Last December, IBM Distinguished Engineer Jeff Crume, known affectionately on YouTube as "The Security Guy," shared his predictions for cybersecurity trends in 2024. So how are they holding up? We checked in with Crume to revisit his forecasts and chat about the ways AI is helping—and in some cases hurting—the cybersecurity landscape.
Crume: Yes, I have seen more and more sites offering passkeys as an alternative. The ramp-up has been slow, but it is continuing. I think the main barrier to adoption is a lack of understanding, both by users and by the IT community. Users don’t understand the difference between a passkey and a password. Many IT pros are still operating under the old information that passkeys require a special hardware token when, in fact, a mobile phone, tablet or laptop will do in most cases.
I’m still a fan of the technology because passwords are pretty awful, and we keep seeing them being stolen. With passkeys, there is no password—and you can’t steal something that doesn’t exist.
(Watch on YouTube: Jeff Crume on passwordless authentication)
Crume: The shocking story of the deepfaked CFO on a video call that convinced an employee to wire USD 25 million to an attacker is probably the most well-known. I think we will start seeing them on a more personal level, with deepfakes imitating friends and family members to get money from well-meaning relatives. These are sometimes called “grandparent scams,” and I’ve heard anecdotal stories from people who have relatives who were fooled by these. As deepfakes become easier to create, we should expect to see them more often.
Crume: NPR recently did an investigative report where they found that one of these tools was essentially no better than flipping a coin to determine authenticity. In that sense, deepfakes have already surpassed at least some of the detectors, and I think it’s only a matter of time until others are defeated as well. All this means that we need a different approach.
(Watch on YouTube: Jeff Crume on deepfakes)
Crume: I think RAG can help. I also think an architecture that chains together multiple LLMs—either in sequence or in parallel—to come to a consensus result, rather than relying on a single AI model, could be helpful.
Crume: I think we are still in the early days of figuring out how AI can help cybersecurity. At the same time, we need to have all hands on deck to figure out how to protect the AI we have from attack while also not falling victim to AI-based attacks. That puts a lot on the plate.
I think that AI will help with case summarization, as well as predictive analytics. It can also help with parsing through commands embedded in log files to provide interpretive analysis, saving cybersecurity analysts valuable time. I expect we will find many more use cases, which is exciting to consider.
(Watch on YouTube: Jeff Crume on AI and cybersecurity)
Crume: There is no doubt that will continue. We have got to do a better job of authentication because attackers are finding it easier to log in than to hack in. AI-generated phishing attacks are surely awaiting us, and when they hit mass distribution, all that we’ve known about looking for bad grammar and spelling errors as a clue will go out the window.
(Watch on YouTube: Jeff Crume on humans vs. AI—who’s better at phishing?)
Crume: I think it will be a lot more of the same, but with greater intensity and frequency. When I get some time to catch a breath, I’ll dust off my crystal ball and come up with a video for next year. Stay tuned.
Want to hear more of Jeff’s cybersecurity insights? You can find all his videos on IBM Technology’s YouTube channel.