From Alan’s Desk: AI Integration is Powerful but Can Increase Cybersecurity Risks

Alan McCafferty · uOttawa PDI News · Posted: Sep 12, 2024 3:20 PM EST


 

We’re currently living through the Wild West of the AI revolution. New AI tools are springing up all the time and the existing ones work in ways that, if we’re being honest, nobody fully understands.

But the general principles are known. For all the power of AI, even in its current infancy, the very nature of how it functions can potentially expose your organization and create gaps in your cybersecurity if you’re not careful about your implementation. This is only magnified in the current environment, where tools are proliferating and regulation is still trying to catch up.

That’s not to say that you can’t or shouldn’t integrate AI tools. Especially from the business side of the equation, there’s a lot of appetite for their ability to increase efficiency. The technical side of businesses tends to be more reluctant to adopt them, given the risks they create. But it is possible to balance these two sides of the coin.

Existing Risk Is Exacerbated by Integrating AI
When it comes to cybersecurity, there’s legitimate concern that AI will provide increasingly powerful ways for malicious actors to challenge or bypass network security. But it’s crucial to understand that, when we integrate AI tools into any part of our operations, we can potentially increase our risk of being successfully attacked, whether the attacker is using AI tools or not.

Fundamentally, AI tools are predicated on predictability. They work by figuring out patterns of behavior to predict and generate desired outcomes. For example, there are quasi-AI tools available that will automatically generate and adjust schedules for you, blocking out time for meetings and for work on various projects. But, of course, to do this these tools require access to your calendar, among other things, and generally you must also make an account and allow the tool to gather detailed information about you and your habits.

The wealth of information required for this kind of predictability can put your organization, and even your clients and colleagues, at risk.

Unregulated Industry Creates Unpredictable Exposures
For most software, we have some idea of what kind of security risks we may be facing by using it. But in the largely unregulated and ever-growing AI industry, these risks are vastly more unpredictable.

Anyone making use of an AI tool to facilitate their business should be asking a few questions about the tool they’re using and the business that offers it, such as:

  • What are you doing with my information?
  • How are you protecting the information I give you?
  • What certifications does your offering meet?
  • How are you retaining my information?
  • Where are your servers? Are they exposed to any legal risk, such as seizure by a foreign government?

The reality is that, right now, there are probably quite a few businesses offering powerful and useful AI tools that can’t answer all or any of these questions. There may even be some that are genuinely what you’d call malicious actors, which are fully intent on selling your information. Integrating those tools into your workflows, malicious or misunderstood, could put your organization at considerable risk.

Balancing Business Demands and Risks Is a Policy and Procedure Question
It’s natural to assume that we can try to address these risks and take advantage of AI by leveraging other technologies. Surely with superior firewalls and VPNs, the risks can be mitigated.

While current protection technologies can help, the cybersecurity challenges associated with AI integration are best managed through security policies tailored to protect your business in your specific industry. That’s because the risks created by introducing AI have a lot to do with the information that needs to be shared to power them and make them useful. As such, developing comprehensive policies around how to anonymize and safeguard information that is critical in your industry or to your cybersecurity is a better way to mitigate the risks, rather than simply purchasing a stronger firewall.

As I mentioned before, the key to integrating AI tools into your operation is to investigate the nature of the tools you’re integrating, and how they protect your data — or don’t. And reducing risk is not so much about managing the technology as it is about managing the people using the technology and interacting with it.

This is why the Information and Cybersecurity Program at the University of Ottawa Professional Development Institute is integrating AI-focused components into all cybersecurity courses. We sit at the intersection of the executive and technical teams, and our courses are designed to help industry professionals of all kinds balance the needs of business with both existing and emerging cybersecurity challenges.

 

About the Author
Alan McCafferty is a Senior Business Analyst with 25+ years of progressive experience working with public organizations, not-for-profits, start-ups, and multi-national corporations. Educated in Canada, the USA and Europe in multiple disciplines including Engineering, Business, Risk Management, and Lean 6 Sigma, he is the author of more than 25 white papers and the recipient of the Canada Award for Excellence. During his career, Alan has led the delivery of multi-year $1 billion+, mission-critical information technology projects. As a Cyber Security SME, Alan was key in the development of the University of Ottawa Professional Development Institute cyber security program and teaches several of the courses. Alan has successfully completed IT, Security, Process, Threat Risk Assessments (TRA), Privacy Impact Assessments (PIA), and health and safety projects for federal government departments, provincial healthcare organizations and national not-for-profit organizations. As a senior consultant, he uses his Lean 6 Sigma skills, along with his risk and security experience, to help organizations implement low-waste and effective lean processes in areas such as information security management systems, business continuity, department security plans, quality management systems, and health and safety management systems.

 

Are you looking to advance your skills or delve into the cybersecurity domain? Explore the opportunity to enhance your expertise by enrolling in one of uOttawa PDI’s information and cybersecurity management certificates. These programs cover areas such as risk management, protection techniques, threat assessments, and incident response. Elevate your proficiency and knowledge in this critical field. Learn more today.