibly and alongside skilled experience so that AI does not come back to bite us with catastrophic failures from poorly executed plans.
The old adage is truer than ever. To err is human. To really screw things up, you need a computer.