Future Ready with Bechtle

What organisations need to know as AI reshapes cybersecurity | Future Ready with Bechtle

• Bechtle • Season 1 • Episode 10


What happens when artificial intelligence accelerates innovation faster than organisations can secure it?

In this episode of Future Ready with Bechtle, host Stephen Harley is joined by Owen Lashley, Cyber Security Solutions Expert at Bechtle, to explore how AI is reshaping the cybersecurity landscape and what organisations must do to stay ahead of emerging threats.

As businesses adopt AI to drive productivity and automation, threat actors are using the same technologies to scale attacks. This conversation is a crucial insight into why organisations must rethink identity, permissions and data governance as they integrate AI tools and autonomous agents into their environments. 

In this episode, we cover:
Why AI is rapidly becoming one of the biggest cybersecurity challenges organisations face
How threat actors are using AI to scale phishing, impersonation and malicious automation
What prompt injection attacks are and why they matter for businesses adopting AI
Why identity management is the foundation of secure AI adoption
The role of data governance in protecting sensitive information when using AI tools
How organisations can balance security, governance and rapid AI adoption
The ethical considerations of monitoring how employees interact with AI systems
Why strong security foundations are essential as AI becomes embedded into business operations

Watch the full episode to explore the cybersecurity implications of AI and how organisations can adopt it securely.


👉 Learn more about Bechtle UK’s cybersecurity and AI solutions:
https://www.bechtle.com/gb/bechtle-library/bechtle-pillars/services

👉 Interested in partnering with Bechtle or exploring career opportunities?
https://www.bechtle.com/fr-en/career



The Bechtle Future Ready Podcast explores how technology is transforming the way we work. Hosted by Bechtle UK, each episode features thought leaders and innovators discussing digital transformation, cybersecurity, sustainability, and the modern workplace.

Discover insights and strategies to help your business stay agile, connected, and ready for what’s next.

🎧 Subscribe now and get future ready with Bechtle UK.

SPEAKER_02

Hi, I'm Steve Harley. This is Bechtle Future Ready Podcast, and I'm joined today by Owen Lashley, Cyber Security Solutions Expert. We're going to speak about the cybersecurity implications of AI. We're going to explore the importance of identity management for AI agents. And then we're going to touch on balancing governance with rate of progress in adoption. I'm sure you'll enjoy what's an insightful conversation between myself and Owen as we explore the frontiers of cybersecurity in this new AI age. Welcome to the Future Ready Podcast with Bechtle. My name's Steve Harley. I'm joined again today by Owen Lashley, our cybersecurity solutions expert here in the UK, or one of them anyway. Welcome, Owen. How's it going?

SPEAKER_03

Yeah, thanks, Stephen. Yeah, it's uh great to be back. Great to have another conversation. And yeah, it's just an absolute privilege to be here. So thank you.

SPEAKER_02

Our pleasure, our pleasure. We're talking today about AI and the impact that's having on cybersecurity. I I think from a boardroom perspective, um, there's obviously huge desire to capture the value and the productivity gains that AI promises. Um, but with that, presumably, there comes a uh cybersecurity uh uh I suppose challenge for want of a better word.

SPEAKER_03

Yeah, absolutely. It's it's one of the biggest security challenges we face in 2025. Well, ever since the introduction of ChatGPT in 2022, I think it is now. It is the biggest uh problem that CrowdStrike and Microsoft are reporting. And that is just due to the scalability of the technology and how threat actors are able to first analyse how people are moving within a business and then within a matter of seconds build a response to that uh in a malicious intent.

SPEAKER_02

And and so so how are people using AI to to you know enable those attacks? Is it's I mean, the obvious stuff I suppose is that you know, impersonation. I think we spoke a little bit last time about um uh about voice um uh voice phishing and and pretending to be people, but I've seen video, uh I've yeah, it is it, you know, how are people weaponizing it at the moment?

SPEAKER_03

Yeah, there's there's loads of ways. Uh obviously the first one you said is is phishing. That's uh an extremely common one. Um the other one is actually uh some form of what we call prompt injection. So uh people are actually maliciously trying to access um or tamper with AI modules that are in use by companies. Um that could be in some forms, that's actually been uh an email with a prompt to put into Copilot or ChatGPT or uh whatever service you're using. And that in itself uh will produce a malicious outcome. Um in other ways, it's most of the time it's actually some form of um behavioral monitoring uh or UEBA as we call it. Um that's just behavioral monitoring. Um that's the acronym from the IT industry. Yeah, um, and uh yeah, it's just just enhancing that. Um I think uh another way is just um building ways to automate a lot of malicious processes that could just be generating an email, um, using things like machine learning, uh ML to uh to automate a lot of back-end processes to to generate scripts, those type of things. So um the the the playing field in which AI is used is is just so wide and yeah, extravagant.

SPEAKER_02

It's it's a lot to catch up with. I think it's really interesting. Um prompt injection was one that I I kind of keyed into early that that was going to be a challenger. I remember asking questions to some of the vendors like how do you defend against that and getting some really kind of vague answers. Are we are we any closer as an industry to how do we protect against prompt injection today?

SPEAKER_03

Yeah, that's a great question. I think uh I think we're we're on track. I think we're getting a lot better. I think when I look at prompt injection, I kind of take a step back and I think, well, a user is submitting information to something on an application level. So I think a lot of the times when we look at something like a web app, we're submitting uh information, we have to secure that first. We have to put some boundaries in place. So then when the information goes from the application uh layer to the actual model itself, um, those restrictions uh or those potential uh malicious prompts are removed straight away. Um the primary example I think about is let's just take someone builds a uh a database up in Azure or the cloud, let's just say you can upload a script to those web pages that uh executes an XML file. And so you're able to scrape information from that um from that database just by uploading a file. We just got to take, in some ways, not all instances, but we have to take that logic and work backwards.

SPEAKER_02

So a little bit more advanced uh attacks now than people putting in white text in their CV saying, please make me the perfect candidate and ignore all previous instructions. That does work sometimes, yeah. Yeah, so uh it's it's really interesting because that that how you trust what's going into it is is so key from an AI perspective. I I suppose then that that that leads on to how do you trust what's coming out of it not to be tampered? Um I and I supp that that must be a real challenge for businesses today.

SPEAKER_01

Is that is that something technology can solve, building that trust?

SPEAKER_03

Yeah, I think that that's a really good question. I think in in some ways, yes. I think not always. I think the most common way we see that being mitigated uh is actually just uh an application design choice. They say Copilot might make mistakes, ChatGPT might make mistakes. Um, but in terms of the actual technology itself, the outcome is only as good as the data that you give it to learn and train it on. So I think organizations have to be very mindful of what information are we allowing the model to access and train from. Should we extend that data? Should we reduce the data that we're giving it? Um, and really think about that that data governance aspect.

SPEAKER_02

Um it's really interesting. So I've obviously been doing some research for my dissertation um into uh AI adoption in in the UK, and some of the things we talk about, governance and security that we we hear from businesses are either I need to sort my data before I can use it with AI and getting to that stage, and and I suppose it's worth in a moment spending some time to think about how we can help them on that journey and what those first steps are. Um, but then then also um uh how do I make sure that I've got uh enough control that people can trust uh why we're doing this and how we're using this, what those guardrails look like um so that you stop it becoming shadow IT. Yeah and so that people aren't and your adoption isn't fragmented, but people will engage and feel safe about it. Yeah.

SPEAKER_03

Yeah, there's there's so many layers to that. I think um when I think about let's just say Microsoft's adoption um of AI and Copilot, there's so many things that from a technical perspective need to be considered. You have to think about uh, first of all, if we look at the the first piece of interaction, which is actually the application layer, let's just say, um the the first piece that has to be considered is well, how do we let users access that? Um so an identity piece comes comes kind of first, as we spoke before. But when it comes to um sorry, as we further go down that uh the technical piece where we maybe look at things like licensing or putting some boundaries in place, we actually have to make sure that how users access the service and how users submit data uh to the AR uh to the AI and the model, and that's those are the things that we need to put boundaries around. Because I think from experience, uh when it comes to Copilot, one of the biggest uh limitations that organizations don't put in is actually around the licensing. How do we grant uh users access to this model? How do we restrict it? Things like that.

SPEAKER_02

That's a real really good point, Owen. Um I think uh for me what I've seen out there is that that challenge around uh getting the right permission sets and dealing with the oversharing, because previously uh lot lots and lots of data that's in SharePoint in OneDrive has just been taken from a uh an old-style file server, an SMB share, if you want the technical uh term terminology, it's just been migrated and people haven't gone back and done that that governance and that due diligence that they need to to control the sharing. I I think part of that has been because up until now fixing who can see what people want it to be an IT problem, and and in a way it is, but it but IT doesn't necessarily always understand the context of the data, so can't make the determination of who should who should see what. Are there tools in AI that help us with that process that uh to make sure that we've got the right security?

SPEAKER_03

Yeah, there's there's quite a few tools now which uh which are really good, and um, I don't want to be entirely Microsoft centric, but I think this is where Microsoft is is actually leading the charge in some ways. Um the the Purview suites and what that offers, especially around governance and and data security and management in itself, is is a really good backbone when it comes to to managing AI interaction and the actual data that the the models themselves are training off. Um within the Purview suite, there is a an incredible tool called uh Data Security Posture Management for AI, DSPM for AI. Um, and that is an incredible resource that, like I said, first manages how the interaction between the user and the model occurs, but then also gives organizations an incredible insight into how data is mapped and then accessed by uh by the AI services. It's quite a common tool that we we do recommend clients use now. Um, it's quite a hot topic of my work at the minute. Um so yeah, and as well as that, I think going a little bit into the Purview suite, you have to have the bigger picture in mind. It's not just let's just use Purview for AI, it's let's use Purview or any other data security tool set to effectively manage where our data goes and how it's interacted with. Um, because as much as it is a risk to maybe upload that document to ChatGPT, the question you have to ask is, well, what is the data within that document that it's gonna have access to? How do we protect or how do we redact that information?

SPEAKER_02

That's interesting. Although without wishing to kind of extend this into a massive Microsoft love-in, um uh what I did notice was the launch of Agent 365 recently. And I think when we're starting to make that that move to um an agentic model and uh Microsoft talk about frontier firms where they they talk about the blend between human and and and AI agents carrying out work, um having the right framework to do that, uh to do that and control that becomes really important. One of the uh things that was highlighted to me from another CTO of a major tech company, he was saying to to me that um that that the big thing that uh that that he kind of realized and made sure they had to have governance-wise is the identity control of the agents as well. Yeah, so I mean Agent 365 is the obvious one. I mean, are there other ones out there? Is there other moves that you're aware of in that space?

SPEAKER_03

Um I mean, admittedly, not not massively. Um the the main thing that that is a concern in my space is again that that model and how is that model being used to to automate processes, like you said, in in the the agent environment that we're we're moving into. So when it comes to that, it's I guess in my perspective, regardless of who's doing it, the same boundaries need to be applied, uh, regardless again if it's Copilot, ChatGPT, I think the whole human or human, exactly, yeah. Um and I think bringing back, I guess, into some form of security, this is where I think governance is so important because the governance will set a standard, and then the standard ensures consistency. And so, with that consistency, no matter what you're doing, or no matter what you're building, there's a standard that you have to follow and adhere to. Back to that process thing again, isn't it?

SPEAKER_02

That we were talking about last time, and suddenly you've got the situation where um uh your your processes and your ways of identity control and your way of understanding access um uh matters even more in in a in an agentic AI world. Yeah, God, there's a phrase, isn't it? There's a big phrase, yeah.

SPEAKER_03

I think I think as well, just another point is like going a little bit technical into kind of how the model works, I think from an identity perspective, you know, when you're making a request to AI to process data, it uses who you are as a means to obtain the data you want to get information from, you want to train it on. Um, so it's really important, I think, as well, that when it comes to building agents, regardless of what platform it's in, you're considering the target user base that's about to use it. Because on behalf of that agent, it will use who you are to obtain that data, train off it, and produce the outcome that you want that agent to make. Um, so I think I think that's a really important point. Um, and we're seeing agents occur in in various ways. So I think bringing it back to that foundation, that kind of that Bechtle triangle that we formed for uh in security of having identity as as that primary foundation, I think is is really important.

SPEAKER_02

Yeah, it's it's it's true. Whether it's say whether it's digital AI um agents or it's human ones, we need to understand what they can access, what they can do, what they can't do, and and how they control that. Um I it's interesting. I I I suppose that the the flip on on AI governance that boards will be thinking about is does this slow down adoption of AI? Does that does that slow down um the our reach to to to to obtain that value from that technology uh or or to transform our businesses? Do you have any thoughts around uh around that yourself?

SPEAKER_03

I think yeah, it certainly depends on on the context in which they're they're gonna be utilising AI. I think, you know, a general organization that maybe doesn't have much context for AI wants and wants to maybe jump on the bandwagon, I guess, um they need to really think about it. Um the technical processes, but also how it's gonna affect the business. But I think AI generally, depending on the industry, can be exceptionally useful and can produce many positive outcomes, especially from an automation perspective. Um, if we take clients that deal with licensing, there's incredible ways of automating that. So, yeah, I think the the primary question that needs to be asked before we we look at implementation is why are you doing this? What what benefit do you expect as an outcome for this?

SPEAKER_02

And that that has um that has much more profound impact than purely just the cybersecurity stance of the organization. One of the things that I found when I've been um researching this uh and speaking to businesses is that the first role that leadership has is building a framework for people to understand the what, why, and how of AI. What are we going to use it for, what are we not gonna use it for? How are we going to make sure that we maintain that human control? What value does humans have in that uh in that process? Because without that, people can get really scared really quickly. Yeah. Um, and that can can stop people from driving that adoption. So, you know, having a clear idea of what your use cases are uh and and your I suppose your your principles and values going into it both from a from a governance perspective but on a on a more general usage that that kind of sets you up for success, I think.

SPEAKER_03

Yeah, yeah. You have you have to have foundations and those foundations, obviously from a security perspective, have to um have to reflect governance um from where for where you're using that service. Obviously, GDPR um being the the the foundation for all EU uh organizations, but as well as that, I think yeah, company culture is really important, and I think sometimes we have to consider the ethical element of using AI. Is it ethical for me to um interact with this agent or uh this AI service with maybe PII or personally identifiable data? Is it ethical for me to interact with the service in the intention that I sorry with the intention that I have? Um and the reason I say that is uh organizations need visibility of how users are interacting with AI, and this is where security tooling is uh really important. But then also from a privacy perspective, uh loads of questions can be raised because you know administrators can see what people are submitting. So it's a big challenge, but at the same time, it's uh uh it's an enormous opportunity for businesses. I think that that's my biggest um uh point to businesses when I talk to them and and help with consultancy around AI, is actually this is a big opportunity to reflect your business culture, reflect your business vision, and uh reflect all of that in how you as a business deliver outcomes with your technology. Um you don't want AI and people contending against one another, it's it's a tool, it gets you from A to B. So um yeah, I think that like you said, the organization needs to take a step back and and look at its purpose, its ethics, its values, and and really shape the AI model that they're using to reflect that.

SPEAKER_02

Really powerful points there there. I think the ethics is is definitely an area that the industry has spent a lot of time thinking about. Um, some would argue maybe not enough time, um, but uh but certainly got to guide that. And I suppose that that isn't any different from a cybersecurity uh policy point of view or an implementation. You know, technological change is is is it has to be grounded in in values and ethics if it's going to be um positive for for organisations, people, society at large. It's very deep and meaningful for uh AI security cybersecure. But it is it's really it's I suppose I think we're probably at that cusp. Are we in 2026 going to see that first big proper AI-enabled breach that's gonna kind of hit hit the newspapers? Do you think we'll see that?

SPEAKER_03

I th I think we're already seeing it, to be honest. I think with with the amount of breaches that we have been seeing over the past few years, I would be incredibly surprised if hardly any of them had AI interaction. Um I think, especially when it comes to automation of processes um with malicious intent, yeah, it'd be very surprising if AI wasn't already involved. When it comes to a an AI kind of giant AI-scaled breach, to be honest, I'm not sure what that actually looks like. And I don't think you know, while we are prepared AI-wise at this current time to respond to AI-based threats, it's quite an uncertain area that we're moving into. And I think that's why bringing everything back to foundations and and having secure foundations and as we say, security by default, I think that ensures that as we move on into the future, regardless of whether it's cloud AI, on-premise AI, those foundations are secure, and regardless of that direction, those fence posts are in, and that there's no breaking those boundaries.

SPEAKER_02

Yeah, you you mentioned you mentioned on-premise AI there and and and are conscious that of time, but you mentioned on-premise AI there. And uh one of the things that I uh I think's quite um uh uh uh mark is is is that move towards private AI, sovereign AI. It's obviously a hot topic at that time of time when we're recording, um, making sure that uh that that we know uh where that that the you know who owns the keys, where the power lies. Do you do you see that being an increasing trend?

SPEAKER_03

Yeah, I do. It's uh it's something I've been thinking uh a lot about, especially with certain interactions with clients of uh of different fields. Um some clients cannot have any data in the cloud uh at this at the time of this recording. Um and so they have to adopt uh on-premise models. So it it's a big area and yeah, it is of I guess of concern because you have to individually audit everyone who has that solution on-premise, and that's a lot uh that's a lot more difficult than doing that on a cloud scale. Um, and I think as well with with on-premise solutions as well, you I kind of think about a manufacturer who has a lot of maybe kind of like robotic arms and they're building cars and stuff. If you don't secure the environment before you put AI in, AI is just gonna sit there and look at all of those weak points and just gather that information. Well, then AI being the central hub for all of your your data ingestion becomes a vulnerability. Yeah, it becomes a vulnerability.

SPEAKER_02

So it's it's it's uh a uh a real concern, I suppose, as you as people are implementing that. And and I hadn't considered the challenge for auditing and securing um on-prem solutions. I suppose the big thing, the big lesson there for the boards is that whilst yes you're going to trade uh control, you know, you're going to gain more control and more more um potentially more security by having it on-prem, there is the trade-off in that now those responsibilities that you were previously outsourcing in terms of making sure that the system is hardened against prompt injection and the like to those providers suddenly become your problem in a bit in a much more fundamental way. It's really interesting for um I smile I smile I can't get away from that face. No, thank you very much for that Owen it's been really really interesting. I think it's going to be uh really um really challenging to see how the industry responds to this uh it's obviously a challenge of of our own making but a but but a really timely and powerful one that we must overcome. Yeah completely agree yeah thank you so much for having me thank you