Four keys to help businesses combat shadow AI

cybersecurity
Image Credit: Shutterstock (Image credit: Shutterstock)

The advent of artificial intelligence (AI) ushered in an era of unprecedented innovation and efficiency across various industries. However, alongside these advancements, a new challenge has emerged in the form of "shadow AI." This term refers to the unapproved use of consumer-grade AI tools by employees within business environments. With nearly 50% of the general population using generative AI, the phenomenon of shadow AI raises critical concerns regarding data security, compliance, and privacy.

Organizations must learn to navigate the complexities of this emerging trend to safeguard their operations and maintain control over their technology infrastructure. With that in mind, here are four key strategies for organizations to combat the threats posed by shadow AI.

Marcin Kleczynski

Founder and CEO, Malwarebytes.

1. Proactive web filtering to stop the use of AI tools

Right now, most AI use involves a web browser where employees run the risk of sharing highly sensitive data or intellectual property. Proactive web filtering can stop the use of the online AI tools. This strategy involves using DNS (Domain Name System) filtering which is a technique used to control access to websites and online content by filtering DNS queries based on predefined criteria. 

In other words, it involves intercepting DNS requests and either allowing or blocking access to specific websites or categories of websites based on policies defined by administrators. Organizations can use DNS filtering for content control to enforce acceptable use policies, restrict access to inappropriate or non-work-related content, and promote productivity and compliance.

In this specific case, IT teams can use DNS filtering to block access to AI websites such as OpenAI's ChatGPT, Google's Gemini, and others. So, if organizations want to reduce the risk of their employees potentially entering confidential company information via a browser into these AI tools, then they can use DNS filtering to block access to those web pages. In this way, organizations can significantly reduce the attack surface and opportunity for losing confidential data.

2. Regular audits and compliance checks

For any cybersecurity threat, regular audit and compliance checks are essential for organizations to maintain adherence to security standards and regulatory requirements. These audits serve as a proactive measure to identify and address potential vulnerabilities.

For shadow AI, the audit process begins with assessments tailored specifically to AI tools and infrastructure, involving systematic testing and analysis to identify any weaknesses and potential entry points. Next, compliance checks ensure that AI initiatives align with industry-specific regulations and standards governing data protection and cybersecurity. These checks verify that AI systems adhere to legal requirements, such as data privacy laws and industry guidelines.

Additionally, employees must be equipped with a clear policy on AI use. Doing this fosters ethical, responsible, and consistent application of AI technologies while also protecting data privacy and facilitating compliance with regulations.

3. Ongoing staff education and awareness training

Auditing and compliance checks are essential, but they are insufficient without continuous education efforts. An organization’s lack of awareness makes it vulnerable to cyber-attacks and hinders recovery efforts, despite the increasing frequency and sophistication of these threats. Training and awareness are critical components of any comprehensive cybersecurity strategy, particularly regarding emerging threats like zero-days. 

Regular training sessions are essential to educate employees about potential security challenges. These sessions not only help employees spot threats more easily but also foster a greater understanding of the consequences of a breach. Additionally, to support policies on sanctioned AI use, employees must be educated on the dangers of shadow AI. This ensures that all AI initiatives are approved and compliant with security measures.

Encouraging awareness leads to staff members gaining insights and feeling empowered to recognize and report suspicious activities. This proactive approach mitigates threats more swiftly, providing an additional and crucial layer of defence.

4. Fostering a culture of transparency and openness

Finally, there is no doubt that a collaborative approach strengthens any organization and a crucial component of enhancing overall cybersecurity posture. Therefore, encouraging transparency and openness is crucial for effectively managing shadow AI risks. Just like how establishing a culture where there’s open communication between IT teams and employees, promotes a better understanding of security threats and protocols, the same applies to AI applications – sanctioned, shadow, and learning to tell the difference.

So, where do we go from here? With two-thirds (64%) of CEOs worrying about cybersecurity risks associated with AI and 71% of employees already having used generative AI at work—with that number only set to increase—there is no time to waste. Delaying the implementation of these strategies will only further expose your organization to threats. It’s time to step up, acknowledge the challenges, and act.

We've featured the best identity management software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Marcin Kleczynski, Founder and CEO, Malwarebytes.