Do AI Tools Pose a Security Risk to Businesses?

With the increasing prevalence of AI (artificial intelligence)  tools for businesses, many have taken this opportunity to access such tools in order to complete tasks more efficiently. Tasks that may have typically been draining resources and time, can now be completed at the click of a button. These tasks include managing customer interactions, writing ad copy, creating business reports and automating administrative tasks. AI tools, such as ChatGPT and Bard, take having information at the tip of your fingertips to a new extreme, whereby tasks can be completed and multiple resources studied, at an impossible rate for humans.

Now, while this all sounds great and provides businesses the ability to scale and grow without the need to hire new starters and expand the skills of their existing teams, what exactly are the risks? As cyber security experts, we wanted to highlight the security risks that artificial intelligence may pose so you can implement the necessary steps in your organisation. We’ll be looking at how to securely use AI tools for the safety and protection of your business, the potential vulnerabilities within the design and how threat actors can use them against you.

 

How do AI tools work?

To fully understand the security implications of AI tools, we think it’s important first to do a quick refresh on how they actually work. Artificial intelligence works by processing large datasets against a set of instructions or algorithms, analysing and searching for common behaviours and patterns to respond to the request.

With AI constantly learning, the tool will be using the data you enter to improve its future responses. This is an important aspect employees need to consider because if any sensitive information (such as client/customer information, internal company documentation or login information) is entered into the tool, it may be used to respond to someone outside of the organisation.

Another aspect to consider is that, in many cases, tools use a vast data pool from online sources. This means that the response could easily include misinformation or a biased viewpoint. It is critical that you and your employees take the time to check references and analyse responses rather than taking it at face value.

 

Are AI tools vulnerable to cyber attacks and data breaches?

In early 2023, ChatGPT saw a percentage of users’ conversation history being visible to other users. While the CEO, Sam Altman, reassured users that this was due to a bug that was later fixed, it’s important to remind users of generative AI tools, like ChatGPT, that they’re still within the very early stages of development and use by the public. This risk must be considered by cyber security teams as these vulnerabilities will need to be monitored. 

Bearing this in mind, this is another reason why being cautious about what data you feed into these tools as it will protect you and your company from potentially having sensitive and protected information being leaked.

 

Artificial intelligence being used against businesses

While the everyday user or business may wish to use AI tools to complete simple and harmless tasks, others may be abusing the power of these generative tools. In fact, such tools, including those that can manipulate sounds and voices, can be used to generate more complex phishing and social engineering attacks, thus making them increasingly harder to identify from genuine emails, phone calls, and social media messages. Such use of AI can be incredibly misleading and result in reputational damage, business losses and security breaches.

Now, anyone can use voice footage of recognisable personnel to generate AI audio that can trick listeners into believing that the person actually said those words. With the ease of use and accessibility of such generative AI tools, it is also likely that we will see an increase in the number of less-sophisticated cyber criminals. They will use these tools to do half the job for them, giving them the ability to conduct attacks that before they’d not have the skillset to carry out.

Another nefarious use of these tools is the ability to use them to write malicious code. The University of Sheffield released a study in October 2023, with multiple examples on how this can occur. The research emphasised how these tools can be used to help the threat actor steal sensitive information, amend or destroy databases and even bring down services through Denial-of-Service attacks.

 

Steps you can take to protect yourself while using generative AI tools

In order to protect your business’ security when using generative AI tools, there are some simple steps you can take and points you should bear in mind.

• Provide your staff with the relevant training – making your users aware of the potential risks of AI, both when using it themselves, and how it can be utilised by malicious actors, will increase their awareness of the dangers and help to reduce the risk of attack or data leaks.
• Assess the tools you are using – if you are comparing different generative AI tools and choosing one that is right for your business, take a closer look at the tool’s security. Ensure that whatever tool or application you are using is updated regularly and you have the appropriate anti-virus technology in place, to prevent attacks, before it is too late. 
• Avoid sharing sensitive information – in order to protect sensitive information and data, be cautious as to what information you choose to input. If you are creating reports or email campaigns, using a livechat or even just asking a specific question in the chatbot, be aware of the sensitive data your company holds and never share this information with the tool. You can always add and amend content that generative AI tools create for you, personalising this yourself. 
• Create a policy for your organisation around the use of AI tools which is easy for employees to understand and follow, with details on what kind of tools are authorised and how to report any policy violations.

 

For help and support with your organisation’s cyber security, you can always rely upon the expertise and knowledge of our cyber security experts. At Data Connect we provide a range of services, from staff training and phishing simulations to managed detection and response (MDR) services to reduce the risk of a successful cyber attack. Contact our team for more information and for reassurance regarding the tools you are choosing to use online.