The boardroom conversations have begun. Your company’s CEO is eager to put generative AI into action. They know it’s vital to improving efficiency and productivity as well as maintaining competitiveness. But, they’ve also heard about the risks. Namely, hallucinations, data leakage and cyber-attacks.
So, they turn to you: the company’s CISO. You, yourself, know that prohibiting generative AI isn’t an option. The technology is too powerful and too game changing to ignore.
But, for the sake of your company’s cybersecurity, you can’t say yes straight off the bat. You need to really consider and mitigate the risks. That’s the only way your organization can benefit from the opportunities.
What does the AI attack surface look like?
Generative AI models introduce a novel frontier for potential security threats, featuring distinctive attack vectors such as data poisoning, model evasion, and extraction.
In a recent security assessment conducted by IBM researchers, the vulnerability of LLMs became starkly evident. During rigorous testing, the LLM was successfully manipulated to divulge sensitive information belonging to other users, generate compromised code, create malicious scripts, and provide suboptimal security recommendations.
What compliance & privacy mandates must we consider?
Right now, a mosaic of AI regulations is taking shape, encompassing initiatives like the EU’s AI Act and the US Executive Order on AI Safety and Security. Nothing is set in stone yet, and the explosion of regulations—at both national and state levels—only add to the complexity of deploying AI in a wholly compliant manner.
Still, even though the regulatory guidelines surrounding AI remain incomplete and evolving, organizations that proactively follow available best practices, such as the NIST’s AI framework, will put themselves in excellent stead to adopt AI in a responsible and trustworthy manner.
On top of that, CISOs need to be mindful that established regulations, such as the General Data Protection Regulation (GDPR), extend their purview to include AI applications.
A notable instance occurred in March 2023 when Italy’s Data Protection Authority (DPA), the Garante, took decisive action by issuing an emergency order. This order temporarily halted OpenAI, the parent company of the ChatGPT platform, from processing personal data of individuals in Italy.
The Garante justified this intervention by pointing out several potential breaches of GDPR provisions. These concerns encompassed issues related to lawfulness, transparency, safeguarding data subject rights, and various other aspects critical to compliance with GDPR standards.
In that sense, it is not just AI regulations that CISOs and risk management teams must bear in mind, but established data privacy regulations like HIPAA, the GDPR, and CCPA too.
What are the cybersecurity risks of using generative AI?
In a recent security blog on ChatGPT, the analyst firm Gartner explained what many CISOs will already be wary of: sharing any sensitive information with a generative AI application is a data leak waiting to happen. As the notice stated:
“There are currently no verifiable data governance and protection assurances regarding confidential enterprise information. Users should assume that any data or queries they enter into the ChatGPT and its competitors will become public information, and we advise enterprises to put in place controls to avoid inadvertently exposing IP.”
It is paramount to acknowledge that, when users entrust data to a generative AI platform, the tool not only stores but also has the potential to reuse that data in subsequent interactions. Should an employee innocuously share any sensitive data with an LLM, such as personally identifiable information (PII) or protected health information (PHI), the fallout could be detrimental in terms of compliance fines and customer trust.
How can we use generative AI to improve cybersecurity capabilities?
So far, we have looked at generative AI from a risk standpoint. Now, it’s time to think about how you can mitigate those risks. A novel technology requires novel security approaches.
CISOs must shift their perspective beyond merely securing generative AI; they need to explore how generative AI can actively contribute to enhancing security.
Similar to how boardrooms hope to leverage AI to optimize functions like marketing and sales, generative AI holds the potential to empower security operations centers (SOCs) in combating alert fatigue, elevating accuracy, and combatting generative AI-related risks.
Here are the top recommended use cases that we propose:
1. Data loss prevention
Utilize natural language processing (NLP) to augment the efficiency and precision of data loss prevention (DLP) within apps like ChatGPT and Bard. NLP empowers organizations to automate the discovery, classification, and protection of unstructured data in these applications while minimizing false positives.
2. Threat hunting
Generative AI can streamline the overwhelming task of managing data and alerts from various security tools used in threat hunting. By consolidating this information into a unified repository, organizations can more effectively prioritize security incidents.
Leverage generative AI to simplify and automate the process of drafting reports, alleviating the time-consuming task of creating documentation for SOC 2 audits, stakeholder meetings, and compliance reviews.
4. Security training
Revolutionize security awareness programs by incorporating generative AI to provide real-time, point-of-violation training to users who may inadvertently or intentionally violate data protection policies while using AI tools.
Make Polymer DLP your first AI deployment
The pressure is on CISOs to embrace AI and Polymer can help. Polymer DLP for AI is a low-code, plug-and-play tool that uses the power of natural language processing to discover, classify, and secure sensitive data across your generative AI and SaaS applications.
Here’s how Polymer can help you deploy generative AI securely:
- False positive reduction: Polymer DLP is designed to overcome the traditional pitfalls of DLP, offering high true positive ratios thanks to the fusion of natural language processing and regular expressions.
- Automatic remediation: Using a self-learning engine, our tool autonomously remediates potential instances of data exposure without the need for manual intervention, meaning your security team can focus on strategic work instead of getting caught up in responding to alerts.
- Zero trust enablement: Polymer DLP uses dynamic, contextual authentication factors to verify users as they request access to sensitive information in real-time, bringing the principles of zero trust to your generative AI tools.
- Quantifiable value: Demonstrating the value of security investments has long been a challenge, but our data exposure risk score changes the game. It’s a metric that quantifies the presence of sensitive data, both inside and outside the organization. This score lends a measurable edge to data loss prevention efforts and allows for an accurate ROI calculation.
- Culture of security: Polymer DLP supports point-of-violation training with real-time nudges to users who violate security policies. This approach has proven to reduce repeat violations by over 40% within days.