Even in the AI Era, Basic Cyber Hygiene Is Still Key

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

ORLANDO, Fla. — Even as AI is significantly changing the cybersecurity landscape, experts still recommend foundational, traditional cyber controls.In this week’s ISAC Annual Summit,* an ongoing conversation thread emerged about how cybersecurity defenders could fend off criminals. During panels and Q&A segments, attendees raised the same concern: What can we do to keep our systems safe?State, local, tribal and territorial (SLTT) cyber practitioners are looking for concrete ways to lock down systems as criminals armed with publicly available AI platforms move at faster speeds, attack at higher volumes and scan the Internet for clues to who is most vulnerable. Participants examined cybersecurity measures such as identity management and email security processes, and deepfakes and business email compromise.In Tuesday’s “Joint Threat Brief: Center for Internet Security and Center for Digital Government,” CIS analysts walked through current cybersecurity concerns ranging from international cyber threats to AI’s effects on cybersecurity. Randy Rose, vice president of security operations and intelligence at CIS, reminded those present to commit to basic cyber hygiene, pointing to CIS Critical Security Controls.“We have found that getting the basics right — when I say the basics, I don’t mean to imply that they’re easy or simple because they’re not,” Rose said. “But they’re the essential things that we have to get right from a layered defense model. They mitigate an incredible number of attacks, even the more advanced attacks that we see.”Inventory control is at the top of the CIS security controls list. No. 1 within that is hardware assets and No. 2 is software assets. The work isn’t exciting, panelists agreed, but it will address multiple issues including supply chain management and endpoint management. When IT shops know what is in their environment, not only does that mean more complete security but also a baseline from which to add more systems and software.Cyber attacks are getting faster, looking more realistic, and coming through unexpected channels, Minnesota Chief Information Security Officer (CISO) John Israel said during another session, “Securing the Frontlines: How Attackers Weaponize AI Against SLTT Governments.”Many cyber threats are identity related, the state CISO said, so a focus in his state is looking at those, asking questions and applying tools to strengthen identity and access. Requiring phishing-resistant multifactor authentication, additional validation, and having a human double check whether behavior is malicious or not are essential. His advice connected in multiple concerns including deepfake emails, voice calls and video calls.Israel alluded to past technological disruptions, highlighting opportunities and concerns therein.“Coming in from a government perspective and looking out at a room of IT and cyber professionals, it’s not like we’ve never addressed a new technology or new challenge … I see this as really no different,” he said, indicating that from a government perspective, there are a lot of opportunities here. “We’ve got to look at the risk [AI] brings into our partnerships, but also the opportunity we have to really enhance the way we’re building programs and meeting our residents … enhancing the ability to support them more intelligently, more actively, and in real time.”Concern is rising about deepfakes, which can impersonate an executive, vendor or someone else linked to the business. These frequently ask a government worker — for instance, a procurement officer — to transfer large sums of money as quickly as possible.Asking questions and slowing down before responding are helpful tools in avoiding these scams, Israel said, suggesting when there is doubt, employees should feel empowered to double check with the person in the “To:” line or to check in on the chain of command for authorizing payments.“We can lean heavily into … process, and at the state level, we’ve seen success because we’ve got so much process around releasing data, money and bank payments,” he said. “How do you educate people to really scrutinize something coming in, and if it’s really urgent? If it’s asking for something significant, like moving money or data really fast, you’ve got to take that offline.”The exploits haven’t changed, Hector “Sabu” Monsegur, black-hat hacker turned white-hat, told attendees — but the adversary has. Instead of a highly technical hacker who understands computing’s inner workings, the AI-enabled hacker is technically inexperienced, often a teenager, and is seeking easy targets, Monsegur said during the Tuesday keynote, “How to Work Better Together — Through Collaboration in Tech, Security and AI.”“We’re talking about … adversaries and bots and unsophisticated actors looking for low-hanging fruit,” Monsegur said. “So, if you at least cover the fundamentals … they’re probably going to pass you by.” He did note that if someone is looking for intellectual property, or to make political waves, they are more likely to work harder toward a breach.As to identity, Monsegur recommended that team members assess Active Directory environments, which can be done with freely available tools.“It’s going to take about an hour’s worth of work, so if you get paid $50 an hour, you just cost the company 50 bucks, but … you just saved millions of dollars in potential future damages,” he said. “From a national security level, each and every one of you in here, you play a role … in national security,” Monsegur said. “From the smallest of counties to the biggest of cities, all the way up to the federal government. This is why MS-ISAC and some organizations are very important. You have to keep these alive, make sure you get funding … because these organizations tend to help those smaller communities and counties that don’t have the resources to invest in cyber.”*The ISAC Annual Summit 2026 is an event produced in partnership between the Multi-State Information Sharing and Analysis Center and e.Republic, Government Technology’s parent company.