AI Data Breach Risks

AI-based data incidents are on the rise in Australia. 60 per cent of Australian organisations that have deployed AI assistants beyond a pilot stage have stated that they are not confident they have adequate security controls.

AI assistants are closely following email, SaaS and cloud applications as the most common attack vectors for Australian organisations. Without significant change in the security of AI systems, breaches are likely to become much more common. Running untrusted code, mishandling sensitive data and losing control of credentials are long-standing challenges, and AI now reproduces them at machine speed and scale.

What you can do as an employer

People, not technology, are the greatest vulnerability in an organisation’s security posture, with 74% of all data and security breaches having a human element. This should be addressed by focusing effort and investment on initiatives that reduce human-centric cyber security risk and uplift the organisation’s security culture.

As an employer, three things you can do to prevent cyber breaches and address AI security risks are:

Training

Adequately training your employees on AI educates them in safe practices that mitigate the risk of a breach, while equipping them with the knowledge to innovate, improve decision-making and solve complex problems with AI.

To effectively roll out cybersecurity and AI training, you can:

• Create live training scenarios

Test the readiness of your organisation to implement AI by creating live scenarios and problem solving. Test the ability of your workforce to deal with real-world situations by having your IT provider send fake phishing emails to staff. This lets you track how many people click on them, determine what is catching people out, and then tailor further training to the problem areas.

• Communicate regularly

Make sure you communicate the latest developments in cybersecurity to your staff, as new cyber threats are appearing all the time.

• Offer continuous training

Offer cybersecurity and AI training throughout the year, tailored to the different levels of roles within your organisation.

• Make cybersecurity part of company culture

From the moment someone is onboarded, make cybersecurity and AI training part of the onboarding process to embed it in your company culture.

Policy Enforcement

An important step in addressing the risk of cybersecurity and AI breaches is to have an AI Use policy and roll it out for immediate enforcement. An AI Use policy provides the following benefits:

• Legal and regulatory compliance

Currently, Australia does not have specific, mandatory AI legislation. However, AI does fall under existing laws such as privacy and consumer protection. Having an AI policy therefore helps keep your organisation’s practices in line with those laws, as well as Australia’s AI Ethics Principles.

• Data privacy and security

Organisations should have policies that clearly define the processes around AI use and the measures in place to prevent data breaches.

• Risk management

Clear internal policies minimise operational risk and prevent the misuse of AI by employees, which could otherwise lead to errors, delays, data breaches or safety issues.

• Ethical and transparent decision-making

Additionally, having the correct policies in place for AI enforces responsible development and deployment of AI across your organisation, and clarifies accountabilities and responsibilities regarding AI use.

General Awareness

Increasing employee awareness leads to the biggest improvement in cyber security. Through training and policy enforcement, your organisation will develop a greater awareness of AI and cybersecurity risks. You can also build general awareness by incorporating AI breach risks into standard workplace conversations. When new projects or work are undertaken, it should be standard practice to discuss where there may be risks of cybersecurity and AI breaches and what needs to be done to mitigate them. Having these conversations increases general awareness of AI and its proper use, and grows a strong company culture around cybersecurity.

How to address a breach

If you encounter a breach within your workplace, the steps to take in response as an employer include:

Reporting

If your organisation is bound by the Privacy Act 1988 and a breach occurs, you must promptly notify any individual who is at risk of serious harm as a result. In addition, you must report it to the Office of the Australian Information Commissioner (OAIC) if the breach is identified as eligible.

A breach is considered eligible for reporting when the following criteria are met:

• There has been unauthorised access to, or disclosure of, personal information held by your organisation.
• It is likely to result in serious harm to any of the individuals to whom the information relates.
• Your organisation has been unable to prevent the likely risk of serious harm with remedial action.

To notify the OAIC, you must fill out the online form and include the following information:

• Organisation name and contact details.
• A description of the breach.
• The kinds of information involved.
• Recommendations about the steps individuals should take in response to the breach.

In addition to notifying the OAIC, you should notify the Australian Taxation Office (ATO) so it can apply measures to protect client accounts. The ATO may then apply treatment options to any files affected by the breach, which may include additional proof of identity, additional monitoring processes, additional security measures and the appointment of a data breach manager.

Performance management

When a breach results from human error, it is crucial that you address it with the individual involved. Talk with them to understand what they did that caused the breach, and work to identify where they failed to meet internal policies.

Based on the situation, you can then evaluate and determine the next steps for managing the employee, whether that be dismissal or a written warning. It is important that you do not downplay the severity of the situation and that you make it explicitly clear it cannot happen again.

Additional training

When a breach occurs, it is important to assess where additional training is required to prevent a repeat. Engage employees in further education on how to handle sensitive information and reinforce company policies around AI use.

If you would like more information on AI data breaches and how best to mitigate those risks as an employer, contact us via the link below.