Unleash the Power of Generative AI

Generative AI poses several threats to data security. These include a data leak, data breach and non-compliance with data privacy laws. 

Generative AI applications like ChatGPT and Gemini are LLMs that learn from the information that users put in. If a user is reviewing, for example, information about the target of merger and acquisition activity that has not yet been made public, then subsequent searches from other users could reveal that information. 

If a software engineer were to use generative AI to debug proprietary software code, then that intellectual property would be at risk of becoming public domain – or worse, ending up with a competitor. Similarly, if the engineer were to use generative AI to write code, it could potentially contain malware that could provide an attacker a backdoor into a company’s system. 

Lastly, data privacy laws like HIPAA or GDPR mandate organizations closely safeguard personal data. Using generative AI for anything having to do with Personally Identifiable Information (PII), such as drafting an email response about a customer query, could put the company at risk for non-compliance as this information could be leaked or misused.

Generative AI can be used to write malware and spoof content for phishing and spear-phishing attacks. Generative AI vendors like ChatGPT are also at risk of data breach, giving attackers access to sensitive data from users. 

One example of generative AI being used to create malware is from Aaron Mulgrew at Forcepoint. Mulgrew was able to get ChatGPT to write malicious code, despite ChatGPT having safeguards in place to prevent this from happening.

Generative AI data security requires both real-time access control and robust data controls.  

In a platform like Forcepoint ONE SSE, organizations can provide access to generative AI tools to limited groups of employees that have been approved to use them. These policies can be implemented on both managed and unmanaged devices, giving companies a wide range of control. 

With Forcepoint DLP, ChatGPT and Gemini users will be limited in what information they can share with the platforms to prevent an accidental data leak. This includes preventing the pasting of sensitive information, such as social security numbers, into the application.

The cybersecurity threat landscape is constantly evolving and while generative AI is a new risk, there are existing technologies to mitigate it.

Generative AI is most at risk of being another avenue for a data leak or data breach – not too different from any of the other SaaS applications that businesses use on a daily basis. If employees are working out of generative AI with sensitive data, then a data breach or misuse of that data could impact the company’s security posture.

Treating generative AI tools like ChatGPT and Gemini as shadow IT is the first step in the right direction. Define who should be able to use the applications and build policies enabling these groups to access the tools – and preventing those who shouldn’t. Furthermore, introduce strong data controls to ensure that sensitive data remains within the organization.

Generative AI applications like ChatGPT are built and trained on large language models. These algorithmic models enable the platforms to ingest and learn from large databases, giving them the knowledge, context and accuracy that users have come to expect from AI chatbots.

But because generative AI is built on large language models, it continues to learn from the information that is fed into it. It is continuously learning and applying context to new information it interacts across, enabling its answers to stay fresh and relevant.

This poses a significant risk for your business. Sharing proprietary or sensitive information with the AI chatbot opens up two avenues for risk. One being that the application takes that information as public knowledge and shares it when prompted in the future. The second concern being that the company behind the generative AI tool itself is breached and the information shared with it is compromised

By default, you should operate on the assumption that generative AI applications like ChatGPT and Gemini are likely to use the data you enter to improve their models. However, you will want to double check with the specific platform you use.

This data is collected with a host of other information, such as the device you are using, where you are accessing it from, and any details associated with your account. The ability for the application to train off your data can usually be turned off in the settings, depending on the vendor.

This is one of the primary risks of sharing sensitive information with AI. Sharing sensitive company information, such as an upcoming go-to-market strategy for a product launch, with the applications can effectively make that information publicly available if the proper precautions aren’t taken.

Forcepoint data security helps prevent this by limiting access to only users that are trained to use the applications safely, or by blocking the pasting of information into the application.

Generative AI applications must be treated like any other third-party vendor in the digital supply chain. If the platform suffers a data breach, then the information you have entered into it could be at risk. This is why companies must develop stringent acceptable-use policies surrounding generative AI to ensure data isn’t unexpectedly put at risk.

All organizations are responsible for being in compliance with privacy regulations. When entering data into generative AI applications, there is a potential for individuals to share PII, PHI and other types of information that is regulated.

Sharing private information with a generative AI application is a form of data exfiltration that falls under privacy regulations. In order for organizations to remain compliant, they must have strong data security tools in place that will prevent this type of information from being shared.

All companies should review how their employees already or may interact with generative AI, what types of risks those interactions pose and how the organization can prevent ineligible users from accessing and sharing sensitive information with generative AI.

Like any other SaaS application, businesses should ensure they have complete visibility over users accessing generative AI and control over the data they interact with. In most cases, this will involve URL filtering by job role, device or location, and data security policies to prevent any compliance breaches.