Picking Pennies and Three Other Mistakes in Thinking About Cybersecurity in the Age of AI

For more than a century,¹ artificial intelligence (AI) has been a specter in the pop culture zeitgeist.  Stories about creations overthrowing their creators have instilled in us a fear that we may be getting too advanced: We may be putting in motion a creation that will soon refuse to be controlled.  We may be—right now—creating our very undoing.

Bret Arsenault,² Microsoft’s Chief Information Security Officer, doesn’t disagree.

In an era where the speed, scale, and sophistication of cybersecurity attacks aided by AI have changed the landscape of what it means to build a good defense, Bret points to several causes for alarm:

  • Automation and evolving tools have made it easier than ever to crack passwords and other authentication. He and his team oversee and respond to more than 12,000 password attacks per second.
  • Attacks are increasingly global endeavors. He and his team monitor and track 300 nation-state actors around the world. Some attacks are straightforward, but it’s the people who are patient and work low and slow, under the radar, who frighten him the most.
  • Cybercrime has become a thriving economy recently surpassing the global illicit drug trade.³ Attacks that used to take training and expertise to execute now require only the ability to write a check.

But through the darkness, there is light.

As long as there have been innovations, there have been advances in crime.  A unified mail system?  Mail fraud.  Telephony? Telephone fraud.  Financial services?  Financial fraud.  Internet?  Cyber fraud.  Bret contends that this is simply a new form of the same fight and sees his role as helping people and companies to protect themselves.  In his talk at Microsoft Ignite,4 Bret laid out four common pitfalls that you want to avoid in your cybersecurity journey:

1. Picking up pennies in front of a steamroller

The biggest mistake a company can make with cybersecurity in the age of AI is to say, “We don’t understand it, and we don’t want to do it.”  As platforms shift there are risks, but there are even greater opportunities.  The recent progression to cloud-based computing has led developers to code faster and more efficiently using new tools like open-source coding.  The use of distributed cloud computing has opened up avenues to scale that were previously unheard-of, enabling the Microsoft team to process more than 65 trillion security events per day.

2. Failing to update your company’s secure development lifecycle

Every new product produced by Microsoft or anyone else should be secure by design, secure by default, and secure by deployment.  Make it easy for users to make the right choice! Microsoft’s shift to make multifactor identification (MFA) an opt-out for users, rather than an opt-in, resulted in unprecedented levels of compliance.

3. Throwing out tried and true cyber security practices

Many of the methods we’ve used to secure our companies are still invaluable.  The big three are having a strong ID, ensuring good device health, and enabling pervasive telemetry.  I’ll expand a bit on strong ID below but suffice it to say that you want to be sure a user is authenticated and that they are who they say they are.  It may seem like common sense, but older technology is easier to break into if for no other reason than the fact that bad actors have had more time to practice.  Keeping devices up to date with the latest updates and security patches is key to supporting a strong cyber defense.  And, finally, you won’t be able to stop an attack if you don’t know it’s happening.  Pervasive telemetry—that is, continuous monitoring of the environment, collecting data, and reporting it for analysis—is a must.  Collecting and monitoring usage data can help thwart an attack that comes from an unexpected part of the globe or otherwise violates expected user behavior.

4. Neglecting identity security enhancements

MFA remains a cornerstone of cybersecurity policies; 80% of cyberattacks can be thwarted by instituting MFA.  The guidance now is to expand on that by not only instituting MFA for all users, but encouraging companies to invest in phishing-resistant MFA5 and token binding,6 a protocol that ensures a security token is usable only from the intended device.

It used to be that the mere mention of MFA would trigger a collective groan in an organization.  Anyone who’s spent a significant amount of time online can tell you how they’ve seen passwords evolve from short and simple to increasingly long and complex with a variety of letters, numbers, and symbols.  It doesn’t have to be this way. Identification via biometric markers such as fingerprint or face recognition may well mean that the password era is coming to a close.  After all, Microsoft’s employees haven’t used passwords in years.

Avoiding these four pitfalls may seem easier said than done.  Where does a small company even start?  Cloudforce has become a leading Microsoft partner helping institute cybersecurity policies, practices, and cutting-edge tools for our clients in every industry.  If you’d like to hear more about how to work with our team to discuss your organization’s cybersecurity posture, let’s connect!



[1] The Czech Play That Gave Us the Word ‘Robot’ | The MIT Press Reader

[2] Bret Arsenault (microsoft.com)

[3] Cybercrime surpasses illegal drug trade and we still don’t think it’s a big deal (updated) | CSO Online

[4] How we secure the Microsoft estate

[5] Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles | Microsoft Learn

[6] Token protection in Microsoft Entra Conditional Access | Microsoft Learn


Katie Bates

Katie grew up in Alabama, where sweet tea flows freely and seasons are marked by their proximity to college football (Roll Tide). After graduating from a small liberal arts college, she moved to Washington, DC and balanced her life between restaurant management, freelance cocktail consulting, and finishing her Ph.D. at American University’s Behavior, Cognition, and Neuroscience program.  Central to her success in each of these arenas was (a) an ability to proactively prioritize and organize complex projects with many moving parts, (b) a detail-oriented focus on keeping everything on track, and (c) a commitment to seeing each project through to completion.  Katie has now brought these skills to Cloudforce as a Project Manager, where she works with clients to ensure that their needs are addressed on time and under budget, and with a result that exceeds expectations.  

Recommended for you.