Hi, I'm Tony Morbin, Chief of News Editor for ISMG. Welcome to our podcast discussion on ChatGPT and generative AI, balancing risks and rewards. It's my great pleasure to welcome to the conversation our subject matter expert, Rodman Ramazanian, Global Threat Lead at SkyHigh Security. Thanks for joining us, Rodman.
Hi, Tony. Thanks for having me. It's great to be here. Excellent.
Now, we've chatted before on some of these issues, so I'm really interested to hear your point of view on this. What are the greatest security concerns that people have when it comes to using generative AI to boost their productivity? And are these concerns justified? Yeah, look, it's a common question.
And I mean, I would start by saying, unless anyone's been living under a rock, you surely have read or heard about ChatGPT by now and many of these AI services. It's just one of many AI-driven chatbots that's attracting millions of active users per day, and it's fueling all sorts of different ideas and use cases from writing technical business papers, inferring insights from data, explaining really complex terms in layman's words, and so much more. So as it stands, the possibilities of ChatGPT are potentially endless, but a lot of the security concerns that come from the fact that AI and, you know, I guess the sheer innovation behind it, it isn't really yet understood all that well. You know, the incredible algorithms and learning models that make it so powerful, they're all abstracted from us.
And, you know, it's almost like having the world's smartest, most resourceful person at your fingertips in this form of a black box that just turns basic requests, you know, in plain English, into really useful answers and outcomes. So, you know, as corporate employees start using AI services like ChatGPT in the workplace, security teams are concerned about where their data may be going, how it's being used in these services, what the service's own models are learning from their sensitive data, and so on. And, you know, if you imagine a hypothetical scenario where an internal engineer, you know, inputs some proprietary data into ChatGPT and it asks the bot to analyze it or carry out some sort of function. Without knowing where the data's gone or how it might be used elsewhere, it can lead, you know, to some pretty dire consequences for both the employee and the company.
So I guess to answer your question, yeah, I would say there is some substance to the concerns lately. Now, that data leakage, you know, some organizations have reacted by completely banning the use of certain generative AI offerings, in particular ChatGPT. So what are the pluses and minuses of taking such a drastic approach? Yeah, you know, honestly, here at SkyHigh Security, where we're asked at least on a daily basis about how, you know, they can reduce some of the risk space or prevent things like data loss from using something, you know, as powerful as ChatGPT.
And I would say that in short, you know, if you've got the right data protections in place, then you should really have your bases covered. Now, obviously, there are no right or wrong approaches to this. As I'm sure you'd agree, a lot of organizations have varying degrees of risk appetite and tolerance. That might be because of their industry vertical or the sensitivity of their work and so on.
And as you've said, a lot of organizations take what some may consider a heavy-handed approach of just outright blocking these kinds of services like ChatGPT. So just completely blocking access to them entirely. And, you know, you've got global companies like Apple and Samsung and Verizon choosing to take this approach. But what tends to happen, you know, going down that path is it drives people to go exploring and testing the boundaries to find alternatives.
And, you know, when you've gone ahead and explicitly blocked all the known AI services that you have some knowledge on, a lot of the unknown ones that you've probably never heard of before or have any understanding of their risks, they're the ones that are left on the table for the users to find instead. And you end up making the situation kind of worse because it forces people to the potentially riskier and, you know, more obscure options that nobody knows anything about or might be flying under the radar. And I'd also say that, you know, with the fast growth of AI that we spoke about, you know, it'll eventually make individually blocking these services pretty difficult. You know, even at SkyHigh, we specialize in this sort of thing, you know, populating web and cloud categories and assessing risks.
They've grown from, you know, 200 or so about a year ago or less than 12 months to over 600 now. And, you know, even just agnostically, whether you're using our risk register or some other third-party service, what's bound to happen is that there'll be some delta between when these things come online to the world and when they're analyzed and categorized by the service. So you ultimately face more risk by taking that blanket block approach. And to be blunt, I think any web proxy worth its weight can implement a standard block rule.
You know, there's nothing special or elegant about that whatsoever. But we mentioned there, obviously, blocking. You brought up the topic of risk registers. So what are some of the tools and approaches that we can, that are being used now to reduce the risks associated with generative AI?
And what are your views on each of these? And why do people find it so hard to tackle the problem anyway? Yeah, I think when you peel it back a layer, it's like what cloud-based emails and cloud infrastructure was back a decade ago or two. At first, the dominant view was, you know, email is far too critical to trust the cloud for.
Or, you know, we just don't need it that badly. Or it's not worth the risk. Or we don't see the business value. But if you imagine, you know, the world we live in right now, we found our emails successful by the cloud or without being able to shift our servers and workloads to the cloud.
It's just, it's not possible, you know. And there's no denying that ChatGPT and all these great generative AI services, you know, as you said, can lead to more productivity, more efficiency in the workplace. But there's this dilemma you mentioned of making sure it's only used securely without compromising corporate data or violating any regulatory policies and so on. And I think that's what makes this issue so hard to tackle with just a blanket approach.
You know, you've already mentioned what approach is just to explicitly block. Some organizations see value in permitting the use of AI chatbots, but they want to ensure that the data remains secure. And there's a couple of ways of seeing that proverbial cat today. One option is to use activity controls to permit an AI-based application like ChatGPT, but to prevent certain activities like uploading files or sending prompts even beyond a certain amount of characters.
Another recommendation is to coach users rather than just plainly saying, nope, you can't go there. So there are a number of different ways we can help organizations do that. And specifically at SkyHigh, what's your approach to help your customers get the benefits of generative AI and, as you say, retain control over their data or at the very least mitigate these risks? And also your views on walled garden approaches and the various options that there are.
You know, what would SkyHigh recommend? Yeah, well, I think the reality is that with generative AI and these chatbots being such an exciting and popular domain and, you know, adoptions and keep on growing in incredible rates, you know, to put into perspective, already, according to our global telemetry from the first half of this year alone, close to a million of our users have accessed ChatGPT through corporate infrastructures. Now, if you are a SkyHigh customer, you know, the good news is you already have the tools you need. You can use our categories.
You can use our coaching pages to create a really effective tailored education and coaching for the users. And they're really simple to enable. I suspect most people know about those already. But I'd also say that for us at SkyHigh, you know, our ethos as a company is to protect the world's data.
And I would say that with that focus specifically on data protection, we're enabling organizations to safely use and embrace these innovative technologies without compromising data security or opening the floodgates to risk. And, you know, I mentioned an example earlier that we can limit activities like uploading or submitting certain texts into these services. We can do that based on keywords, like if you've got secret patents or code words or project names, character limits. So that example we spoke about earlier about an internal engineer could be pasting source code or, you know, other proprietary stuff, regulatory checks, like if somebody pasting credit card details and financial records and so on.
We can even forcibly disable services like ChatGPT from remembering chat histories and, you know, being able to train on its data because there are disclaimers, of course, that say, you know, if you tick this box, you agree that we can retain your past submissions and requests and we can learn off that. We can even force these services to disable that feature entirely. So, again, there are a number of different ways that we at SkyHigh can help organizations do that. But I think the key is rather than, you know, taking that one size fits all approach of just blocking something or banning users from going there.
I think coaching them and providing them secure ways of adopting these things is what's gonna make the most difference. And we've been talking really there about the risks from the inadvertent risks from users. We're not really covered the risk already reality of attackers using generative AI, whether that's to search for vulnerabilities, write malware code or convincing lures, whatever they might be doing with AI. How do we deal with this new we rush into explicitly blocking things and taking those more extreme approaches of, you know, I think we should work towards adopting a mature data protection regime.
And I say that because it's a company's data that's arguably more important than anything else, you know, and when you've got these new and exciting services and apps coming online that, you know, to your point earlier, offer really great business productivity and efficiency, you absolutely should be able to embrace these kinds of things and enable secure usage without putting your business operations at risk. You know, I think that old adage of, you know, security should be an enabler and not an inhibitor. I think taking a more data-centric approach or protecting data will go a long way to tackling a lot of the concerns we spoke about today because if you're focusing on protecting your data, it really doesn't matter if, you know, if it's an AI service of today or tomorrow, or, you know, in a year's time, there's some other new flashy service. I think if you're protecting your data, ultimately, you're eliminating all the risks that come with those.
Well, that's some really good advice, sir. And I didn't realise there were 600 various generative AIs out there. Thanks for sharing your insight and expertise today. Thank you for joining us, and I hope we've provided some useful data points to help your organisation address the issue of ChatGPT and generative AI, balancing risks and rewards.
Right, MG, I'm Tony Morbin. Thanks again, Rodman.