web analytics

On Point: Risk Management Strategies for AI Tools – Source: www.databreachtoday.com

on-point:-risk-management-strategies-for-ai-tools-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Artificial Intelligence & Machine Learning
,
Governance & Risk Management
,
Leadership & Executive Communication

What to Do to Protect the Sensitive Data You Submit to Online AI Tools

CyberEdBoard


June 28, 2024    

On Point: Risk Management Strategies for AI Tools
Ian Keller, security director and CyberEdBoard executive member

Artificial intelligence tools are both a blessing and a curse for companies. They enable staff to be more efficient and get tasks done quicker, but they also allow an ever-increasing amount of sensitive data to walk out of the organization. Data that is moved to AI for analysis can create legal and contractual nightmare for companies.

See Also: Identity Security Clinic

ChatGPT and Google’s Gemini operate under a freemium model, which offers users basic functionality. The more advanced features are locked behind a paywall. Like libreware, these online tools have vague and user-unfriendly license agreements, and buried inside these agreements are clauses that grant the provider rights concerning the data submitted.

These are the top three issues usually found in the licensing or use agreements.

  1. The provider has the right to use your data for training and the improvement of its products. The provider can incorporate your company data into its training platforms without further permission or consideration. This can benefit the provider’s products, and it can also potentially expose your company’s sensitive data to the underlying algorithms.
  2. The provider has the right to use your data for data analytics and marketing. The risk here is that the data you submit could be aggregated with data from other users to reveal industry trends or allow competitors to glean insights into your strategies.
  3. The license agreement allows for third-party sharing.. This might allow the provider to share your data with affiliates or third-party vendors, which would further expand the circle of those with access to your sensitive information.

Consequences of Submitting Sensitive Data to AI Tools

The risks inherent in the license/use agreement clauses raise serious concerns about your contractual and legal compliance, particularly with data privacy regulations. The General Data Protection Regulation addresses the principle of data minimization. It mandates that companies only collect and process the minimum amount of data necessary for a specific purpose. Submitting company data to an AI tool for a nonessential task directly contradicts this principle.

If you submit personal identifiable information to an AI platform without express consent, your company can be at serious risk of breach under the GDPR. It says that a company can be fined up to 20 million euros or 4% of its annual global turnover, whichever is higher, for this violation.

The consequences of a data breach caused by providing sensitive information to an AI tool extend far beyond regulatory fines. Your company will suffer reputational damage as a result of a data breach, leading to customer churn and a decline in brand value. And new and existing clients may be hesitant to entrust sensitive information to a company with a history of leaks.

If customer data is compromised through an AI tool, the company also could face legal action from affected individuals and/or from regulatory bodies seeking some form of restitution for damages suffered.

Risk Management for AI Tools

Risk management controls need to be in place when sensitive data is submitted to AI tools. Good security hygiene practices are essential. They include:

  • A data classification policy and associated awareness training: Educate your employees on data classification and the importance of identifying sensitive information. This will greatly reduce the risk of a compliance breach. Sending regular emails that contain easy-to-read information and guidance is an easy way to accomplish this.
  • A list of vetted AI providers: If AI is a business need, thoroughly research potential AI providers, scrutinize their license agreements and prioritize those with robust security practices and clear data usage policies. Make this list available to all staff and keep it updated.

You can also consider developing internal AI solutions. This is especially beneficial where high-risk tasks involving sensitive or PII data could be used. In-house AI solutions let you keep control of your data entirely within your organization.

AI technology will only continue to grow and evolve, so the issue of data security is paramount. The EU’s AI Act is a step in the right direction (see: EU Parliament Approves the Artificial Intelligence Act).

There is always a cost associated with tools, and AI is no exception. Ensure that you fully understand the risks associated with AI and other online tools, and implement robust business- specific mitigation strategies.


CyberEdBoard is ISMG’s premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.

Join the Community – CyberEdBoard.io.

Apply for membership


Ian Keller has over three decades of experience in information security. Currently, he leverages his extensive knowledge and expertise to bridge the gap between corporate telecommunications intelligence and business communication, providing data-driven solutions for informed decision-making and enhancing product quality in line with ISO and best practices. Keller is a chief information security officer whose career has encompassed sectors including telecommunications, network security, financial services, consulting and healthcare. His expertise in customer security, identity and access management, information security, and security awareness has made him a sought-after speaker at international events.

Original Post url: https://www.databreachtoday.com/blogs/on-point-risk-management-strategies-for-ai-tools-p-3655

Category & Tags: –

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI...
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes...
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data...
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central...
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence

More Latest Published Posts

INCIDENT RESPONSE PLAN
INCIDENT RESPONSE PLAN
NIST CSF 2.0
Incident Response Recommendations and Considerations for Cybersecurity Risk Management
Incident Response Recommendations and Considerations for Cybersecurity Risk Management
GmFaruk
Identity and Access Management Policy
Identity and Access Management Policy
UK HM Government
National Cyber Strategy 2022
National Cyber Strategy 2022
NSA
NSA Network Infrastructure Security Guide
NSA Network Infrastructure Security Guide
NIST
NIST Policy Template Guide
NIST Policy Template Guide
Thecyphere
Malware prevention tips for businesses
Malware prevention tips for businesses
ministry of security
MERGERS AND ACQUISITIONS
MERGERS AND ACQUISITIONS
THE LINUX FUNDATION
Linux Privilege Escalation
Linux Privilege Escalation
LogRhythm
How to build a SOC with limited resources
How to build a SOC with limited resources
Kubernetes
Kubernetes and Cloud Native Associate (KCNA) Study Guide
Kubernetes and Cloud Native Associate (KCNA) Study Guide
Australian Government
Management structures and responsibilities
Management structures and responsibilities
Hacker Combat
How are Passwords Cracked ? by Hacker Combat.
How are Passwords Cracked ? by Hacker Combat.
N/A
Security Metrics & KPIs for Measuring SOC Success – Measure Up: How SOC Metrics Elevate Your Security Posture.
Security Metrics & KPIs for Measuring SOC Success – Measure Up: How SOC Metrics Elevate Your Security Posture.
Sectrio
The Global OT & IoT Threat Landscape Assessment and Analysis rEPORT 2024 by Sectrio Threat Research Lab Initiative.
The Global OT & IoT Threat Landscape Assessment and Analysis rEPORT 2024 by Sectrio Threat Research Lab Initiative.
ISA SECURE
The Case for ISA/IEC 62443Security Level 2 as a Minimumfor COTS Components
The Case for ISA/IEC 62443Security Level 2 as a Minimumfor COTS Components
Huntress
2024 Cyber Threat Report
2024 Cyber Threat Report
NACD - Intenet Security Alliance
2023 Director’s Handbook on Cyber-risk Oversight
2023 Director’s Handbook on Cyber-risk Oversight
Devoteam
14 Cybersecurity Trends for 2024
14 Cybersecurity Trends for 2024
IGNITE Technologies
MEMORY FORENSICS VOLATILITY
MEMORY FORENSICS VOLATILITY
CAREER UP
7 Steps to your SOC Analyst Career
7 Steps to your SOC Analyst Career
National Cyber Security Centrum
Managing Insider Threats
Managing Insider Threats
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024