Julie Bilodeau:
Hello and welcome to BDO Digital Digest, where as curious leaders, we're here to explore how evolving technology propels business forward and reshapes our work. I'm Julie Bilodeau, and I'm here with my co-host, Hamed Faghfoury. How are you doing today, Hamed?
Hamed Faghfoury:
I'm doing well, Julie. This should be a really good episode. I'm really looking forward to diving in here.
Julie Bilodeau:
Oh, agreed. Guys, I got to say, for those of you in the audience, we're diving into today's topic of the future of cybersecurity in an AI world. Got tons to talk about today. Really timely since the whole DeepSeek and all that has just recently come upon us, and we're starting to see the risks around that. So to lead us forward into this conversation, I'd like to welcome Mark Zuzarte, who is our BDO technology cyber engineering practice director. My goodness.
Hamed Faghfoury:
That's a mouthful.
Julie Bilodeau:
Yeah, what a mouthful. I don't know how he goes around and introduces himself in that five second elevator pitch or whatever we're supposed to know. I think it's a five-minute elevator pitch.
Hamed Faghfoury:
That's right.
Julie Bilodeau:
It just depends on how tall the building is. So let's get Mark onto the stage and we're going to ask him to tell us a little bit more about himself as well. Perfect timing, Mark. Thanks for joining us today.
Mark Zuzarte:
Thanks for having me, Julie.
Julie Bilodeau:
So we just gave your really long title. Would you tell us a little bit more about yourself beyond that title?
Mark Zuzarte:
Yeah, for sure. I'm one of the leads of cybersecurity here at BDO Canada. I'm specifically involved with running the teams that help organizations build secure applications, integrate security capabilities into their custom apps or into their organization. But on the other side of that, I help organizations with doing things like penetration testing or security testing that mimics that of an attacker, helping organizations find those critical vulnerabilities in their organization or their infrastructure before the bad guys do.
Hamed Faghfoury:
And Mark, let's just dive in to one area because I know top of mind for a lot of folks is enabling generative AI, AI capabilities. Obviously lots of exciting areas around that when it comes to the business impact. But from your perspective, obviously it's reshaped cybersecurity in a lot of ways. How has generative AI reshaped, both from an offensive and I guess from being able to be protected perspective when it comes to cyber threats?
Mark Zuzarte:
Yeah, for sure. So I think there are lots of different areas where generative AI and AI in general has impacted cybersecurity, but I'll focus on two, which I think are the two biggest or hottest topics right now. The first is, I'm sure both of you have been involved with projects where AI has been integrated into an organization. So an organization's brought on an AI engine to help them be more productive, help answer employee questions or chatbots and things like that. When organizations are looking to bring those kinds of features on, typically we tell them it's really easy. You install a package, click a few buttons, and away you go. What a lot of organizations aren't able to do, or maybe sometimes overlook, is making sure that that AI engine has the right amount of access. And what I mean with the right amount, I mean the minimal amount of access it needs in order to do its job.
So let's use a bit of an example. If an AI engine goes and indexes all this data in an organization and it consumes HR data or payroll data, you in theory would be able to ask that generative AI capability, "What does my boss make? What are the performance reviews of my peers?" And sometimes AI engines aren't able to have that knowledge or that capability around making sure that privileged information isn't shared with the wrong people.
On the other side of that is what attackers are doing. And just like us, every day, I'm sure we're increasing our use of generative AI every day to help us do our jobs. We're going on, we're asking questions. We're saying like, "Hey, tell me some information about an organization. Help me write an email. Help me build code." Attackers are then able to use those same features to build exploits or build bad software or phishing emails, things like that.
So what we used to take for granted as a language skill or a coding skill, attackers are now able to just ask generative AI, "How do I do this thing? Write me a malware toolkit. Write me an exploit." It'll pop it out. And the skill level of the attacker has really been able to go down because of the support of some of these capabilities.
Julie Bilodeau:
Wow, that's wild.
Hamed Faghfoury:
It's crazy. Yeah.
Julie Bilodeau:
I got to say, yeah, sorry, that's the underbelly of AI really, right, that of course, it's unleashed to the whole world, but that includes the bad actors out there who can just take advantage of what that is. And of course, cybersecurity is top of mind when it comes to these bad actors getting a hold of that level of power, let's say. Hamed, sorry, I didn't mean to interrupt you. Go ahead [inaudible 00:05:20].
Hamed Faghfoury:
No, I was just going to reinforce the same thing. I mean, we see it on a personal level obviously with deepfakes and phishing just getting more sophisticated. I imagine what you're saying, Mark, is ultimately companies are seeing the same thing, right? What we're seeing in terms of scam emails or phone calls that are from not so good actors, I'm guessing that this is the same type of sophistication that organizations are seeing on their side.
Mark Zuzarte:
Yeah, for sure. And let's say, you mentioned phishing emails. When you would get a phishing email, one of the things that you would do is you look at that phishing email and say, "It has spelling mistakes. It's not worded right. It doesn't seem to be tailored for my organization," like it would say something about a product or feature that you don't do or you don't manage, right? So it would be an indicator saying, "This doesn't seem legitimate."
But now with AI having this intelligence, you're able to have a properly written and perfect English email that has context about you and your organization, so all of those little tells indicate to you that it wasn't legitimate, those are all gone, and that was traditionally what we used to recommend to organizations to make sure to put into their training program around being able to detect some of those issues, but the world's changed.
Julie Bilodeau:
So are there AI tools to help with these new tells maybe that as humans we can't see anymore because it's that good?
Mark Zuzarte:
Right, so I would say that maybe... So the short answer is yes, there are new tools and capabilities, but we're really in the trickle-down stage right now. So usually when these new tools or capabilities are released, they kind of come out right at the top, at the enterprise level. They tend to be pretty expensive, and organizations, as the adoption grows and as costs come down, other organizations are able to adopt it. So right now, we're in that trickle-down stage where a lot of the tools and capabilities mostly around phishing and social engineering, they're still up there, but they're starting to exist and AI is starting to be used to combat AI.
But I would say that a lot of organizations that are concerned about AI and concerned about this new, what we call the new threat landscape, they should really look at the investments that they've already made. Many of them have, just between the three of us, we've all made investments, knowingly or not, into security capabilities. As the world changes, does it really make sense for us to continue to use the same capabilities or should we reevaluate what we're doing to make sure that we're still doing the right thing, to make sure that we're protected? Doing that reevaluation and making sure that everything's aligned, making sure that the right boxes are checked based on the way that the world is today is really important.
Julie Bilodeau:
I got to say something that I do on my own, although I don't know, Mark, if this would pass your test, but if there's a phone number that I don't recognize that's calling me, I don't even pick up anymore. There's so much out there that I personally don't trust because I don't know, and I don't know if there's anyone else in the audience that's having the same, I guess, extreme reaction to this by having a zero tolerance for this. But for me, you know what? If they know me and I just don't happen to have their number already saved in my phone, I'm just going to let them leave a voicemail. At the end of the day, that's how I vet whether or not a bad actor's trying to get at me, right? I don't know how-
Mark Zuzarte:
I do the same thing.
Julie Bilodeau:
... businesses can do that, but maybe you can give some insight into a case study or some client that you've worked with in this kind of regard.
Mark Zuzarte:
Yeah, for sure. So I'm sure we've heard of business email compromise or wire transfer fraud. So an attacker would get involved in the email thread or they would call somebody and say, "Hey, I'm the boss of this organization. I need you to wire transfer me a hundred thousand dollars." And what we were training or what the industry was doing was telling people, "Look for the indicators. Look for the tells that it's not actually that person. The signature's not right, something doesn't make sense, the tone, things like that."
Well, that's changed now with AI, right, that you can actually have an AI tool generate a conversation and play it to somebody that sounds... We've seen deepfakes. They all look really convincing. There's lots of them on YouTube. So now what we say, what we recommend to clients is that, have a back-end process. Make sure that when you receive that call, rather than just automatically doing what that person tells you, check with somebody else. Follow a standard process to make sure that the right checks and balances are in place, so even if legitimately, it might legitimately be the CEO or the owner of that organization, but the right checks have to go in place to make sure that kind of fraud is thwarted.
Hamed Faghfoury:
Before we get into Jenny's question, just one thing that came to mind is obviously it almost seems like a daunting exercise to keep up with the pace of AI, for example, in terms of the threat that that poses. We're seeing open source models now come about. We're seeing a progression of access that can be used by good actors and bad actors alike in terms of being able to beef up their ability to use AI. How would you suggest that leaders can think about how they prepare themselves for the next wave of AI threats and other threats alike?
Mark Zuzarte:
Yeah, for sure. So really, we can zoom out from the concept of AI and just think about the security landscape in general. The world's constantly evolving and changing. There's new cybersecurity threats coming out every day. So typically what we recommend to organizations, CEOs, leaders, is that they take a future-facing approach. So rather than protecting their organization from what's today or in the past, think about building capabilities that are resilient to threats in the future by not focusing on the actual threat, but building resilient security capability.
So what that includes is having things like doing things like data classification, doing risk management, having a robust risk management and data classification program, doing security testing, making sure that that testing is done on a constant or continual basis to make sure that the threats that are actually existing in today's world are being considered and your organization is being assessed based on what those threats are, having response and monitoring capability, making sure that if an attacker does target your organization, that something's in place to at least give the indication that an event is happening so that some type of reaction or some type of remediation can take place, so future-proofing and having an agnostic approach is really important.
Hamed Faghfoury:
Well, I think it's time for Jenny to get her piece in because-
Julie Bilodeau:
Yes, let's see.
Hamed Faghfoury:
Jenny's itching.
Julie Bilodeau:
She's listening. We didn't tell you [inaudible 00:12:15].
Hamed Faghfoury:
And I'm going to read this from Jenny. Jenny has looked through your profile, has dug up your LinkedIn, has done her research, and she said, "It's clear to me, Mark that at BDO Canada, you're helping clients navigate AI security challenges," and I think you've covered a bit of that. Her question is, "Can you share a real-world example?" You don't have to name names obviously with the client, but I guess she's looking for a real-world example of how AI in real terms has helped strengthen defenses for somebody we've worked with.
Mark Zuzarte:
We have a client who wanted to implement an AI chatbot, and their organization was really focused on being able to triage customers so that they had to talk to fewer actual people, which would reduce costs because fewer people answering phones or responding to messages, and they felt that most of their clients could be served by this AI chatbot. Now, so this AI chatbot would have an integration into their organization through a custom web application, but they wanted to make sure the right checks and balances were in place and that integration was done securely.
So what my group did in our application security team is we really helped integrate some of the security testing capabilities into their development pipeline and built some of the access control in place. So that AI chatbot followed what we call the rule of least privilege, so that only the minimal amount of access that that AI chatbot needed to do its job was provisioned to it, and the integration of that chatbot into the actual web application was as secure as it can be for today's standards, which was pretty secure. We went through a pretty rigorous testing process.
Now, in addition to that, notice I mentioned about today's standards. We're going to be doing iterative, near constant testing as that organization makes changes to the application, upgrade modules, or integrate new AI models to make sure that that application stays secure, the right accesses continue to be granted, and we have the right capabilities in place.
Hamed Faghfoury:
It sounds like they're locked and loaded and ready for the future.
Julie Bilodeau:
I am so relieved, Mark, that you and your group and our practice at BDO are around to help businesses, and that's actually what I think of next is if I am a business leader right now or a business owner listening to this podcast, what advice do you have for them to move on this if they're really in their infancy when it comes to cybersecurity or even data security at this point?
Mark Zuzarte:
Yeah. Well, I'm more than happy to have them talk to me. I would say that really keeping an ear to the industry, understanding how their organization fits and what's important to them, understanding what the data severity level is and making sure that they have the right risk tolerances and right risk appetite understood and communicated within their organization. I think that's really important. All of the other decisions really trickle down or are fed by those key decisions, which there's nothing technical about those, nothing that actually has to be built or computed. It's an understanding between leadership that this is where we are in today's world.
Julie Bilodeau:
Yeah. Awesome. Well, I think we've got to wrap it up there for today. We could probably go on all day on this. I'm sure we could.
Mark Zuzarte:
We definitely could, and I'm sure I could talk all day about it.
Julie Bilodeau:
Exactly. I mean, you live and breathe this every day, so I'm sure it wouldn't take much, right?
Mark Zuzarte:
Exciting times.
Julie Bilodeau:
Thank you so much for joining us, Mark. Thank you for those of you in the audience for joining us and tuning in today on our BDO Digital Digest. Join us next time as we continue to explore the future of technology and how it's impacting us day to day. Until then, stay curious, stay innovative, and bend that arc of possibility in your world. Thanks again.