The increasing integration of artificial intelligence (AI) in the workplace is driving a surge in data usage, presenting new challenges for safeguarding sensitive information.
A recent report by the data security firm Cyberhaven, titled “The Cubicle Culprits,” explores AI adoption trends and their associated risks. The report, released in May, is based on usage data from three million workers and examines how AI adoption impacts data security in corporate settings.
The evolution of AI technology resembles past technological advancements like the internet and cloud computing. Like the early adopters of those technologies, companies today are grappling with the complexities introduced by widespread AI use, according to Cyberhaven CEO Howard Ting.
“Our findings on AI usage highlight both the transformative effects of these technologies and the emerging risks, which could mirror those experienced during previous technological shifts,” Ting told TechNewsWorld.
AI Usage Outpacing Corporate IT Oversight
The “Cubicle Culprits” report highlights a rapid increase in AI adoption within workplaces, often surpassing the oversight capabilities of corporate IT departments. This trend is leading to the proliferation of risky “shadow AI” accounts, which handle a growing amount of sensitive company data.
AI tools from major providers—OpenAI, Google, and Microsoft—account for 96% of workplace AI usage. Research indicates a dramatic 485% increase in the entry of sensitive corporate data into AI tools between March 2023 and March 2024. Despite this growth, AI tool usage remains limited, with only 4.7% of employees in finance, 2.8% in pharma and life sciences, and 0.6% in manufacturing utilizing these tools.
Notably, 73.8% of ChatGPT usage occurs through non-corporate accounts, which integrate shared data into public models, raising significant security concerns, Ting warned.
Sensitive Data Exposure Risks
The report shows that a substantial portion of sensitive corporate data is being sent through non-corporate accounts, including about 50.8% of source code, 55.3% of research and development materials, and 49.0% of HR and employee records.
Data shared through non-corporate accounts often ends up in public models. The proportion of non-corporate account usage is even higher for Gemini (94.4%) and Bard (95.9%).
This trend indicates a critical vulnerability, as non-corporate accounts typically lack robust security measures. The rate of sensitive data input into AI tools has increased from 10.7% a year ago to 27%, with significant risks related to confidential documents. For instance, 82.8% of legal documents entered into AI tools were sent to non-corporate accounts, potentially exposing them publicly.
Challenges in Data Protection
Ting highlighted the challenge companies face in controlling the flow of sensitive data. Many rely on data security tools that only scan for content type without considering the context of data movement—such as whether it originates from a corporate or personal account.
Educating employees about data leakage risks can be part of the solution, but effectiveness depends on timely intervention. Ting noted that immediate feedback, such as popup messages during risky activities, can reduce problematic behavior by 90%.
Cyberhaven’s Data Detection and Response (DDR) technology provides a contextual understanding of data movement, distinguishing between corporate and personal accounts. This enables companies to enforce policies that block sensitive data from being entered into personal accounts while permitting its use in enterprise accounts.
Surprising Findings on Insider Risks
Cyberhaven’s analysis also revealed unexpected findings regarding insider risks based on workplace arrangements. Contrary to the assumption that remote workers pose the highest risk, in-office employees are now leading in data exfiltration incidents.
Office-based workers are 77% more likely than remote workers to exfiltrate sensitive data. Moreover, when these workers access systems from offsite locations, the likelihood of data exfiltration increases by 510%, highlighting a critical risk period for corporate data, Ting noted.