Defending against AI’s dark side

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

February 8, 2023 - Whilst artificial intelligence (AI) is still new and exciting, it's no different from any other technology. If you decide to implement it within your organization, make sure you're aware of the potential risks of exposure.

We’re aware of the benefits of AI, but with 35 percent of businesses now embracing it, the focus must shift towards how to prepare for when something goes wrong. This includes understanding how AI can be exploited to deceive, manipulate, or harm organizations, and tools to help defend against and mitigate risks.

AI being used disingenuously

A major risk associated with AI is the ability for people to pretend to be something they’re not. For instance, AI can make CVs (or resumes) look fantastic and the process of building them much quicker. In an increasingly competitive job market, graduates are using the likes of OpenAI or ChatGPT to write cover letters alongside CVs. Though this helps some advance through recruitment screenings, businesses find that when a candidate is called for an interview, there’s disparities between the qualifications on paper and the person sitting across the desk.

Similarly, financial institutions often use online forms and AI to determine whether to grant someone a loan or credit. Automating processes like this means that companies aren’t always meeting people face to face, making them a prime target for those wanting to exploit the system.

In a twist on traditional whaling attacks (a type of spear-phishing attack targeting senior executives), there are recent reports of fraudsters using AI to deepfake requests on behalf of the Chief Financial Officer (CFO).

These examples highlight the need for businesses to be cautious, implement robust screening processes, and provide stakeholder training.

Unethical business practices

AI can maximize business advantages through improved online dynamic pricing strategies. Ninety-four percent of shoppers compare prices of products while online shopping, and algorithms monitor that user behavior to offer personalized pricing based on spending habits. However, businesses may be tempted to engage in deceptive pricing strategies, exploiting the algorithms to gauge consumer willingness to pay instead of offering the appropriate price.

This manipulation extends beyond price adjustments. Companies could employ sophisticated algorithms to predict and influence consumer behaviour, potentially crossing ethical boundaries by capitalizing on individual preferences or vulnerabilities.

Insider and third-party risks

Insider threats add another layer of complexity, where disgruntled employees with access to AI algorithms could sabotage operations or compromise sensitive data. By intentionally feeding confidential data into generative AI systems, employees could expose organizational secrets to potential hacking, threatening businesses and clients with significant security risks. In early 2023, a global electronics company banned employees from using AI after it was identified that sensitive internal information had been leaked by an employee using AI for work-related purposes.

Many companies depend on third-party providers for essential data and services. However, this partnership introduces risks as the third party may have different biases and a risk tolerance that doesn’t align with the company's expectations or standards. This mismatch can lead to vulnerabilities, including rushed development that’s lacking in security measures and increased susceptibility to manipulation.

Risk defence

Security is based on three principles: confidentiality, integrity, and availability, and any controls being put in place are to protect these. As techniques advance in the ability to attack those principles, defences must become more advanced. Companies can mitigate risks through:

  • Comprehensive defence strategy: It's important for businesses to vet and monitor AI systems, assess the reliability of third-party involvements, and support against a wide array of potential threats, including those posed by disingenuous users and corrupted algorithms.
  • Responsible governance and disclosure: Threats to cybersecurity and moral dangers need balanced governance. The absence of proactive measures could lead to not just reputational damage but also an erosion of trust in entire industries.
  • Responsible AI practices: From developers to businesses, responsible AI practices such as a human-centered design approach, privacy and security of data, transparency, and accountability must be ingrained at every value chain stage.
  • Regulatory compliance: Stay up to date with evolving regulations and standards related to AI and cybersecurity, such as ISO 27001 or the National Institute of Standards and Technology (NIST) cybersecurity framework. Ensure compliance with relevant regulations to avoid legal and regulatory risks.

The transformative power of AI is undeniable. However, its responsible operation demands a collective effort and balance between technological advancement and ethical responsibility. Only through proactive and robust defence and an industry-wide commitment to ethical AI practices can businesses and societies harness its full potential while safeguarding against the inherent risks.

Read more on how AI is impacting organizations in Unlocking trust in AI by Mark Brown, Navigating generative AI and compliance by Conor Hogan and The impact of AI and ML on cybersecurity by Alessandro Magnosi.

Visit BSI’s Experts Corner for more insights from industry experts. Subscribe to our Experts Corner-2-Go LinkedIn newsletters for a fortnightly roundup of the latest thought leadership content: digital trust, EHS, supply chain.

Terry Minford

Terry Minford

Terry is an international IT security and compliance professional with 17 years of experience managing IT risk, audit, and compliance functions and 26 years of IT security and commercial experience overall. Terry has extensive knowledge in the areas of security, governance, ISO 27001 certification, PCI certification, IS training, risk and compliance, including regulatory, data protection and internal audit, reporting directly to the CEO/board-level of the business in the role of CISO and Data Protection Officer.

Ask the Experts

We want to hear from you! Our experts have over 50 years of combined experience in the environmental, health & safety, digital trust, supply chain, and security & resilience industries. Take advantage of their knowledge; submit a question today.

Ask now