
Small businesses under siege: exploring the phishing threat facing SMEs
Recent research from Vodafone found that small and medium-sized enterprises (SMEs) across the UK lose a total of £3.4 billion a year to cyber attacks, with phishing the dominant form of attack against small businesses. With a growing number of cyber criminals using artificial intelligence (AI) to improve the success rate of their attacks, the threat to SMEs is only getting worse.
Small businesses are particularly exposed to these AI-powered attacks: they tend to have fewer dedicated security resources than large enterprises and, given the skills shortage in the industry, often struggle to find security professionals with the specialised knowledge needed to defend against them. Vodafone's research put the average cost of a cyber attack on a small business at £3,398, a significant hindrance not only to resilience but to growth.
To make matters worse, cyber attacks against SMEs have increased in recent years. Thirty-five percent experienced a cyber incident last year, while almost a third (32%) admitted to having no cybersecurity protections in place at all. The latter is a particularly worrying statistic: a business with no protective measures has nothing standing between an attacker who gets in and its data. As the likelihood of a small business being attacked continues to grow, the need for SMEs to implement cybersecurity measures to safeguard their futures is greater than ever.
Bad actors are upskilling with AI
Businesses and individuals are honing their AI skills and finding new use cases all the time, and bad actors are no exception. Generative AI tools give attackers an easy way to make phishing attacks more convincing. Large language models (LLMs) such as the one behind ChatGPT can instantly produce fluent messages, each tailored to a specific individual. Spelling and grammar mistakes were once a reliable tell in phishing emails; with generative AI, threat actors produce well-worded, error-free content, making phishing attempts far harder for targets to spot.
In years gone by, 'spear-phishing' attacks, in which attackers send personalised emails to specific individuals or organisations, often appearing to come from a trusted source, required time-consuming research on the attacker's part. Now cyber criminals can automate these attacks at scale using personal information that is often publicly available through social media profiles.
As AI continues to lower the barrier to entry, even criminals with limited technical knowledge are seeing more success. One of the most convincing and worrying uses of AI is cloning a person's voice and likeness from audio and video clips, or even from images found online. Used over the phone, this is known as vishing (voice phishing), and it has become increasingly popular, with organisations of all sizes being targeted.
Combined with caller ID spoofing, this lets cyber criminals call a target and convincingly claim to be an employer or colleague who needs urgent help. These techniques are already widely used and, as bad actors get better at turning AI to their advantage, new ways of using AI to power cyber attacks will undoubtedly follow.
How SMEs can combat evolving threats
Yubico's recent State of Global Authentication survey of 20,000 employees found that 40% of respondents receive no mandatory cybersecurity training at work. That is an alarming proportion of organisations not doing enough to defend themselves, whether proactively or reactively. Training and education are key components of an SME's ability to defend itself when, inevitably, it is attacked. Without proper education, staff won't know how to spot a phishing attack, nor how to raise the alarm that their organisation is being targeted.
However, while training and education are necessary, knowledge alone cannot properly protect a business, and organisations should not rely solely on staff to defend them. Alongside training for all staff, small businesses need an authentication method that is up to the challenge. To truly protect themselves and their data, SMEs should implement phishing-resistant multi-factor authentication (MFA). Unlike passwords or one-time codes, which a user can be tricked into typing into a look-alike site, phishing-resistant MFA binds each login to the genuine site's identity, so a credential presented to an impostor site is simply rejected. This removes the risk of users handing their logins to online scammers posing as a trusted website or service.
By equipping every member of staff with phishing-resistant MFA in the form of device-bound passkeys, SMEs can ensure that even a successful phishing lure does not yield a usable login, so their systems and data stay protected. Providing every member of staff with a hardware security key may raise budget concerns for SMEs, but the keys are surprisingly affordable and the return on investment is significant, given how much a single incident costs to recover from.
Because a device-bound passkey's private key never leaves the security key, a remote attacker cannot steal or intercept it, and only the key holder can log in with it. Hardware security keys offer the highest-assurance authentication widely available today, and a single key can be used to log in across many platforms and devices. By adopting this level of authentication, SMEs can greatly reduce the chance of their accounts and data being compromised in a cyber attack.
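To make concrete why a device-bound passkey cannot be phished, the following simulation is an added example written for this article; it is not Yubico's code or anything from the original page. It models the three parties in a FIDO2/WebAuthn login: the browser, which records the page's real origin in clientDataJSON and derives the RP ID from it; the security key, which only answers for credentials scoped to that RP ID and never exports the private key; and the relying party, which checks the signed client data before accepting a login. The origins https://example.com and https://examp1e.com are assumed for the genuine and look-alike sites, and an HMAC stands in for the key's ECDSA signature so the script runs offline; the origin and RP-ID binding, which is what defeats phishing, is unchanged.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    # Security key: each credential is scoped to one RP ID; keys never leave it.
    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> secret

    def make_credential(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[(rp_id, cred_id)] = secret
        return cred_id, secret  # simulation: verifier gets the HMAC secret, not a public key

    def get_assertion(self, rp_id, client_data_hash, cred_id):
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            raise PermissionError(f"no credential scoped to {rp_id!r}")
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


class RelyingParty:
    # Server side: issues one-time challenges and checks the signed client data.
    def __init__(self, origin):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self._keys, self._pending = {}, set()

    def register(self, cred_id, verify_key):
        self._keys[cred_id] = verify_key

    def new_challenge(self):
        challenge = os.urandom(16).hex()
        self._pending.add(challenge)
        return challenge

    def verify(self, cred_id, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self._pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:  # the anti-phishing check
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        key = self._keys.get(cred_id)
        expected = hmac.new(key or b"", auth_data + sha256(client_data), hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, sig):
            return False, "unknown credential or bad signature"
        self._pending.discard(cd["challenge"])
        return True, "ok"


def browser_get(page_origin, challenge, authenticator, cred_id):
    # navigator.credentials.get() as a compliant browser performs it: the origin
    # and the RP ID come from the page the script runs in, not from the script.
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, sha256(client_data), cred_id)
    return client_data, auth_data, sig


def run_scenarios():
    rp = RelyingParty("https://example.com")  # assumed legitimate site
    phish = "https://examp1e.com"             # assumed look-alike site
    key = Authenticator()
    cred_id, verify_key = key.make_credential(rp.rp_id)
    rp.register(cred_id, verify_key)
    out = {}
    # 1. Genuine login from the real origin, then a replay of the same assertion.
    cd, ad, sig = browser_get(rp.origin, rp.new_challenge(), key, cred_id)
    out["legit"] = rp.verify(cred_id, cd, ad, sig)
    out["replay"] = rp.verify(cred_id, cd, ad, sig)
    # 2. Look-alike site proxies the real challenge (adversary-in-the-middle):
    #    the browser derives the RP ID from the phishing host, the key has no
    #    credential for it, and no assertion is ever produced.
    ch = rp.new_challenge()
    try:
        browser_get(phish, ch, key, cred_id)
        out["phish"] = "assertion produced"
    except PermissionError as e:
        out["phish"] = f"refused: {e}"
    # 3. A tampered client lies to the key about the RP ID, but the signed
    #    clientDataJSON still names the phishing origin, so the RP rejects it.
    bad_cd = json.dumps({"type": "webauthn.get", "challenge": ch,
                         "origin": phish}, sort_keys=True).encode()
    ad, sig = key.get_assertion(rp.rp_id, sha256(bad_cd), cred_id)
    out["tampered_client"] = rp.verify(cred_id, bad_cd, ad, sig)
    return out
```

Running `run_scenarios()` shows the genuine login accepted, the replay rejected because the challenge was consumed, the look-alike site unable to obtain an assertion at all, and a forged client-data blob rejected on the origin check. Contrast this with a password or one-time code, which carries no notion of where it is being typed and is accepted just as readily by the relying party when a phishing proxy relays it.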
Bolstering enterprise security even further
To go a step further, beyond implementing phishing-resistant authentication, SMEs should turn their focus to developing phishing-resistant users. Rather than stepping up security reactively after an attack has already taken place, this is a proactive strategy that removes phishable events from the entire user lifecycle. It means not only equipping employees with phishing-resistant MFA but also making account registration and account recovery phishing-resistant, because attackers increasingly target recovery processes, which are often weak spots that fall back on phishable methods such as emailed links, SMS codes or helpdesk calls. These measures should be underpinned by purpose-built, portable hardware security keys as the foundation for the highest-assurance security, and by processes that do not allow these controls to be bypassed.
Unless organisations prioritise creating phishing-resistant users, they leave themselves open to the same attacks time and time again. Implementing phishing-resistant MFA, combined with creating phishing-resistant users, is the most reliable way for businesses to protect themselves from the cyber attacks that inevitably arise in today's business landscape. The NCSC recently announced that the UK Government is moving to adopt passkeys, citing them as the recommended authentication method for enhanced security. Without these defences, SMEs are at the mercy of cyber criminals, exposed to attack through inadequate security measures.
Investing in cyber defences now pays off in the long run, freeing up resources and giving teams more time to focus on other work. For business leaders, the peace of mind of knowing that staff accounts and company data remain protected whatever the time, location or scale of an attack is invaluable, and well worth the investment.