Fifth of CISOs Admit Staff Leaked Data Via GenAI

One in five UK companies has had potentially sensitive corporate data exposed via employee use of generative AI (GenAI), a new report has revealed.

London-headquartered cybersecurity services provider RiverSafe polled 250 CISOs nationwide to compile its new report, Underfunded and Under Reported: Threats, Breaches, and Budgets.

The data leak risks of unmanaged GenAI use help to explain why three-quarters of respondents (75%) claimed that insiders pose a greater risk to their organization than external threats.

Samsung was an early and notable victim of just such a data leak incident. The tech giant was forced to ban the use of GenAI after staff on separate occasions shared sensitive data, including source code and meeting notes, with ChatGPT.

When internal data is entered into tools like ChatGPT, there’s a risk that it could be resurfaced to other users outside the company.

UK CISOs are concerned not just about the risks associated with employee misuse of AI, but also about the technology being used by threat actors. A fifth told RiverSafe they believe it’s the biggest cyber-threat facing their organization.

The UK’s National Cyber Security Centre (NCSC) warned in January that GenAI is already being used to improve social engineering, and will “almost certainly” drive an increase in the volume and impact of cyber-attacks over the next two years.

“As the complexity of AI-driven cyber-threats continues to evolve, proactive measures are essential to safeguard sensitive data assets and mitigate the risks posed by insider threats,” explained RiverSafe CEO, Suid Adeyanju.

“A revised and up-to-date cyber strategy should no longer be a second thought, but instead a priority for all organizations to mitigate risk, especially when considering ever increasing use of AI.”

The report also suggested that AI use may indirectly be harming investment in cybersecurity.

Two-thirds (65%) of responding CISOs claimed that AI has limited their cybersecurity budget, because boards expect the technology to supercharge the productivity of existing teams.

However, those teams are already being stretched to the limit – with 83% of respondents admitting their organization currently has a cyber skills gap.