Everyone uses AI at work. Here's how businesses can keep their data safe


Companies across industries are encouraging employees to use AI tools in the workplace. Meanwhile, their workers are often keen to make the most of generative AI chatbots like ChatGPT. So far, everyone is on the same page, right?

There's only one hitch: how do businesses protect sensitive company data while using the same tools they believe will increase productivity and ROI? After all, it is tempting to upload financial information, client data, your own code, or internal documents to your favorite chatbot or AI coding tool to quickly get the results you need. In fact, a new study from data security firm Varonis found that shadow AI (unsanctioned generative AI applications) poses a major threat to data security, with tools that can hinder corporate governance and monitoring and lead to potential data leaks. The survey found that almost all businesses use unauthorized apps, with almost half using AI applications considered high risk.

One of the key challenges for information security leaders is educating workers about what the risks are and what the company requires. They need to ensure that employees understand the types of data their organization processes, from company data such as internal documents, strategic plans and financial records to customer data such as names, email addresses, payment details, and usage patterns. It is also important to communicate how each type of data is categorized: for example, whether it is public, internal only, confidential or highly restricted. Once this foundation is in place, clear policies and access perimeters must be established to protect that data accordingly.

Balance between promoting AI use and building guardrails

“What we have is not a technology issue, it's a challenge for our users,” said James Robinson, chief information security officer at data security firm Netskope. The goal, he said, is to ensure employees use generative AI tools safely without discouraging them from adopting approved technology.

“We need to understand what our business is trying to achieve,” he added. Rather than simply telling employees that they are doing something wrong, security teams need to understand how people are using the tools and determine whether policies are appropriate or need to be adjusted so that employees can share information properly.

Jacob DePriest, chief information security officer for password protection provider 1Password, agreed, saying his company is trying to strike a balance in its policies between encouraging the use of AI and educating employees so that appropriate guardrails are in place.

Sometimes that means making adjustments. For example, the company last year announced its policy on acceptable use of AI as part of its annual security training. “The theme is ‘Use AI responsibly. Focus on approved tools. And here are some unacceptable areas of use.’” However, the way it was written caused many employees to become overly cautious, he said.

“That's a good issue, but CISOs can't focus solely on security,” he said. “We need to understand business goals and help businesses achieve both business goals and security outcomes. I think AI technology over the past decade has emphasized the need for that balance. So we tried to approach it in this hand to enable security and productivity.”

Prohibiting AI tools to avoid misuse doesn't work

But companies that think banning certain tools is the solution should think again. Brooke Johnson, Ivanti's HR and Security SVP, said her company has found that one-third of people using generative AI in the workplace completely hide their AI usage from management. “They share company data with systems that no one has examined, and they could potentially execute requests through platforms with unclear data policies and potentially release sensitive information,” she said in the message.

The instinct to ban certain tools is understandable, but it's misguided, she said. “We don't want employees to improve their use of AI. We want employees to be transparent so that they can be monitored and regulated,” she explained. It means accepting the reality that AI use is happening regardless of policy and implementing appropriate assessments that meet security standards.

“Educating the team about certain risks without any vague warnings,” she said. She suggested helping them understand why certain guardrails exist, while emphasizing that this is not punitive. “It's about making sure they can do their work efficiently, effectively and safely.”

Agent AI creates new challenges for data security

Do you think securing data in the age of AI is complicated now? AI agents will raise the ante, DePriest said.

“To work effectively, these agents need access to credentials, tokens and identity and can act on behalf of individuals. Maybe they have their own identity,” he said. “For example, we don't want employees to transfer decision-making authority to AI agents, promoting situations where it could affect humans.” Organizations want tools that will help promote faster learning and synthesize data more quickly, but he explained that ultimately humans need to be able to make critical decisions.

Whether it's a future AI agent or today's generative AI tool, it can be difficult to find the right balance between enabling productivity gains and doing so in a safe and responsible way. But experts say all businesses face the same challenges. And they say that it will be the best way to ride the wave of AI. The risks are real, but the right combination of education, transparency and surveillance allows businesses to harness the power of AI without giving away the keys to the kingdom.

Explore more stories from Fortune AIQ, a new series documenting how companies on the forefront of the AI revolution are navigating the real-world impact of technology.
