This article was written by James Farr, Senior Security Consultant.
The sky is falling and Artificial Intelligence (AI) is the reason, or so it has been said. In reality, threats from phishing, malware, and data exfiltration have been around for years. The introduction of AI is just the next phase in this cyberthreat evolution.
It’s Not All Bad
AI has the ability enhance many activities by using human-like thought processes to assist with tasks such as forecasting sales, performing repetitive tasks, and providing automated assistance to enhance customer support. Capturing the upside of this technology requires careful planning and executive leadership.
Assess Your Risks
As with adopting any new technology, an organization should perform a risk assessment to help identify any risks associated with using or not using the new technology. NIST released the Artificial Intelligence Risk Management Framework (available at https://www.nist.gov/itl/ai-risk-management-framework) to provide “guidance to address risks in the design, development, use, and evaluation of AI products, services, and systems.”
Policies and Procedures
Once the risks are addressed and the adoption of AI is in place, your organization should implement policies and procedures to outline the responsible use of AI, including what types of data are allowed and restricted. Additionally, your vendor management process should be updated to include a review of how vendors are using AI and evaluation of any risks that could result from the use of AI.
During the implementation phase, you should have regular talks with your team to highlight the advantages and drawbacks of your selected AI tool. AI tools are trained to work with specific data sets. AI will attempt to provide answers even if they do not have complete data sets. The age of the data will impact the quality of the results. Additionally, it is possible for AI to return results that contain copyrighted and open source materials that are not properly referenced. All results should be verified prior to use.
Be Security Aware
AI has great potential for good, but threat actors are already looking for ways to use these tools to exploit people and processes. A layered security approach will include traditional network and workstation hardening techniques and solutions. You will need to include AI training in your annual security awareness materials to help ensure that your users are ready for potential phishing, voice cloning, and deepfake scams.