Shadow AI and Insider Threat
Source: McKonly & Asbury
Artificial Intelligence (AI) is widely seen as an exciting emerging technology that is set to improve performance and efficiency across organizations when applied correctly. However, as with all new technologies, those who have malicious intentions will use it to inflict pain on organizations with surprising ease. This article defines Shadow AI and discusses how insider threat has been transformed by its use.
Shadow AI
While AI offers numerous benefits, it also presents a growing concern: the shadow AI threat. This concept refers to the potential dangers and unintended consequences of AI systems that operate without human oversight, often in the background, and can be challenging to detect and control by organizational IT shops. There are several free to use applications that use AI (e.g., Chat GPT, Bard, and more) and are capable of increasing employee efficiency; however, that is not the threat these applications represent.
Insider Threats Posed by AI
To use the famous ChatGPT as an example, it’s creator OpenAI stated that it only used data as recent as 2021 to train the AI; how much one believes that statement up to the user. The topic of concern is that ChatGPT collects both the user’s account information and conversation history. This includes a user’s email address, device, IP address, and location, as well as any public or private information used in an individual’s ChatGPT. All of this means that anyone can become an accidental or unwitting insider threat to their organization. Using free AI tools may not cost money, but there is still something being exchanged in return for their use of the program – the user’s data.
Shadow AI can be intentionally or unintentionally unleashed on company devices and the network, exploiting sensitive data and invading an individual’s privacy without their knowledge. AI systems can collect and analyze vast amounts of personal or sensitive information then through data mining and profiling. In the hands of a malicious actor or saboteur, it is a useful tool that can be employed at any stage of an attack, whether looking for targets, mining e-mails to learn how to imitate any user, mapping the network, or harvesting your most important company data.
It is not only AI’s capacity to act independently of users which presents a threat, but the ability of some AIs to produce accurate coding to the specifications of the user and in a language of their choosing is a growing concern. This places personalized coding in the hands of anyone who wants it, regardless of their skill level in programming. Even though nearly all the well-known AI developers prevent their applications from producing inherently malicious code, in many cases it is not difficult to modify scripts to fit the user’s intent.
Reducing the Risks
While multiple and specific threat examples have been discussed, the possibilities of insider threat via the use of Shadow AI are limited by the imagination of the attacker. AI can amplify the ability of anyone, regardless of skill level. However, organizations are not powerless in this struggle, as there are a number of effective measures that can reduce risk of insider threat and unauthorized AI use.
ESTABLISH CLEAR POLICIES AND GUIDELINES
Create clear guidelines about the use of AI, what constitutes AI, and potential (also unintentional) consequences of its use.
EDUCATE EMPLOYEES
Provide training to employees to help them understand the importance of adhering to AI and IT policies. Make them aware of the risks associated with shadow AI.
IMPLEMENT ACCESS CONTROLS
Ensure that access to AI tools is limited to authorized personnel. Use role-based access control to restrict access to only those who need it for their job.
REGULAR AUDITS
Conduct periodic audits to assess the use of AI tools within your organization. Identify and address any instances of shadow AI.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and provide you with recommendations to detect, respond to, mitigate, and recover from cybersecurity events. We can answer any questions and help you determine if a SOC 2 or SOC for Cybersecurity report would be useful for your company. Be sure to visit our firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology pages, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA regarding our services.