ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks

Getting the basics right, understanding the threat and putting in place multi-layered defenses are key to protecting organizations from AI-powered cyber threats, the UK's Information Commissioner’s Office (ICO) has said.

Alarmed by the uptick in AI-driven attacks, the data protection regulator today released a five-step guide, urging organizations to proactively prepare for emerging threats.

“By investing in cyber resilience and ensuring appropriate security measures are in place, you can build public trust and confidence in how your organization protects the personal data you hold,” said Ian Hulme, executive director of regulatory supervision at the ICO.

He pointed readers first to the National Cyber Security Centre’s updated Cyber Assessment Framework (CAF) to better understand how adversaries are using AI in attacks, or attacking corporate AI systems.

The specific threats outlined by the ICO should be familiar to cybersecurity professionals and include:

AI-enhanced phishing targeting colleagues, clients or suppliers
Deepfake-powered social engineering used on employees
Automated vulnerability scanning and exploitation
AI-powered malware which adapts in real time to evade detection
Credential stuffing and password attacks which target weak passwords
Data poisoning of AI models
Indirect prompt injection attacks

Getting the Cybersecurity Basics Right

The ICO said it expects organizations to have in place Cyber Essentials’ five controls and the UK’s Cyber Governance Code of Practice as a bare minimum.

But it added that extra layers of defense are “essential” and should include a “solid patching and updating process” to mitigate the machine-speed vulnerability research and exploit development that adversaries can now achieve.

“As part of vulnerability management, an organization should be considering the impact of an exposed vulnerability and prioritizing remediating action based on that assessment,” an ICO spokesperson clarified to Infosecurity.

“This includes reviewing other compensating controls if an update is not available, and the timing will depend on the risk assessment carried out. If a decision is taken to not take action but there is still risk exposure, then the rationale should be fully documented and agreed at senior levels.”

Extra layers of security cited in the blog include: multi-factor authentication (MFA) on all remote access, admin accounts and email; strong password policies; and auditing and enforcing of the principle of least privilege.

Organizations should understand the security/privacy implications of using AI tools for access controls, the ICO added.

Security teams must also include supply chain partners in these access policies and wider security vetting.

“The ICO would expect organizations to not rest on the achievement of a point-in-time assessment and instead adopt a dynamic threat-based approach to security,” the ICO spokesperson explained. “This will depend on the criticality of the supplier, the types of services it offers and the type of data they process on behalf of the organization it is supplying services to.”

The basics should also include a regularly tested incident response plan, and comprehensive security monitoring and vulnerability scanning – using AI tools to improve outcomes but ensuring there is human oversight, Hulme argued.

The Basics of Data Protection

Finally, Hulme urged organizations to meet their obligations under the GDPR by implementing “appropriate technical and organizational measures” to protect personal data.

This could include:

Data minimization and storage limitation
Regular data audits
Staff awareness training, including AI-powered social engineering
AI governance including safeguards and a data protection impact assessment (DPIA) for any AI tools that process high-risk personal data
Compliance with the government’s AI Cyber Security Code of Practice
Encryption and pseudonymization to reduce the impact of a breach

When asked how the ICO assesses whether enforcement action is necessary following a breach, it explained that the organization’s “attack surface, sector, and data held” are key factors.

“The [Cyber Essentials] controls will be considered when an organization is investigated but that does not necessarily mean that we would not take regulatory action,” the spokesperson explained. “A key consideration will be whether an organization has put in place appropriate technical controls commensurate to the level of risk that organization faces and whether it can demonstrate how cyber risk has been governed.”

ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks

Phil Muncaster

Getting the Cybersecurity Basics Right

The Basics of Data Protection

You may also like

#DPI19: Privacy Playbooks Can Help Navigate Data Protection Act Rules

#IRMS18 ICO Begins Countdown to GDPR Compliance with Reassurances

Interview: Jon Baines, Mishcon de Reya & Joe Hancock, MDR Cyber

Outgoing Information Commissioner Stresses Need for GDPR Compliance

ICO Releases New Data Protection Audit Framework

What’s Hot on Infosecurity Magazine?

Ransomware: Over Half of CISOs Would Consider Paying Ransom to Hackers

UK Cybersecurity Market Expands to £14.7bn with Strong Growth in AI Security Firms

Global Cyber Agencies Issue New SBOMs for AI Guidance to Tackle AI Supply Chain Risks

OpenAI Launches 'Daybreak' to Help Build Secure By Design Software

ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign

South Staffordshire Water Fined £1m After Data Breach

ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign

Hackers Observed Using AI to Develop Zero-Day for the First Time

OpenAI and Anthropic LLMs Used in Critical Infrastructure Cyber-Attack, Warns Dragos

Five Years Later: Lessons Learned From Colonial Pipeline Ransomware Attack

Open Source is the Tip of the Iceberg: Why Proprietary Software, Hardware and Protocols Face Greater AI-Driven Security Risk

Iran-Linked APT Posed as Chaos Ransomware Member in Espionage Campaign

Financial Services Under Pressure: Supply Chain Risk, Regulation and Operational Resilience

How To Enhance Security Operations with AI-Powered Defenses

Behind the Curtain of Microsoft 365 Cybersecurity: Lessons from Overlooked Resilience Gaps

Why Resilience‑Focused Cloud Design Is Your Best Defense Against Modern Attacks

How to Harness Advanced Intelligence Capabilities to Strengthen Cyber Defence

Risk-Based IT Compliance: The Case for Business-Driven Cyber Risk Quantification

Anthropic Rolls Out Claude Security for AI Vulnerability Scanning

Inside the Code War: Defending Against Nation-State Cyber Threats

Interview: How YKK Is Securing the World’s Largest Zipper Manufacturing Operation

CISA and Partners Publish Zero Trust Guidance For OT Security

Most Cybersecurity Professionals Feel Undervalued and Underpaid

Cyber Resilience Under Pressure: Can Your Organisation Prove Control When it Matters Most?

ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks

Written by

Getting the Cybersecurity Basics Right

The Basics of Data Protection

You may also like

What’s Hot on Infosecurity Magazine?