A new year brings with it new changes to the cybersecurity landscape – and a reminder that readiness isn’t a destination but a journey.
During the recent 2026 Property Records Industry Association (PRIA) Winter Symposium in Virginia Beach, Va., attendees received a comprehensive update in the “State of Cybersecurity” session, including a cautionary tale of how cyber attacks can impact public records and other vital infrastructure.
AI and cybersecurity
Mark Eggleston, chief information security officer with CSC, detailed the role artificial intelligence (AI) continues to play in the cybersecurity threat landscape.
According to the World Economic Forum, AI ranks among the top cybersecurity threat due to the way it’s evolving threat vectors like phishing emails, Eggleston explained.
“AI is really interesting because it can be used for good or it can be used for bad,” he said. “Remember when phishing emails from the Nigerian prince used to have grammatical mistakes? No longer. AI is making (phishing) much, much more believable, and it also does something called permutations, which makes (each email) a little bit different for every email recipient. So it becomes much harder to track, much harder to detect.”
Similarly, ransomware, along with adjacent schemes like extortionware, remains a leading concern among C-suite executives and cybersecurity experts, Eggleston added. He explained that rigorous training can go a long way to reducing the risk of ransomware, as such schemes tend to target the weakest link in any cybersecurity strategy: the human element.
“The most common link in all these data breaches, go figure, is the human element. But I would say I look at people as our greatest opportunity, not the weakest link,” Eggleston said. “I think people want to do the right thing. If your CISO is making it easy for people to do the right thing, if ’they’re making it intuitive, you have a much more resilient, much more secure company.”
Beyond simply making phishing emails more convincing, Eggleston noted that AI is also making cyber intrusions more efficient overall. However, the double-edged sword of AI also means defenders working for CSC and beyond also have more advanced tools at their disposal.
“About four or five years ago, the average dwell time – that is how long it took between someone breaching your company and them being detected – used to be six months,” Eggleston said. “In the last year or two, it’s shrunk down to less than three days, and it’s going to continue to get faster and faster because of AI.
“They’re getting in faster. They’re using AI to advance their threats. But the good news is we’re using AI to protect against those threats as well,” he added. “We have lots of engineers who also continue to do things called threat hunting, so they’re trying to be proactive and find threats before those threats are actualized. It’s a fascinating discipline. And, of course, last but not least, we have vulnerability management groups that are working to make sure they stay ahead of vulnerabilities – not just patches, but misconfigurations.”
Building effective cybersecurity program
When building an effective cybersecurity program, Eggleston explained that it’s crucial to look at the three key areas of administrative controls, technical controls and physical controls. On the administrative front, the simple discipline of diligently controlling who has access to critical system is among the most impactful, he said.
Eggleston went on to highlight the importance of technical controls like secure email gateways, physically segregated accounts for storing data backups and multi-factor authentication (MFA).
“You could have your password compromised and guessed, but if your MFA is resilient and robust, (threat actors are) not going to be able to get through to authenticate,” he said.
Last but not least, Eggleston tackled the question of how organizations can ensure that their people are on board with a comprehensive cybersecurity strategy. As he puts it, there’s no replacement for training, awareness and staff buy-in.
“People really, really appreciate when we make an investment in them instead of blaming them,” Eggleston said. “That being said, I’ve also worked with places where you have internet restrictions, so if people do continue failing phish tests, then you can reduce their Internet privileges to just business-appropriate sites. Again, not a very popular program, but it certainly helps reduce your risk dramatically.”