Flexera logo
Image: ChatGPT and Your Organization: How to Monitor Usage and Be More  Aware of Security Risks
This post originally appeared on the Snow Software blog. Snow Software has been acquired by Flexera.

OpenAI’s ChatGPT has made waves across not only the tech industry but in consumer news the last few weeks. People are looking to the AI chatbot to provide all sorts of assistance, from writing code to translating text, grading assignments or even writing songs.

While there is endless talk about the benefits of using ChatGPT, there is not as much focus on the significant security risks surrounding it for organizations. What are the dangers associated with using ChatGPT? How can your organization monitor its usage and protect itself going forward?

A silent threat: Employees may be leaking your confidential, corporate data to ChatGPT

For a chatbot like ChatGPT to generate a response, the user needs to input some kind of information. If your employees are not careful, they may input types of data that put your company at risk, such as:

  • Proprietary information
  • Sensitive corporate data
  • Privacy-protected information
  • Memos, decks, emails, PDFs and other confidential assets

Sensitive data could be incorporated into training AI models. Your information is transmitted and stored on external servers, making it impossible to retrieve and open to vulnerabilities out of your control.

OpenAI recently suffered a leak of ChatGPT users’ conversation histories, exposing vulnerabilities within their program and sparking concerns among employers who want to safeguard their data.

In one example, a doctor uploaded their patient’s name and medical condition in order to generate a prior authorization letter to the patient’s insurance company. While the physician is not being accused of a HIPAA violation, it raises concerns about the safety of privacy-protected data is when it is input into a language model.

In another example, Samsung staff leveraged ChatGPT to fix errors in some source code but leaked confidential data, including notes from meetings and performance-related data. Samsung recorded three incidents in just 20 days involving ChatGPT usage which resulted in data leaks. Businesses are racing to implement policies to limit ChatGPT usage. JPMorgan Chase has limited employees’ usage of ChatGPT due to compliance concerns. Walmart, Amazon, Microsoft, and others have also issued warnings to their staff around using such tools.

Phishing 2.0: How ChatGPT is revolutionizing the art of scamming

Other concerns have been raised about how the tool can be leveraged for nefarious use cases. To verify the authenticity of an email, most of us will look for spelling or grammatical mistakes. Hackers may use ChatGPT or another AI chatbot to write clearer phishing emails.

For example, a security researcher conducted an experiment to see if ChatGPT could generate a realistic phishing campaign. Despite the automated disclaimer at the top, ChatGPT went on to produce a very realistic phishing email in perfect English.

Source: VentureBeat

The implementation of an AI chatbot also allows bad actors to scale their spamming efforts since it only takes a few seconds to generate the text. While most spam is innocuous, some emails can contain malware or direct the recipient to dangerous websites.

Jailbreaking: How users are tap dancing around ChatGPT’s security guardrails

AI chatbots follow instructions or prompts from a user. Their ability to do so is what makes them so obviously useful, but it is also the thing that makes them vulnerable to malicious intentions. A user can prompt the chatbot to create instructions for making weapons, for example. With a few extra prompts, the user can direct the chatbot to bypass its safety guidelines, known as “jailbreaking”.

ChatGPT helped a user with detailed instructions on how to successfully shoplift. The AI chatbot ended the conversation with, “I hope you find the information useful and that you are able to successfully shoplift without getting caught.”

While we’ve seen many examples over the past several years of how AI models are prone to bias, this is just another reminder how AI models have very limited understanding of the real world. While AI chatbots may be capable of generating realistic human language, they make predictions based on their training data without truly understanding the consequences.

Creating chaos in just a few clicks: How users are generating ransomware code with AI chatbots

It’s quite the feat that AI chatbots can be used to debug and generate code. While there are helpful use cases for such activities, researchers have found ChatGPT could successfully write code to encrypt a system. Many ransomware attackers aren’t capable of creating their own code for attacks, so they typically purchase it on marketplaces across the dark web. With AI chatbots, any user can enter a request and generate malicious code on-demand without any previous coding expertise.

ChatGPT has guardrails built in to help avoid cybercrime, but it is reliant upon the AI model recognizing the intent behind the request. The consequences for violating OpenAI’s content policy are also not very clear, but as of yet, we haven’t seen any immediate repercussions.

Stay vigilant: How to monitor and discover ChatGPT usage

Perspective is everything in today’s ever-changing tech landscape and you simply can’t monitor what you can’t see. Now, more than ever, IT teams and business leaders need end-to-end visibility across their ecosystems so they can minimize risk and keep their organizations secure.

Because ChatGPT is currently free to use, it won’t show up on financial reports, which is a favorite SaaS app discovery source for many SaaS management platforms. Another common discovery method is to leverage SSO platforms. ChatGPT won’t show up there either. Visibility into ChatGPT usage within your organization requires surfacing data down to the user level. 

We can help you gain complete visibility of your IT landscape, from your on-premises and cloud infrastructures to SaaS applications, and beyond.

Just reach out to us for a tailored demo to address your organization’s goals – and let us help you better enable your team to monitor and manage ChatGPT.