Being single-threaded on reporting tools can become a barrier. Different groups prefer different reporting channels, such as a hotline to a human, chatbots and emails, so having multiple channels has become a requirement for today’s organizations. GenAI is now helping to improve cybersecurity by powering chatbots that can be queried about different policies and reporting avenues.
Communication is also vital — not just from the CISO but from frontline managers as well. Those messages should stress partnering, not policing: cybersecurity must be everyone’s concern, and to some extent we’re all reacting to the negative and positive aspects of a constant state of disruption.
Instead of “gotcha” phishing traps, Guinn recommends gamification, in which different functions within your organization can compete to demonstrate their level of cyber awareness. Campaigns against social engineering, such as phishing attacks, can come with awards, whether through head-to-head exercises or by showing overall improvement year over year, and these should be an integral part of your company’s rewards and recognition programs. Gamification takes your people’s natural curiosity and human competitiveness and channels them in a more helpful direction. In our survey, the respondents who feel “rusty” on training are most fearful of using tech, while 94% of employees who received training within the past year say cybersecurity is a priority.
Within an organization’s cyber function, it’s useful to perform regular tabletop exercises in a limited lab environment, demonstrating the potential fallout and cascading effects in the event of a cyber attack, as well as how well mitigation responses perform. A lab environment is virtualized to reflect your day-to-day reality in your IT infrastructure but quarantined from your actual production environment.
With regard to AI, C-suite and senior leaders must embrace transparency surrounding how AI is developed and deployed enterprise-wide and demonstrate responsible AI practices themselves to mitigate risks. At EY, the mantra is “If you give people tools, give people training,” and EY has published its own commitment to developing and using AI ethically and responsibly, which anyone can access.
Ultimately, employers need to find the happy medium between knowing concerns and being concerned. “We need to envision a world where we have healthy skepticism about digital interactions,” Guinn said. “Are you prepared to help your workforce be better sophisticated when a cyber event occurs because they are the weakest link?”