TLDR: Generative AI tools like ChatGPT, while boosting productivity, pose significant cybersecurity risks for South African businesses. Experts, including Integrity360 CTO Richard Ford, warn that attackers can exploit employees’ personal AI interactions, creating ‘blind spots’ for traditional security measures. The accumulation of personal data shared with AI for non-work tasks can be leveraged for highly personalized social engineering attacks, as highlighted by recent Microsoft SharePoint hacks.
While generative AI tools such as ChatGPT and Copilot are increasingly recognized for their ability to enhance workplace productivity, experts are issuing a stern warning to businesses in South Africa regarding the new cybersecurity risks they introduce. Richard Ford, CTO of Integrity360, emphasizes that these tools, while serving as ‘go-to assistants’ for many office workers in tasks ranging from drafting emails to brainstorming, create a significant and often ‘overlooked cybersecurity risk’ stemming from employees’ ‘unsupervised’ digital lives.
Ford highlights that the core of this emerging threat lies in the ‘subtle, continuous stream of data’ employees share with generative AI for personal, non-work-related activities. This includes using AI to plan holidays, summarize personal documents, or even generate social media posts. ‘Many are even, disconcertingly, starting to use AI as therapists,’ he noted. Each such interaction, though seemingly innocuous, contributes fragments of personal information – including interests, communication styles, routines, and even emotional states – to a larger digital profile.
This accumulation of personal data presents a ‘goldmine’ for cybercriminals. Ford explains that if attackers gain access to this ‘treasure trove,’ potentially through a breach at a major AI provider, they could ‘leverage the aggregated personal data… to craft hyper-effective and deeply personalised social engineering attacks.’ He clarifies that the risk extends beyond employees accidentally inputting company secrets, which is a ‘known risk.’ Instead, an attacker scraping personal AI chats could uncover deeply personal details, such as upcoming travel plans, children’s school attendance, frustrations with internal systems, or an employee’s state of mind.
Also Read:
- Generative AI Fuels Rise in Phishing Attacks, New Reports Indicate
- Securing Non-Human Identities: The Challenge of AI Governance in the Enterprise
Traditional corporate security measures are largely ‘blind to this,’ as they are not designed to monitor personal devices or activities. This creates a critical ‘blind spot’ for organizations, which Ford suggests only specialized cybersecurity providers can effectively address. The warning comes in the wake of recent hacks on Microsoft SharePoint servers by Chinese ‘threat actors,’ which targeted business data. Microsoft responded with security updates and advised on-premises SharePoint server customers to install them, cautioning with ‘high confidence’ that unpatched systems would remain targets. Ford views this breach as a ‘powerful reminder that even the most robust digital ecosystems are not invulnerable,’ and that such compromises could expose ‘a vast amount of seemingly benign data to malicious actors – perhaps even the treasure trove of personal AI data.’
