Why 'neurosecurity' says human brains are the next frontier for AI cyber threats

A recent surge in AI-powered social engineering attacks has business leaders concerned. Most organizations already struggled to keep pace with the speedy evolution of modern, sophisticated threats in a pre-AI world. For many, that task feels nearly impossible today. But the solution to this challenge may be closer than they think. With neurosecurity to explain why more threat actors are launching targeted attacks against the human brain, some experts believe corporate security training may be to blame.

We spoke with Roman Kruglov, an Information Security Architect at the New York health insurance company CDPHP. With over two decades of information security and technology experience, Kruglov built his career protecting critical assets, closing security gaps, and leading teams toward cyber resilience. And yet, he said, recent breaches in the news are unlike any he's seen before.

• New spin, old threat: Social engineering attacks aren't new, but they are quickly becoming more advanced. With AI to simulate human voices, for instance, modern threat actors are swapping out phishing emails for vishing attacks to impersonate people over the phone. "The vulnerability here is exploited through simple human interaction. Most of the biggest breaches today are so successful because the human firewall has been rendered obsolete."

• Brain security: AI-powered vishing attacks are effective because they exploit human psychology, Kruglov explained. He described a concept called "neurosecurity", where attackers intentionally target the human brain, exploiting vulnerabilities like cognitive biases and rising burnout to manipulate employees. "If somebody important calls with something urgent, most people are going to say yes automatically, but especially when they're already overburdened with too many things."

The result is a reality for which most organizations are dramatically unprepared. Today, Kruglov said, even the best technical defenses can't prevent employees from being tricked into resetting passwords over the phone. Meanwhile, attackers are innovating at a breakneck pace, creating a dangerous asymmetry. Worse, many organizations are being outmaneuvered while still failing to implement the most fundamental security controls.

• Missing the basics: "A lot of companies don't even have the basics in place," Kruglov said. "They don't have a process for verifying an employee who calls in to reset a password. That's a basic." As an example, Kruglov pointed to banking institutions. "The next time you log into your own bank account, check to see if it uses proper MFA. Most don't. Most make it optional."

• The training gap: From Kruglov's view, the gap in human readiness stems from a systemic flaw in corporate training. Even as threats become increasingly dynamic and personal, security awareness remains static. "Most companies have a budget for new tools, but few add a line item for training. Sure, everyone does it once a year when HR sends out an email. You click through a few slides that say 'don't open links,' and that's it. That's your training. That mindset needs to change."

For Kruglov, the solution is relatively straightforward: leaders must learn how to shift conversations in the boardroom from technical jargon and security risk into real business impact. "Start by aligning security initiatives to core business objectives and defining the organization's tolerance for risk. Ultimately, the end goal is to frame security as the primary mechanism for protecting the enterprise's most valuable and intangible asset: trust." Only then, Kruglov said, are honest conversations about protecting the organization truly possible.

• Trust as the new currency: Integrating AI literacy effectively will require many leaders to fundamentally reframe their approach to cybersecurity. "To do business right now in the digital world is to be able to trust somebody. Lose the trust once or twice, and people will go elsewhere. Lose trust, and you lose the business." Now, Kruglov said, the goal is shifting focus from pure technical defense to the preservation of trust. "Tools can provide some protection, and insurance can help cover the monetary damage of an incident. But they won't cover the reputational damage, the lost trust. You can't restore trust."

In a final word of advice, Kruglov spoke to employees directly. "If something feels off... hang up the phone and call your boss back to verify. Initiating the call yourself is the only way to be sure the person answering is who they claim to be. It all comes down to basic common sense. There's no tool or AI defense to replace it."