July 18, 2024
Cyberattacks have been rising, and growing more sophisticated, for years. Adding AI to the mix is, experts say, like adding fuel to the proverbial fire. Not only does AI make technically adept criminals even more effective by upping the sophistication factor and facilitating attacks at scale, but it lowers the bar so much that even those with relatively little technical know-how can join the fray. That said, AI-driven cyber defenses can help thwart those attacks. And, of course, AI can also enhance productivity—if it’s deployed cautiously and correctly. The key is having the right policies in place. We took a deeper dive on the subject with Mindsight’s cybersecurity leader Mishaal Khan.
AI cyber threats
AI is unbound in terms of how it processes data, where it stores that data, and who it shares that data with. As a result, privacy is a huge concern. Take, for example, end-user products like ChatGPT, which have been introduced to people without a lot of boundaries. As a result, people are inputting personal info, like company data, intellectual property, things that are protected by copyright, and they’re supplying it to a third party, which is ingesting it, and storing it, and re-adjusting their own algorithms to produce output based on your public input. Consequently, they can now use sensitive data to improve their product—at your expense. If they get breached, your sensitive data has now also been breached because you supplied it to a third party. That’s why other similar solutions are now emerging, like Microsoft’s Copilot, which claims to store data locally and doesn’t share it. That’s the hope, anyway.
I had a recent panel conversation with three people who were very pro-AI and talked about how it can help the manufacturing industry. I was the hacker/party pooper telling them how hackers are also using AI to be more productive. It’s a double-edged sword: Hackers will use AI to improve their social engineering, and to breach the systems that you’re giving sensitive data to. So be careful what you feed it.
The Importance of AI Policies
You can’t stop the use of AI everywhere, because it’s integrated or will soon be integrated into so many products, so it’s not practical to tell your employees, “Stop using AI-based products.” Instead, your policies should be more about awareness. Sure, you can use AI, but also be aware of the following facts:
- First and foremost, don’t give it sensitive data. And anonymize anything with personally identifiable information. For example, if I want to input a prompt that contains my name or my company’s name, first remove those names and replace them with generic ones.
- Don’t take anything for granted as a fact. Whatever AI gives you is not a fact. It’s not even an opinion. It’s a glorified algorithm that’s taking in certain inputs, and we don’t know exactly how it gives you the outputs. As a result, AI is frequently inaccurate, so don’t use it for factual things. Use it more for language manipulation, because that’s what it’s good at. It’s good at talking back like a human. Use it for text-based commands and interaction where facts are not important.
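The name-replacement step from the first bullet can be automated before a prompt leaves the organization. The sketch below is an added example, not code from Mindsight or the interview: the `PromptScrubber` class, its term list and the sample prompt are assumptions constructed for illustration, and it only catches terms you list plus e-mail addresses.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class PromptScrubber:
    """Swap listed sensitive terms for stable generic placeholders, and back."""

    def __init__(self, sensitive_terms):
        # sensitive_terms (hypothetical format): {"PERSON": [...], "COMPANY": [...]}
        terms = [(t, label) for label, ts in sensitive_terms.items() for t in ts]
        if not terms:
            raise ValueError("at least one sensitive term is required")
        # Longest first, so a full name wins over a first name it contains.
        terms.sort(key=lambda pair: len(pair[0]), reverse=True)
        self.labels = {t.lower(): label for t, label in terms}
        alternation = "|".join(re.escape(t) for t, _ in terms)
        self.term_re = re.compile(rf"(?<!\w)(?:{alternation})(?!\w)", re.IGNORECASE)
        self.forward, self.reverse, self.counters = {}, {}, {}

    def _placeholder(self, original, label):
        key = original.lower()
        if key not in self.forward:
            n = self.counters[label] = self.counters.get(label, 0) + 1
            self.forward[key] = f"[{label}_{n}]"
            self.reverse[self.forward[key]] = original
        return self.forward[key]

    def scrub(self, prompt):
        # E-mail addresses first: they often embed the names being hidden.
        prompt = EMAIL_RE.sub(lambda m: self._placeholder(m.group(), "EMAIL"), prompt)
        return self.term_re.sub(
            lambda m: self._placeholder(m.group(), self.labels[m.group().lower()]),
            prompt)

    def restore(self, text):
        # Put the real values back into the AI's answer, locally.
        for placeholder, original in self.reverse.items():
            text = text.replace(placeholder, original)
        return text

def demo():
    # Constructed sample data, not real people or companies.
    scrubber = PromptScrubber({"PERSON": ["Jane Example"], "COMPANY": ["Acme Widgets"]})
    prompt = ("Draft a note from Jane Example at Acme Widgets. "
              "Reply to jane@acme-widgets.example. Acme Widgets thanks you.")
    sent = scrubber.scrub(prompt)
    return prompt, sent, scrubber.restore(sent)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The same term always maps to the same placeholder, so the AI's answer still reads coherently and `restore` can reinsert the real names without the third party ever seeing them.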
Who should be involved in AI policy creation?
It should be people who are responsible for data protection. That means primarily the CIO and possibly the CTO, in collaboration with the CISO, to make sure that data isn’t being leaked to third parties (including vendors). Regulations are now being instituted in Europe and other places, and soon in America, around what information you can and can’t give to AI systems. So it’s important to make sure you’re not breaking any laws by reviewing the most current restrictions on a regular basis—at least quarterly, but probably more frequently given the rapid rate at which AI and AI policies are changing.
Once your policies around AI are set, institute awareness education. But keep it general. Talk about privacy, trust and boundaries so people in your organization are aware of AI’s potential flaws—and its vulnerability to exploitation. An example of the latter is called “prompt injection,” where people fool AI systems with smart prompts to get some sort of benefit. Like the guy who recently manipulated a chatbot to get a massive discount on his airline ticket. If you’re in the industry of utilizing AI for your benefit, for productivity, know that somebody’s out there who’s going to break that AI with prompt injection, which in turn negatively impacts your productivity and reputation.
What it comes down to is this: AI is a powerful tool and it’s here to stay. But AI isn’t going to change things instantly. If your business has been running fine without it, let it run and introduce AI gradually. Despite what you might hear, it’s not a race.
About The Expert
Mishaal Khan is a subject matter expert in cybersecurity, pentesting, privacy, Open-Source Intelligence, and social engineering. He is a frequent speaker on these topics at universities and popular cybersecurity conferences like DEFCON, Wild West Hacking Fest, and multiple BSides events. Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive-level consultancy to manage risk and avoid breaches. He’s an author, holds a CCIE and CEH, and runs the cybersecurity practice at Mindsight as a vCISO.