Expert Strategies to Protect Sensitive Information From AI-related Security Risks
San Mateo, CA | July 1, 2024
Kiteworks, the leader in sensitive content communications privacy and compliance through its Private Content Network, today announced data privacy is at risk more than ever before with the rise of generative AI. Over 77% of companies are either using or exploring the use of artificial intelligence, and amid this widespread adoption, more than three-quarters of these companies have experienced AI-related security breaches.1, 2
Nearly one-third of employees have admitted to placing sensitive data into GenAI tools and 39% cited the potential leak of sensitive data as a top risk to their organization’s use of public GenAI tools. With this in mind, the experts at cybersecurity and compliance company Kiteworks have shared their advice on how to keep sensitive data secure when using GenAI tools.
1. Avoid Using Personal or Proprietary Information in GenAI LLMs
Data security and privacy should be the top priority when using large language models (LLMs) and generative AI tools, which may be subject to different regulations across countries and regions.
Given the allure and ubiquity of GenAI LLMs, it’s essential for employees to remove any personal or proprietary data when using these tools. This includes customer information, financial data, proprietary strategies, personally identifiable information (PII), or any confidential documents.
This approach helps mitigate risks of unauthorized access to sensitive data, as GenAI LLMs typically store the data they’re given and can re-purpose it for similar queries.
2. Create a Company Policy on AI and Privacy
LLMs and generative AI tools present significant accuracy, accountability, privacy, and security challenges. Implementing and enforcing company policies that specify what can and cannot be shared with LLMs and generative AI tools can mitigate many of these risks. It is imperative therefore for employees and business owners to work together to ensure these policies are clearly communicated and consistently followed.
Ongoing training for employees is crucial to keep them informed about the latest data privacy standards, potential risks, and the correct usage of AI tools. Implementing data loss prevention (DLP) technologies can help in identifying and protecting sensitive information, ensuring that it is not inadvertently shared or accessed by unauthorized entities. Additionally, monitoring file activity, such as downloads and uploads, can provide insights into unusual or unauthorized actions, allowing for swift intervention.
3. Manage Data Privacy Settings
To prevent company data from being used for AI model training, it’s vital to safeguard sensitive information. Most GenAI tools have a feature that disables the tool from storing queries and information uploaded. A typical disablement feature looks something like this: navigate to “Settings” and, under “Data Control,” disable the “Improve Model for Everyone” option. Regularly review permissions to prevent unnecessary data access, ensuring privacy and thwarting unauthorized access.
Ensure chats are deleted to reduce the risk of sensitive information being stored. OpenAI typically deletes chats within 30 days, however, it is specified in their usage policy that some can be retained for security or legal reasons. To delete chats, access the AI tool’s settings, and find the option to manage or delete chat history. Periodically delete all chats to maintain data privacy and minimize vulnerabilities.
4. Regularly Change Passwords and Use Data Access Controls
Strong passwords and data access controls are vital for safeguarding accounts from cybercriminals, especially for securing accounts linked to AI systems. A six-character lowercase password can be cracked within minutes. Ensure password strength by creating long and complex passwords, with at least eight characters and special symbols.
Use unique passwords for each AI-related account, consider a password manager for tracking, and enable multi-factor authentication (MFA) for added security. MFA options like email, SMS, app, or biometric authentication add an extra layer of protection, significantly reducing the risk of unauthorized entry to AI systems and enhancing overall security posture.
5. Audit AI Interactions and Monitor Data Breaches
Private, work-related content should never be shared in public LLMs. However, almost 1 in 20 global employees (4.7%) have admitted to entering confidential corporate data into ChatGPT.3 Regularly audit activity logs to monitor suspicious file activity, particularly GenAI logins and file uploads. If the logs show these activities, investigate immediately to mitigate potential risks and maintain data integrity.
Utilize automated tools and anomaly detection systems to flag irregular patterns and behaviors that may indicate a potential breach or misuse. Conduct regular security assessments and penetration tests to identify vulnerabilities in your AI systems. Additionally, establish a response protocol for breaches that includes immediate containment measures, notification procedures, and steps for data recovery and mitigation.
Patrick Spencer, spokesperson at Kiteworks, shared his thoughts:
Ensuring data security and privacy is essential when utilizing LLMs and generative AI tools. With rigorous data privacy regulations across regions and industries, it’s imperative to use anonymized and encrypted data to mitigate risks.
We recommend organizations establish clear policies that prohibit employees from sharing specific details like customer information, financial data, and proprietary strategies to protect sensitive information. Implementing robust company policies and utilizing private AI systems can significantly enhance security and compliance, providing tailored and efficient solutions while safeguarding against breaches.
Regularly updating passwords and managing data privacy settings are also vital steps in maintaining data integrity and preventing unauthorized access to sensitive corporate data. Training employees on AI usage and data privacy is just as crucial. Start by identifying necessary or popular AI technologies. By investing up front in employee training on proper GenAI tool usage, organizations not only enhance employee skills but also mitigate the risk of exposing sensitive content.
Citations:
- Exploding Topics, “How Many Companies Use AI?”
- Hidden Layer, “AI Threat Landscape Report 2024”
- Statista, “Share of company employees worldwide using ChatGPT in work environments from February to June 2023”
About Kiteworks
Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and save of sensitive content. The Kiteworks platform provides customers with a Private Content Network that delivers content governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive content moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all sensitive content communications. Headquartered in Silicon Valley, Kiteworks protects over 100 million end users for over 35,000 global enterprises and government agencies.
Press Inquiries
Courtney Cole
Email: courtney@journalistic.org
About Accellion
Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and save of sensitive content. The Kiteworks platform provides customers with a Private Content Network that delivers content governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive content moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all sensitive content communications.
Media Contacts
Additional Resources