Four shifts in cybersecurity that matter today – and tomorrow


A lot can change in a year. In fact, scrap that, a lot can change in six months when we’re talking about cybersecurity. Unfortunately, most of us mere mortals simply do not have the time for daily security check-ins. Thankfully, we have our Senior Director of Information Security, Product Security and Global Response, Quentyn Taylor, whose extensive expertise keeps us on top of what to expect.

Cheaper deepfakes go mainstream

Deepfakes may flood our feeds, but human curiosity, caution and common sense may help us to stay safe.

“With enough money, anyone can make deepfakes that look completely real – so real, you might not realise,” explains Quentyn. “Right now, however, because of the investment required, they are largely used for high value targets. But as the price of creating these deepfakes reduces, we’ll start to see them far more frequently.” He foresees a massive increase in fake videos, voicemails and phone calls – all with the intent of extorting money from large numbers of people. “It will become such a part of life that we will need to come up with very human ways to head it off – having a family ‘safe word’, for example, is a simple way to test who you are talking to.”

He also warns that, as it becomes easier, social media deepfakery is also set to increase from the current torrent to a deluge. “Compromised social media accounts of family members asking for money. Heartstring-tugging videos requesting donations. Miracle product testimonials. Anything to convince people to part with their cash. It’s all already out there and we certainly haven’t reached the peak yet. But it’s coming.”


Malware multiplies

Criminals are using AI to turbo-charge how they send malware, but the code itself isn’t getting any smarter.

“Is AI revolutionising malware itself? Not really. But it’s supplementing it in new ways,” says Quentyn. If you’ve never encountered malware, then chances are you’ve had good luck or are taking precautions. It’s harmful software that may find its way onto your device through phishing, and can be used to steal information or even let someone else control it.

“Using AI, criminals can make phishing lures sound so much more realistic,” Quentyn explains. “In the past, we could easily pick up those tell-tale spelling and grammar mistakes, or just that the tone was off. But, depending on what LLM [Large Language Model, such as ChatGPT, Gemini or Claude] is used, an email can be written in a very specific style, even accounting for what will have the most impact for that particular person.”

However, he believes that this might not be the extent of AI’s influence on malware. “Using AI to write the code for malware is not something we’re seeing at the moment,” he says. “But it is allowing criminals to work more efficiently and increase the volume of attacks. It might be used to quickly churn out malware, for example, because the quality of the code doesn’t matter if it works once and can get out there quickly.” As well as generation, research and targeting, this may also mean mass personalisation at scale – the ability to send thousands of seemingly legitimate, tailored messages. More messages = more victims. So, stay suspicious, slow down before you click and trust your instincts.

Preparing for a quantum future

Quantum computers are on the horizon and businesses must keep their customers’ data safe and stay in line with legal requirements.

If we lost you at ‘quantum computer’, that’s okay and totally understandable. But bear with us. They are basically super-powerful computers that can solve some problems much faster than those we use today. They will be able to crack even the strongest security in seconds. But, adds Quentyn, “quantum computers are pretty much in the same place they’ve always been – which is ‘just out of reach, but about to be there’. Because of AI, it's been taking a bit of a back seat, but now data security laws are being put in place that mean organisations must look to the future.”

But how? By assessing their data and securing it using a type of cryptography designed to shield it against attackers using quantum computers. “And there is nothing to stop data encryption being switched to quantum-safe today,” he stresses.


The death of the bug bounty

AI makes hunting for bugs in code faster and cheaper, but human researchers will still be needed to spot the less obvious problems.

‘Bug bounty’ is a fun name for a reward offered to people who find and report vulnerabilities in products, software and systems, and it’s worked pretty well, but times have changed. “They were really only ever supposed to find unintended consequences,” Quentyn explains. “For example, imagine a photo on social media is flagged as inappropriate by another user, but the built-in moderation tool on the platform then shows them a load more photos, asking ‘should these be removed too?’ Except these have been set to private. Nothing crashed or malfunctioned, but it’s a huge privacy issue.”

Today, the financial incentives mean that bug bounty hunters tend to avoid such blind spots and target easy wins – bugs and glitches in code. But these are increasingly being handled more cheaply by AI tools “because AI doesn’t need to sleep and can literally just run every single test and work until it gets all the answers.” While this is happening, internal researchers now focus on those misbehaving features, unexpected behaviours and hidden security gaps. For users, this simply means that 100% attention is focused on creating a much smoother – and safer – experience for them.

While it seems inevitable that AI will continue to dominate the security conversation, Quentyn also values critical and strategic thinking at scale – the human touch, if you like. Because, as he stresses, we must not forget that sometimes the most effective tool we have to protect ourselves is our humanity and that even sophisticated AI-powered cybercrime can often be countered by scepticism and a safe word.
