According to one site, ChatGPT, the artificial intelligence chatbot created by OpenAI, has become the fastest growing website ever, with almost 1 billion users a month. And it seems like even more people are talking about it. There are a lot of amazing capabilities that it has which provide very useful information to an unlimited variety of requests, but also many risks that come with those capabilities in terms of how they impact organizations.
In the past few months since it was introduced in November 2022, ChatGPT has: 1) experienced its own data breach, 2) seen a lawyer submit a brief that used fake ChatGPT generated case citations, 3) seen a Texas judge require lawyers to complete a certification that they haven’t used ChatGPT (or other generative AI solutions) to draft filings without human QC, and 4) seen the first libel case filed against OpenAI for alleged hallucinations that claimed the claimant was sued for fraud in a case within which he wasn’t a party.
Those are just a few examples of the stories about ChatGPT in its first six months. And none of those stories reflect perhaps the biggest threat that ChatGPT and other emerging technologies pose for organizations today – the increased cyber threat vectors that exist due to potential misuse of these technologies – even if your organization has chosen to avoid using these technologies for now.
Threats from Emerging Technologies Today
Emerging technologies, including generative AI, present several new cyber threat vectors to companies due to their potential misuse. Here are four examples:
- Automated Hacking: Hackers can leverage generative AI technologies to automate the identification and exploitation of network and software vulnerabilities. By using machine learning, they can create convincing and accurate phishing and social engineering messages that are more likely to trick their intended targets into taking their desired action.
- Malware Adaptability: AI can be used to create malware that adapts and learns from the defenses it encounters. For example, it can be used to create mutating malware that can avoid detection by endpoint detections and response (EDR) applications.
- Poisoning Attacks: Data poisoning occurs when attackers tamper with the training data used to create deep-learning models. Cyber attackers can use sophisticated techniques to “poison” the data used to train an AI system, causing it to make incorrect decisions or behave unpredictably. Hackers could literally use your AI solution against you!
- Deepfakes: Generative AI technologies can create highly realistic videos, audio, and images, known as “deepfakes”. Those deepfakes can be used to create convincing fake videos or voice recordings of CEOs to trick employees into releasing confidential information or transferring money. AI-powered social engineering deepfakes are becoming a significant challenge for organizations, even if they have well-established procedures that require authorization from C-Suite executives to execute these tasks.
The threats to your organization are evolving as rapidly as the technological capabilities are, forcing your organization to constantly adjust to changing threats.
The Importance of Information Governance to Reduce Risk
In most of the examples above, cyber attackers are after one thing – your data. The more data you have, the more difficult it is to protect the important and sensitive data you have. Holding data creates risk – the more data your organization holds, the greater the risk it engenders. Data can literally be toxic to your organization!
That’s why a sound information governance program is the foundation of your approach to reduce cyber risk. Sound information governance practices include:
- Data Classification and Management: Protecting your data begins with understanding what you have, where it’s stored, how sensitive it is, and who has access to it. Good information governance includes a thorough data classification process (including the creation of a data map), which aids organizations in determining risks associated with different types of data and establishing security measures to suit. You can’t protect your most important and sensitive data if you don’t know where it is.
- Encryption and Other Data Protection Measures: Encrypting sensitive data and other security measures such as firewalls and intrusion detection systems are “table stakes” today for organizations. A key part of information governance is ensuring that data is stored securely, both at rest and in transit.
- Implementing Access Controls: Implementing strict access controls includes ensuring that employees – and third parties such as suppliers or contractors – only have access to the data they need to do their job and that access rights are revoked promptly when an employee leaves the company or changes roles.
- Training and Documentation: A strong information governance program includes regular training and awareness programs – backed by thorough documentation updated regularly – to ensure that all employees understand the importance of data security and their role in protecting the organization’s data.
- Periodic Audits: Your information governance program should include periodic audits to ensure compliance with your policies which will identify any irregularities that could lead to a security breach.
- Data Lifecycle Management: More than ever today, data must be managed from creation or acquisition, through its active use, to its eventual disposal. By regularly reviewing data (including conducting privacy risk assessments on sensitive data) and deleting unnecessary data, organizations can reduce the ‘attack surface’ available to cybercriminals.
Sound information governance practices like these can play a key role in reducing cyber risks by reducing the toxic data your organization possesses, which enables your organization to reduce its attack surface and focus on protecting important and sensitive data.
Your Best Cyber Defense Against ChatGPT and Other Emerging Technologies
Expect rapid evolution with emerging technologies like ChatGPT and other generative AI technologies. It’s going to be crazy and unpredictable for the foreseeable future! You can’t control how those technologies are going to evolve and how they can be used – maliciously – to attack your organization.
What you can control is what you do to protect your organization’s data from attacks. A sound information governance program is the foundation of your approach in protecting your data and reducing cyber risk. The more uncontrolled data you have in your organization, the more likely that data could be toxic to your organization. Your best cyber defense against ChatGPT and other emerging technologies is to minimize the amount of toxic data in your organization through a sound information governance program!
