web analytics

CISOs beware: genAI use is outpacing security controls – Source: www.csoonline.com

cisos-beware:-genai-use-is-outpacing-security-controls-–-source:-wwwcsoonline.com
Rate this post

Source: www.csoonline.com – Author:

Report shows that every organization uses an average of 6.6 high risk generative AI applications.

Employees in every organization use an average of 6.6 high-risk generative AI applications – including some unknown to CISOs — says Palo Alto Networks in a new study.

But, an expert says, that estimate is low. “I think it’s probably worse,” said Joseph Steinberg, a cybersecurity and AI expert. “In a major company it’s got to be higher than that.”

In fact, he predicts the number of risky AI apps in the enterprise is only going to grow.

That means that CISOs need to do a risk assessment of every genAI app employees are using, he said in an interview, and then set policies and procedures staff have to follow.

He warned CISOs and CEOs against following ‘the Ostrich algorithm’ – pretending the danger doesn’t exist by ignoring, if not rewarding, the shadow use of AI by employees, either in the office or at home.

“There’s no question there’s a tremendous amount of use of generative AI apps being used in ways that are highly problematic for the organization,” he said. “Remember, I can use a genAI app from my personal computer that my company has no control over, and still leak a tremendous amount of data just from what I’m asking – and it may not be only what I’m asking, but what others are also asking, and the generative AI learns from the pattern of questions.

“It’s hard to block that, because the risk can’t be completely controlled by the organization, because someone can do it on their own time from their own machine.”

And organizations sometimes deliberately or inadvertently reward employees for using unapproved genAI apps, he added, for example, by applauding a report that’s just too good.

“Let’s be honest,” he said. “Many of the companies that ban generative AI are rewarding their employees [for using it]. They’ll never admit it. But if you’re getting reviewed based on your performance, and your performance is enhanced by using shadow IT or AI on your own machine on your own time, if you’re not being punished, you’re not going to stop.”

Steinberg was commenting on a study released Thursday by Palo Alto Networks (PAN) on the popularity of genAI in organizations. It analyzed traffic logs from just over 7,000 PAN customers during the 12 months of 2024 to detect use of software-as-a-service apps such as ChatGPT, Microsoft Copilot, Amazon Bedrock and more. It also included a separate look at anonymized data from its customers’ loss prevention incidents from the first three months of this year.

It observed:

  • on average, most organizations will see a total of 66 genAI apps in their environments. The bulk of those among PAN customers were “writing assistants” (34% of the sample. The biggest in this category was Grammarly); “conversational agents” (just under 29%, apps such as Microsoft Copilot, ChatGPT and Google Gemini); “enterprise search” apps  (just over 10% of the sample) and “developer platform” apps (just over 10%). These four alone make up 84% of the genAI apps seen;
  • 10% of genAI apps are called ‘high-risk’ because, according to customer telemetry, access to them was restricted or blocked by customers at some point or points during the study period;
  • data loss prevention (DLP) incidents for genAI detected by PAN more than doubled this year compared to 2024.

Writing assistants aren’t applications to be taken lightly, the report warns. “If an AI writing assistant is integrated into an organization’s systems without proper security controls, it could become a vector for cyberattacks. Hackers could exploit weaknesses in the genAI app to gain access to internal systems or sensitive data.”

“As genAI adoption grows, so do its risks,” it says. “Without visibility into genAI apps, and their broader AI ecosystems, businesses can risk exposing sensitive data, violating regulations, and losing control of intellectual property. Monitoring AI interactions is no longer optional. It’s critical for helping prevent shadow AI adoption, enforcing security policies, and enabling responsible AI use.”

The report identifies these genAI security best practices for CISOs:

  • understand genAI usage and control in the enterprise and what is allowed. Implement conditional access management to limit access to genAI platforms, apps, and plugins based on users and/or groups, location, application risk, compliant devices, and legitimate business rationale;
  • guard sensitive data from unauthorized access and leakage through real-time content inspection with centralized policy enforcement across the infrastructure and within data security workflows to help prevent unauthorized access and sensitive data leakage;
  • defend against modern AI-based cyberthreats through a zero trust security framework to identify and block highly sophisticated, evasive, and stealthy malware and threats within genAI responses.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.

Original Post url: https://www.csoonline.com/article/4002103/cisos-beware-genai-use-is-outpacing-security-controls.html

Category & Tags: Artificial Intelligence, Generative AI, Risk Management – Artificial Intelligence, Generative AI, Risk Management

Views: 3

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Practical DevSecOps
API Security Fundamentals – Your Handy Guide to Building an Unhackable System by practical-devsecops.com
API Security Fundamentals – Your...
Marcos Jaimovich
Nuevo Firewall para IA , un Cacharro nuevo para nuestro SOC y los equipos de Ciberseguridad !
Nuevo Firewall para IA ,...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos