Has your security team prepared for AI?

Thanks to ChatGPT and the barrage of artificial intelligence (AI) companies popping up, more and more organizations are leveraging AI to do everything from writing blogs to creating artificial images to writing code.

With Drake AI releasing hit singles and Netflix using forms of AI to make the perfect movie and TV show recommendations, organizations are getting creative with how they use AI. You can even get AI headshots that, for the most part, look shockingly real. But are we distracted by the shiny new thing (AI) when we should dive deeper into the risks associated with these popular technologies?

Before you jump on the AI bandwagon, we recommend working with your IT and security teams to build a well-defined policy around using AI.

What is artificial intelligence?

With talk of AI, robots, and machines taking over, artificial intelligence has unfairly earned a bad rep. AI can be a powerful tool to assist organizations (and humans) in automating tasks, making better business decisions, and much more. But what is AI?

Built In defines it as “a wide-ranging branch of computer science concerned with building smart machines capable of performing tasks that typically require human intelligence.” Simply put? It leverages computers for problem-solving by mimicking human decision-making processes.

AI learns how to do something by:

1. Processing immense amounts of data
2. Observing patterns within that data
3. Using that data and those patterns to make decisions

Typically, humans oversee AI to ensure the AI makes good decisions instead of bad ones (like writing bad code, creating deep fakes, and more).

Strong vs. weak AI

AI is constantly evolving. While strong AI has not yet come to fruition, it will be the ultimate AI success story if we can get there. Built In defines strong AI as a machine that solves problems we never it trained on—like how humans can figure things out without much training. It would have full cognitive abilities. But again, it doesn’t exist… yet.

Right now, we have weak or specialized AI—machines that try to simulate human intelligence and apply it to a specific task (think Zoom transcribing your business meeting or Drake AI writing songs). It operates within well-defined constraints to perform a single task well.

What are the security risks of AI?

While AI has—and continues to—change how we do things for the better, there are still some risks to consider. The benefits can be huge, but the risks have the potential to be so great that some believe we should limit research before setting up appropriate guidelines and protections.

A recent Salesforce survey revealed that 71% of senior IT leaders believe generative AI is likely to introduce new security risks to data.

Let’s explore a few of the most common threats popping up with AI.

Model and data poisoning

AI relies on data to execute tasks. Data is crucial, so if the machines or computers receive corrupted or malicious data, the outputs will be tainted, too.

Model and data poisoning is an attack that focuses on inputting inaccurate or tainted data that causes the model to misclassify the data and make bad decisions. Instead of executing the intended tasks, the machines learn something different than the original task (because of the bad data).

Model and data poisoning accounts for most of the security risks associated with AI because data powers them. Bad inputs lead to bad outputs.

Data Science Central sums it up with an example. Imagine a malicious actor tricks your models and has them classify data in different categories than how we (humans) categorized them—like labeling a photo of a dog as a cat instead.

The risk is ensuring that the data is accurate, not tampered with, and used how it’s meant to be used.

Pro tip: Limit access to AI training data to ensure no one tampers with the model and data inputs.

2. Consumer data privacy

Data privacy always seems to be in the news—Meta had to go through countless court hearings about data privacy, and consumers freaked out when a retailer suffered a data breach that put their customers’ personal information at risk. But with AI, consumers are more concerned about their data privacy.

Almost every business on the planet collects personal data, and they typically outline how they’ll use or share the data in a well-defined data privacy policy. But with AI, customers have no idea whether their data will be used in AI algorithms, among other concerns.

1. How does your business use AI?
2. How will your use of AI impact my data?
3. Can you protect my data against attacks on your AI machines?

Another concern is the data AI collects and who gets access to that data. Chatbots have become commonplace within many customer success departments—and they collect a lot of data, like IP address and browser information. 

Chatbots might share this information with third parties, and, according to Acceleration Economy CEO Wayne Sadin, there will be a “heightened chance of that data being broadcast far more widely to an audience that includes ‘your competitors, your customers, your regulators, your board members.'”

Pro tip: Understand how AI and customer data interact. Then, be clear in your privacy policy about how AI collects, uses, and shares consumer data, including with third parties. 

3. Attacks on AI systems

As the benefits of leveraging AI become even more obvious, savvy organizations are using some form of artificial intelligence to automate tasks, make better decisions, and even reduce costs. Don’t think cyberattackers haven’t caught on to this increased usage (and sometimes reliance on AI). They’re now attacking AI systems.

Hackers launch deliberate and AI-driven attacks to gain competitive advantages or steal and destroy data. Data Science Centers explains the difference:

• Deliberate attacks. These malicious attacks can cost you millions. Hackers tap into your AI systems for many reasons, including stealing the data in these systems (which is often proprietary).
  
• AI-driven attacks. These weaponize AI to launch an attack. Bad actors use AI to identify a target, find data to steal or destruct, and choose a way to attack. They use artificial intelligence to skirt security controls or create malware. AI empowers hackers to mimic trusted users or find ways past security safeguards.

Defending against AI risks

There are a lot of unknowns and risks around AI, which is why creating a policy around it is a crucial first step. Cybersecurity—especially in the ever-evolving world of AI—requires a definitive approach and plan that outlines how to mitigate and resolve risks. 

We’ve outlined three of the more common concerns with AI, but there are many reasons to design and adopt an AI policy, including:

1. Data privacy and loss protection
2. Bias mitigation
3. Ethical considerations
4. Threat/attack response
5. High-quality data inputs

Your policy should outline the above and how your organization will ensure you protect your business, data, and customers from the potential risks of AI. It should include who needs to be involved if there’s a security event, how you’ll respond, how to minimize risks, and how you use AI throughout your organization.

Forbes breaks the policy into three parts: process, governance, and ethics.

1. Process. When designing AI models, build in controls that ensure you comply with security regulations. There are multiple steps in the process where cyber attackers can introduce security threats, so it’s crucial you address every part of the model-building process.
   
2. Governance. Build a framework to help your teams manage AI tools and projects. Because data is central to AI, data governance is a must.
   
3. Ethics. AI has introduced new ethical concerns, specifically around data collection and sharing and biases. Are you using AI ethically? Have you addressed any biases that have been presented? Neglecting ethical considerations can lead to discriminatory AI outputs and can result in consumer distrust around how you use their data.

Endless possibilities… and risks

The possibilities are truly endless with artificial intelligence and all its sub-fields. With unlimited creative powers and the ability to automate tasks that can save organizations time and money, AI is a powerful tool we should all leverage. But it’s not without its risks.

We all still have much to learn about Ai and its security risks. As we uncover more, it’s vital we build a robust policy to address those risks and how we respond to them. Much like your existing cybersecurity policies, your AI one should detail who’s involved, how you use AI, and how you mitigate security events.

At Lightstream, we’re anxious to see how AI evolves and how organizations will leverage it for good and respond to security threats from AI. And we’ll be here to protect your most critical asset—your data— as the threat landscape changes.