Many organizations use artificial intelligence (AI) to optimize processes, analyze data, diagnose and treat patients, and customize user experiences.
We recently wrote about the privacy and cybersecurity risks with AI. Since that time, the use of AI has continued to expand, and the Canadian Centre for Cyber Security has now issued an awareness bulletin on the significant risks posed by generative AI.
In this blog we provide an overview of the risks outlined in the bulletin and what your organization can do to mitigate those risks.
What is generative AI?
The bulletin focuses on generative AI – this is the type of AI that is used to generate new content by modelling features of data from large datasets fed into the model (think ChatGPT, Bard and Bing). This AI can be used to generate content in many forms including text, image, audio and software code. As a result, it is currently used in a number of areas including health care, software development, online marketplaces, business, publishing and media, education and cybersecurity.
What are the risks?
The Centre emphasizes that, while the capabilities of generative AI present great opportunities, they also bring many concerns from a cybersecurity standpoint.
Some of the key risks in generative AI that the Centre has identified are as follows:
- Using content for misinformation and disinformation and as part of scams and fraudulent campaigns against individuals and organizations
- Creating sophisticated and highly realistic phishing emails and scams that lead to identity theft, financial fraud and other cybercrime
- Users supplying confidential corporate and personal information in queries and prompts, allowing threat actors to harvest and misuse this information
- Creating malware for use in targeted cyberattacks
- Deliberately or inadvertently introducing unsecured or buggy code in software development
- Injecting malicious code into datasets which undermine the accuracy and quality of content and boost the chance of large-scale supply-chain attacks
- Fundamental bias and prejudice as a result of reliance on content
- Stealing corporate data faster and in bulk, including proprietary business information and intellectual property
How can you mitigate risks for your organization?
The Centre recommends the following to minimize the risk of compromise resulting from cyberattacks that leverage generative AI:
- Implement strong authentication mechanisms including multi-factor authentication (MFA)
- Apply security patches and updates
- Stay informed of latest threats and vulnerabilities
- Protect networks using network detection tools to monitor and scan for abnormal activities
- Train employees on the risks and how to respond to attacks
- Establish and implement generative AI usage policies that include guidance on how to use technology in a way that avoids compromises to your organization’s data and intellectual property and to improve the quality of outputs
- Choose tools from security-focused vendors
- Avoid the use of sensitive corporate or personal information with AI
If you’re interested in learning more about generative AI and mitigating the risks within your organization, the lawyers in our Privacy, Data Protection & Cybersecurity group have wide-ranging experience helping a variety of organizations in this area. We can help you implement these recommendations and establish AI policies for your organization. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.