
How to Reduce Data Leakage Risks of ChatGPT and Copilot AI

As businesses embrace the transformative potential of generative AI, CEOs and CFOs are particularly enthusiastic about its ability to significantly enhance employee productivity and achieve the much-desired goal of “doing more with less.” The promise of Microsoft’s Copilot and ChatGPT Premium to streamline workflows, automate routine tasks, and foster innovation has captured the attention of top executives, who view these technologies as key drivers of competitive advantage and efficiency.

However, this optimism is not universally shared across the executive suite. Chief Information Security Officers (CISOs) are understandably sounding the alarm on a critical concern that accompanies the adoption of these advanced AI tools: the heightened risk of employee “data leakage.” While generative AI offers unprecedented opportunities for growth and efficiency, it also opens new avenues for data breaches, unauthorized access, and the potential misuse of sensitive information. CISOs are acutely aware of the delicate balance between leveraging AI for its immense benefits and safeguarding their organization against the potential damages that could arise from compromised data security. Their focus is on navigating the complex landscape of AI integration, ensuring that the drive for productivity does not come at the expense of the organization’s most valuable asset: its data.

The expanding AI threat landscape

A report from Group-IB revealed that over 200,000 compromised ChatGPT credentials were up for sale on dark web marketplaces in 2023. These credentials were harvested by information-stealing malware such as LummaC2, Raccoon, and RedLine, indicating that attackers are increasingly targeting accounts for AI tools. This surge in compromised credentials underscores both the critical vulnerabilities associated with AI tools and the escalating need for robust security measures. Employees often enter confidential information or proprietary code into chatbots for work purposes, potentially and unwittingly offering bad actors access to sensitive intelligence.

Data risks with Microsoft Copilot

Deploying Microsoft Copilot presents new data security challenges for enterprises. For example, the Copilot for Microsoft 365 AI tool can access sensitive corporate data from sources such as the company’s SharePoint sites, individual employees’ OneDrive storage, and even Teams chats. The obvious business value here is that Copilot analyzes all of that data to generate new content in the context of a particular company and its business processes.

However, it’s also obvious how this intense level of data aggregation can lead to oversharing and unauthorized access. To be clear: Copilot does not change a company’s existing Microsoft 365 settings to make it easier to find an employee’s personally identifiable information (PII), nor does it alter how files are shared. What Copilot does do is quickly find, analyze, and interpret data that was already available on the corporate network. As a result, a significant portion of an organization’s business-critical data is often at risk when Copilot is introduced, not because the tool grants new access, but because existing data access policies are frequently overly permissive. This highlights the need for more stringent access controls and data management practices.
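A practical first step before (or alongside) a Copilot rollout is to inventory content that is already shared more broadly than it needs to be. The sketch below, written against the Microsoft Graph v1.0 REST API, flags items in a drive that carry anonymous or organization-wide sharing links. The access token, drive ID, and the decision to check only the drive root are placeholder assumptions for illustration; a real audit would handle pagination, recurse into folders, and cover every site and drive in the tenant.

```python
"""
Minimal sketch: surface OneDrive/SharePoint items shared via anonymous or
organization-wide links ahead of a Copilot rollout. Assumes a Microsoft Graph
access token with Files.Read.All (or Sites.Read.All); ACCESS_TOKEN and
DRIVE_ID below are placeholders, and endpoint shapes should be verified
against the current Graph v1.0 documentation.
"""
import requests

GRAPH = "https://graph.microsoft.com/v1.0"
ACCESS_TOKEN = "<token acquired via MSAL or client credentials>"  # placeholder
DRIVE_ID = "<target drive id>"                                     # placeholder
HEADERS = {"Authorization": f"Bearer {ACCESS_TOKEN}"}

# Link scopes that typically indicate sharing far beyond "need to know".
RISKY_SCOPES = {"anonymous", "organization"}


def list_children(drive_id: str, item_id: str = "root"):
    """Yield the immediate children of a drive item (first page only; a full
    audit would follow @odata.nextLink and recurse into folders)."""
    url = f"{GRAPH}/drives/{drive_id}/items/{item_id}/children"
    resp = requests.get(url, headers=HEADERS, timeout=30)
    resp.raise_for_status()
    yield from resp.json().get("value", [])


def risky_permissions(drive_id: str, item_id: str):
    """Return sharing-link permissions on an item whose scope looks too broad."""
    url = f"{GRAPH}/drives/{drive_id}/items/{item_id}/permissions"
    resp = requests.get(url, headers=HEADERS, timeout=30)
    resp.raise_for_status()
    return [
        p for p in resp.json().get("value", [])
        if p.get("link", {}).get("scope") in RISKY_SCOPES
    ]


if __name__ == "__main__":
    for item in list_children(DRIVE_ID):
        for perm in risky_permissions(DRIVE_ID, item["id"]):
            print(f"{item['name']}: {perm['link']['scope']} link, roles={perm.get('roles')}")
```

Nothing in this sketch changes permissions; it simply surfaces the broad sharing links that Copilot would readily traverse, so that data owners can tighten them before the AI makes that content trivially discoverable.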

The need for independent AI evaluation

A proposal from MIT’s AI Safe Harbor initiative underscores the importance of independent evaluation of AI systems for ensuring their safety, security, and trustworthiness. The initiative calls for AI companies to provide basic protections and more equitable access for good faith AI safety and trustworthiness research, emphasizing the role of independent evaluation in fostering transparency and accountability in the use of AI technologies.

Crafting a comprehensive security strategy

Given these insights, business leaders must prioritize the development and implementation of a comprehensive security strategy to address the unique challenges posed by AI tools. At a high level, a comprehensive AI data security strategy should include:

  • Robust access controls: Implementing strict access controls and permissions to limit access to sensitive data and AI tools, ensuring that only authorized personnel can use these technologies.
  • Continuous monitoring and threat detection: Establishing systems for continuous monitoring of AI tool usage and data access patterns to detect and respond to suspicious activities promptly.
  • Data management and classification: Adopting rigorous data management practices to classify and protect sensitive information, preventing unauthorized access or leakage (a minimal pattern-matching sketch follows this list).
  • Employee training and awareness: Educating employees about the potential risks associated with AI tools and promoting best practices for secure usage.
  • Collaboration with AI providers: Engaging with AI technology providers to understand the security measures in place and advocating for features and policies that enhance the security and privacy of corporate data.
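To make the data-classification item concrete, here is a minimal sketch of a client-side check that flags obviously sensitive strings before an employee’s text reaches an external chatbot. The pattern set is an illustrative assumption, not a complete DLP rule set; a production control would rely on a maintained classification engine and sit in a proxy or browser extension rather than a standalone script.

```python
"""
Minimal sketch of a pre-submission check that flags obviously sensitive
strings in text an employee is about to paste into a chatbot. The patterns
below are illustrative only.
"""
import re

# A few common sensitive-data shapes (deliberately incomplete).
SENSITIVE_PATTERNS = {
    "credit card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def flag_sensitive(prompt: str) -> list[str]:
    """Return the labels of any sensitive-data patterns found in the prompt."""
    return [label for label, pattern in SENSITIVE_PATTERNS.items()
            if pattern.search(prompt)]


if __name__ == "__main__":
    sample = "Can you refactor this? Key: AKIAIOSFODNN7EXAMPLE"
    hits = flag_sensitive(sample)
    if hits:
        print("Blocked: prompt appears to contain", ", ".join(hits))
    else:
        print("Prompt passed the basic check")
```

Even a simple gate like this reinforces the training message above: pause before pasting anything that looks like a credential, a key, or customer PII into a chatbot.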

As AI tools like Microsoft Copilot and ChatGPT Premium become more integral to business operations, CISOs and CEOs must collaborate and take proactive steps to safeguard their organizations against data leakage and other security threats. By implementing a comprehensive internal security strategy that addresses the unique challenges of AI technologies, businesses can leverage the benefits of AI while ensuring the security and privacy of their corporate data.