error
Subscriptions are not available for this site while you are logged into your current account.
close
Skip to main content

Loading

The page is loading.

Please wait...


      In this episode

      With the advent of frontier AI, organisations are facing a new reality where vulnerabilities can be identified, exploited and executed in a matter of hours.

      Cyber attacks are scaling at ever increasing speeds. Can you keep up? 

      In this episode of The Insight in 15, we’re joined by Del Heppenstall, Head of Cyber Security at KPMG UK, to examine what frontier AI really means for cyber security.

      We discuss how attack methods are evolving, and what organisations need to do differently to defend themselves. They cover the role of zero trust, automation, and why getting the basics right still matters.


      What you need to know:


      Frontier AI is accelerating the speed of cyber attacks significantly, but is not yet widely. available beyond large enterprises with the required compute.

      • Defence needs to shift from reactive to automated responses to be able to counter these newer, faster attacks.
      • Zero trust architecture is becoming a key foundational approach to modern cyber security.
      • Phishing remains prevalent and AI is making it harder to detect.
      • Strong cyber fundamentals like password hygiene, training, and patching, are still essential.

      Providing the insights on this episode:

      Del Heppenstall

      Del Heppenstall

      John Robertson

      John Robertson

      All in just 15 minutes.


      The Insight in 15 is KPMG UK's flagship podcast for business leaders and decision makers.

      Join us every fortnight for a fresh perspective on the issues shaping the future for your business, people and communities.

      No filler. We cut to the chase, setting out the risks and opportunities, and providing insights you can put into action straight away.



      Episode transcript


      John: Welcome to The Insight in 15, I'm John Robertson and today I'm joined by Del Heppenstall, who is our Head of Cyber Security here at KPMG in the UK, and today we're going to be talking about cyber, but we're going to be focusing in on what frontier AI means for cyber security. Del, thanks for joining us. As usual. We've only got 15 minutes, so let's crack on. So I guess the best place to start really before we go into cyber itself is what is frontier AI? 

      Del: So frontier AI is AI as it wasn't really anticipated, effectively using larger, faster scale models to chain events together and actually do things beyond what the actual developers thought that actually it would do. 

      So it's kind of bringing new concepts to how AI is thinking and the back that can actually chain events together to get to an outcome. 

      John: Okay, so why is this causing such a stir at the moment in the world of cyber security? 

      Del: Well, specifically in cyber security you had the launch of a couple of models recently, mythos being the one that everybody remembers. 

      John: Why did it cause such a stir? 

      Del: I guess primarily it demonstrated how AI can take a vulnerability, expose the vulnerability, do the exploitation, and do that at speed. So we've moved from a space where, by finding out the vulnerabilities in systems, has taken time, research, and then to actually write the exploit and then go and, you know, break into systems has taken days, weeks, months. 

      And sometimes this is now done at machine speed within hours, within 24 hours at pace. 

      John: Okay. So is this changing sort of the nature of cyber attacks? Is it opening up to more people to be able to attack you? Is it making it easier to be a cyber criminal? 

      Del: I guess inevitably it will. The models that we're all sort of causing the stir, as you say right now, are expensive to use. 

      The token use is very, very high and therefore not quite as available to the, I guess, the common user on the internet. 

      So there will come a time though, as models evolve and this becomes more widespread, that it will become more available. I guess the the real kind of conundrum to think about, though, is, is that the pace with which this is developing at, and how does policy and regulation keep up with that, that change as well. 

      John: So you mentioned it's expensive because of the token use. Can you just explain what you mean by that? 

      Del: Basically the compute power. It requires significant compute power to run. And that really is only accessible to very, very large corporates, very large organisations. 

      If we look at the glass swing project that came out of the back of mythos that was given to the large tech players, some of the largest banks in the world as well, to look at their own systems and assess the vulnerability in their own systems. 

      And they were given access to that because they are the largest organisations out there. They're the largest users of it, but equally as well, in terms of the use of it, it requires significant compute power, which comes at a cost. 

      So therefore, it's not like some of the developments that we've seen over time with cyber, where it becomes a commoditized, kind of outcome driven approach where you can buy for $10 access to, or even cheaper than $10 in some cases, access to exploits. 

      John: Okay. So you sort of talked about this as finding vulnerabilities. Now, my recollection from talking probably to people in your team about cyber security, there was a big focus on phishing. Right. And so this sort of like first wave of attack came through phishing attempts. Does this change that? 

      Del: What we're seeing with the use of the Frontier AI platforms is the potential for the malicious use to be much faster, more impactful, and therefore more damaging to an organisation. 

      If you're on the receiving end of that development. And phishing, though, will still continue to be a routine for threat actors to attempt to gain access to an organisation, because that still gives you access to that user and the environment they sit in. 

      Now, if you can tie the use of the Frontier AI into phishing using Frontier AI to do faster, better, more real, real life like type attacks, then of course that's going to become more impactful and will make it harder for us as humans to distinguish between the obvious phishing attacks that sometimes we see and the spelling mistakes, or it's come from an address that doesn't look real to ones that look far more real and are fired at you at pace, and have been tested in a much more kind of holistic view. And to look, look lifelike. 

      John: It's feeling like all the cards are in the attacker's hands here. But what does this mean for, as an organisation, how I set out my cyber security, how I defend myself now? 

      Del: So as I touched on, before that, we're almost into an AI versus AI potential space. So we're talking to a lot of our clients around using these exact same platforms in a defensive mechanism. 

      So in the past, as I said before, you could have been told about a particular vulnerability and a platform that you use, vendor solution that you use, you then get sent to patch, which you then go and testing your environments, and you then roll out in a nice controlled fashion across your estate that can take any time between days, weeks, months in some cases. 

      So what we're saying now is, is that you need to move at the same pace as the attackers, using the same platforms, but moving more into almost a concept of, defence at speed, and looking for anomalous behaviours and responding as opposed to, and this concept is not this not new this concept. 

      but zero trust concept and moving to an approach whereby you architect your environment knowing that there are attacks, they're going to come be have an architecture that allows you to segment parts of your network off, and defence in depth, and having automation and taking decisions at speed so it's almost a kind of an arms race in some respects, 

      John: Del, for our listeners, could you quickly explain what you mean by the zero trust concept? 

      Del: Yeah, sure. So for zero trust, it's never, never trust always verify kind of concept. So we've always traditionally had the concept of an internal network. And everything on the internal network is trusted. 

      Zero trust moves to that principle of always authenticate and verify every user on the network, as opposed to trusting ones that are inside the, I guess, the castle walls of your of your infrastructure. 

      John: My take was that you couldn't create a kind of no wall was impenetrable, and therefore you needed to put as much or more focus on recovery and response, does frontier AI change that? Does it put the emphasis back onto defence or does it still stand? You need to have this fast recovery. How's that changing? 

      Del: I don't think it changes those concepts. They still apply. It just changes the way that we have to go about transacting them. 

      And back to my comment before about using AI in that process to do things faster, more automated, at speed. 

      So it's still though requires you to have playbooks around when an event happens. What do you do? How do you do it? Let's all follow the same guidance and make sure we do it correctly. Let's recover correctly. 

      We still need to have, policies and approaches and recovery programs have worked built to do that in the event of something catastrophic happening. 

      So it doesn't change the need for that. I think it changes the way that we do it, though, in terms of how we use AI in that to enable it to be done at speed. 

      And it probably requires us to really think about the core bits of our environments and how we protect what really matters. 

      John: We're talking about Frontier AI now. I guess my next question is how big a risk is it right at this moment? How much of my concentration in terms of cyber security should be on that threat as opposed to, you know, the basics that I've always done in terms of, you know, good cyber security, patching vulnerabilities, training employees, etc. 

      Del: All those things still exist. And there are many, many organisations who still don't have a grasp of the basics. You know, there are still organisations who don't educate all their employees on the risks that are presented as from a cyber perspective. 

      We've talked before about phishing attacks, so there's still all that human element and the training and awareness that needs to continue. We still need to run our IT. We still need to continue to build or implement new systems. So that doesn't change. 

      What does change, though, is the fact that we need to be cognizant of the potential for Frontier AI to change the speed with which some of this stuff will come at us, and therefore how fast we need to respond. 

      John: A few days before we're recording this, there was the news that the US government had sort of restricted, I guess some of the latest Frontier AI from Anthropic being shared with foreign nationals outside of the US. And I guess the question here is what does that mean in your view, in terms of sort of governance and controls around these tools? 

      Del: So in relation to the US government have taken on, on the model more recently is down to the, unintended, I guess, consequences of how those guardrails have been potentially breached. 

      So, the phrase being used is jailbreak. So there's always been a concept that you might be able to jail, break out of these solutions to get it to do something it wasn't quite intended to do. It does need very strong guardrails to allow the platform to do what it was intended to do, and therefore back to that good use of the platform versus the malicious unintended consequences and use of the platform. But there's more to come on this as to where that goes next. 

      John: Talking about there being more to come. I'm assuming this isn't the final frontier in terms of cyber threats. What do you see being kind of the next threat on the horizon that organisations should be kind of getting ready for now? 

      Del: I've been in this industry for a long time. People still have poor passwords. People still write passwords down. They share them. They use the same password on systems. So we've still got a lot of work to do on the basics, right? 

      In terms of what comes next, though, I guess everyone's already talking about quantum and the fact that quantum computing, when that comes in, the UK government itself, has set an approach around how companies get ready for quantum computing and the control of all of that cryptography and use of that. So I guess that's the next big thing that will come down the line that we can foresee now. 

      John: I think there's a potential here that this is all coming across a bit scary to our listeners. So Del, can you give us some positives out of this? 

      Del: So I think there's plenty of benefits to come from the use of AI. I think we're still just working out what some of them are, but in a cyber perspective, we're definitely seeing some in terms of that increased security levels. That can be as a result of using these platforms and using AI to do things that would have taken humans too long to do before. 

      I think also as well, there's probably an up lift as well. This provides some of the have nots right where they have maybe haven't been able to get some of the best talent to work in their organisations because there is a talent shortage right, in this industry. 

      So where we can complement that and do some of the, you know, the lower down grunt work with AI and allow people to do more interesting, more challenging type of work. What the AI is then telling them is coming out of the systems. That has got to be a benefit as well. 

      John: Okay, good stuff Del. We're almost out of time. So I'm going to end with our final question we ask everyone, and that's what's your kind of one key takeaway? What's the one key thing you'd like people to leave with today? 

      Del: I'll probably give you two. One is don't just sit back and do nothing as a result of this and wait for something to come. Start exploring it and looking at what benefits it can bring, you know, embrace the platforms. 

      And the other I touched on earlier, but start looking at the zero trust concepts. It's been around for a long time, but with the AI Frontier and the speed with which tax will come, then having a zero trust architecture and approach will provide that ability for an organisation and to be able to operate and use the AI in a defensive mechanism far better than they would do with traditional approaches. 

      John: Right. That's our time up. Thanks for joining us today Del. Hope you've enjoyed the episode. If so, please do subscribe to us on Spotify, Apple Podcasts, or YouTube. See you again for The Insight in 15. 


      Make AI Scale

      Overcome the three forces holding back your AI programme.

      woman holding tablet



      MTD

      Get in touch


      Discover why organisations across the UK trust KPMG to make the difference and how we can help you to do the same.