Don’t tell GenAI all your secrets: Leverage GenAI without compromising security
By Anurag Lal, CEO, NetSfere
Generative Artificial Intelligence (AI) became the latest phenomenon in November 2022 when the artificial intelligence lab OpenAI released a generative AI-powered chatbot called ChatGPT. According to a Reuters report, ChatGPT reached an estimated 100 million monthly active users just two months after launch.
Today, many enterprises are deploying the use of generative AI solutions like ChatGPT to automate responses to common questions, code a variety of apps, automate tasks such as writing emails and creating content, and more. A recent survey by VentureBeat revealed that more than half (54.6%) of organisations are experimenting with generative AI and 18.2% are already implementing it into their operations. This enterprise adoption of generative AI technology is fuelling an increase in the generative AI software market which S&P Global projects to reach $3.7 billion in 2023 and grow to $36 billion by 2028.
The use of generative AI technology holds a lot of promise for enterprises, but there are risks associated with integrating this technology into the enterprise stack. Organisations are concerned about shadow IT as different departments experiment and use it without the appropriate governance and control. There are also concerns over the potential of generative AI to displace or atrophy human intelligence, enable plagiarism, and fuel misinformation. Indeed, in November 2023, Rishi Sunak held the UK’s first AI safety summit at Bletchley Park which discussed some of these challenges and the need for government testing of AI models.
While the use of any new technology carries some degree of risk, to get the most out of generative AI with the least amount of risk, organisations must take a secure approach to its implementation.
As the rapid adoption of AI in the enterprise continues, questions surrounding the accuracy of the technology and concerns about cybersecurity, data privacy, and intellectual property risk are why organisations like Apple, Samsung, Verizon, and some Wall Street banks are limiting or banning employee use of generative AI technology like ChatGPT.
Cybercriminals are using AI
A Salesforce.com survey of more than 500 senior IT leaders reveals that 67% are prioritising generative AI technology for their organisations during the next 18 months, but 71% of those leaders believe this technology is likely to introduce new security risks to their data.
Cybercriminals are honing their skills in using this technology to bolster their cyberattacks. In a call with journalists reported by PC Magazine, the FBI discussed how generative AI programs are fuelling cybercrime, with cybercriminals tapping into open-source generative AI programs to deploy malware and ransomware code and execute sophisticated phishing attacks, and create AI hallucinations.
The ability of generative AI technology like ChatGPT to seamlessly generate phishing scams without spelling, grammatical, and verb tense mistakes is making it easier to dupe people into believing the legitimacy of the communication. A 2023 report by Perception Point found that advanced phishing attacks grew by 356% in 2022. The report noted that “malicious actors continue to gain widespread access to new tools and advances in AI and Machine Learning (ML) which simplify and automate the process of generating attacks.”
Exposing PII data
The growing popularity of generative AI is also raising data privacy concerns. Enterprises must be careful about what information they feed into generative AI tools to avoid exposing sensitive or personally identifiable information. Because generative AI tools can share user information with third parties as well as use this information to train data models, this technology has the potential to violate privacy laws.
According to news reports, the US Federal Trade Commission (FTC) launched an investigation into ChatGPT’s creator OpenAI, focusing on its handling of personal data, its potential to give users inaccurate information, and its “risks of harm to consumers, including reputational harm.”
Intellectual property infringement
Information entered into a generative AI tool may become part of its training set, which can put users of the tool at risk of intellectual property (IP) infringement. Gartner highlights that tools like ChatGPT, which are trained on a large amount of internet data, likely include copyrighted material. The analyst firm warned that its outputs have the potential to violate copyright or IP protections.
There is no question that generative AI holds a lot of promise for enterprises, but to reap these benefits safely and securely, organisations must take steps to minimise the risks.
Mitigating the risk of generative AI in the enterprise
IT leaders must examine this technology to understand how accurate and useful generative AI is to their enterprise. A lack of transparency about what is happening on the back end of this new technology can make it difficult to determine if it is really useful for the organisation and establish its best use cases.
When using any external tool, it is important to review each solution provider’s terms of service, and data protection and security policies. It is also important to conduct due diligence to determine whether the tool uses encryption, whether data is anonymised, and whether the tool complies with regulations such as the EU’s GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) and numerous other privacy regulations.
Organisations should develop and implement policies governing the use of AI in the workplace. The policy should not only spell out which tools employees are permitted to use but also what information employees are allowed to feed into them.
Enterprises should also equip their IT teams with tools that can identify what is generated by an AI like ChatGPT versus what is human-generated, especially as this relates to incoming “cold” emails. To further mitigate organisational risk, enterprises should make it a priority to routinely train and re-train employees on the latest cybersecurity threats associated with generative AI, with specific emphasis on AI-generated phishing scams. This training should also include cyber risk prevention measures as well as guidance on appropriate uses of AI in the workplace.
Using AI for competitive advantage
AI offers exciting opportunities for organisations but, as with any new technology, there are uncertainties and risks. By understanding these risks and taking steps to mitigate them, enterprises can more safely and securely deploy this technology to gain a competitive edge.