Why Not Prevent AI Data Breaches?

To state the obvious, AI data breaches and leaks will damage your business. Even sharing sensitive or protected information internally will cause problems.

Less obvious is the fact that you have already shared information that should not be shared. You should expect that private, sensitive, and protected information in Google Workspace or Microsoft 365 has been shared inappropriately with people within your company, outside your company, and/or publicly.

Not obvious to most is the fact that integrated AI tools, like Google Gemini and Microsoft Copilot, will find, use, and share any information the tool can access.

Just because an employee or a customer has never reported seeing something they shouldn’t have does not mean they have not done so. Nor does it mean they will not see something that should be secure in the future.

The Problem

The problem we face: the myths we believe when it comes to our own information security and the risk of AI data breaches.

Myth 1 – Oversharing Does Not Happen

What do we mean by oversharing? Oversharing is when somebody grants access to information (files or folders) in a way that unintentionally gives others access to it, directly or indirectly.

Most often, this happens when sharing a file or folder by link in an email or chat. You are prompted by the system to grant access. Typically the prompt is to give view access to “Anyone with the link” or “Anyone within your company.” This one-click option is easier than finding the file and editing the permissions.

The risk, of course, is that “anyone with the link” can be anybody, inside or outside the company, to whom the message is forwarded or who is added to a reply.

And “anyone within your company” means just that. They may not see it if they never search for it or for something similar.

Myth 2 – Security Breaches Require a Deliberate Act

We want to believe that our employees would never intentionally breach security or leak sensitive information. When we equate intentional acts with deliberate acts, we forget that many user actions can, and will, intentionally share information beyond what is appropriate.

With email, we diligently warn people that clicking the wrong link is damaging and to remain vigilant. We are not nearly as diligent when it comes to files and folders. Most of us assume that the permissions set on files and folders will keep us safe.

Myth 3 – Google Workspace and Microsoft 365 are Secure

Like most myths, this myth is partially true. Both Google and Microsoft aggressively secure their cloud services and have a “shared responsibility” security architecture.

Microsoft and Google secure the services they provide to ensure only authorized users can access the services. They also provide the infrastructure for you to manage user accounts, access, and permissions. You are responsible for the security of your data within Google Workspace and Microsoft 365.

As an example, both services allow you to block external file sharing. If you choose to allow external file sharing and a file is mistakenly shared externally, this is your issue to resolve.

The Reality

When you use Microsoft Copilot and Gemini AI, the tools have access to data according to the access available to each user. If a user has inappropriate access to confidential information, Copilot or Gemini has access as well.

Since the AI tools will collect, analyze, and integrate multiple relevant sources, the AI tools are more likely to find and use the information.

The Solution

Ensuring that your information is properly protected as you begin using AI tools is not easy. The solution for preventing AI data breaches, however, does not need to be difficult or expensive. 

Data Loss Prevention

Modern Data Loss Prevention (DLP) services give you the ability to:

  • Set policies and rules for handling sensitive and protected information
  • Analyze the content of files and folders against the policies and rules
  • Notify, report, and automatically mitigate any violations

Mitigation can include redacting sensitive information and/or modifying permissions to bring them into compliance.
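
The link-sharing exposure described under Myth 1 and the three DLP steps listed above (set rules, analyze content, report and mitigate) can be sketched in a few lines. This is an added example, not code from the original article or from any DLP product; the sample records are constructed and shaped like Google Drive API v3 file metadata, and the rule names and finding fields are hypothetical.

```python
import re

# Constructed sample data, shaped like Google Drive API v3 file resources
# (permission "type" is user, group, domain, or anyone). Contents are made up.
FILES = [
    {"name": "payroll-2024.csv", "text": "Jane Roe, SSN 123-45-6789, salary 91000",
     "permissions": [{"id": "p1", "type": "user", "role": "owner"},
                     {"id": "p2", "type": "anyone", "role": "reader"}]},
    {"name": "lunch-menu.txt", "text": "Tuesday: soup and salad",
     "permissions": [{"id": "p3", "type": "anyone", "role": "reader"}]},
    {"name": "card-on-file.txt", "text": "Visa 4111 1111 1111 1111 exp 01/30",
     "permissions": [{"id": "p4", "type": "domain", "role": "writer"}]},
    {"name": "hr-notes.txt", "text": "Employee SSN 987-65-4321",
     "permissions": [{"id": "p5", "type": "user", "role": "owner"}]},
]

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Policy rules (hypothetical names): return the rules the content matches."""
    hits = set()
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", text):
        hits.add("us_ssn")
    for m in re.finditer(r"\b(?:\d[ -]?){13,16}\b", text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("payment_card")
    return sorted(hits)

def audit(files):
    """Report files that match a rule AND are shared by link or company-wide."""
    findings = []
    for f in files:
        rules = find_sensitive(f["text"])
        broad = [p for p in f["permissions"] if p["type"] in ("anyone", "domain")]
        if rules and broad:  # the ids listed are what a mitigation step would revoke
            findings.append({"file": f["name"], "rules": rules,
                             "exposure": [p["type"] for p in broad],
                             "remove_permission_ids": [p["id"] for p in broad]})
    return findings

print(*audit(FILES), sep="\n")
```

The publicly linked lunch menu and the owner-only HR notes are both left alone: only the combination of sensitive content and broad access is a violation, which is also the combination an integrated AI assistant would surface to users who were never meant to see it.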

More robust DLP solutions offer advanced tools to manage access and permissions, such as conditional access, time-limited access, and managed permission overrides.

DLP Options

Both Microsoft 365 and Google Workspace offer DLP features and capabilities. Most of these features are within the Enterprise tier (more expensive) subscriptions.

For small and midsize businesses using Business tier subscriptions, adding an integrated, third-party DLP service will be less expensive than upgrading. 

Third-party services offer robust management portals that are generally easier to learn and use than the built-in features.

Getting Started

First things first, do not panic. Begin by reviewing your current security and permissions policies, procedures, and top-level settings. Also, consider how you and your team are currently using Copilot, Gemini, and other AI tools, and how you expect or plan to use them in the future.

With a high-level assessment, you can explore how you want to use DLP and which services will provide the most effective and affordable solutions for your needs.

Cumulus Global can assist with real-time assessments of your file and folder security to provide a benchmark and a baseline for planning and decisions. From there, we can help implement, configure, and manage your DLP services.

Why Cumulus Global?

At Cumulus Global, our priority is ensuring that you have productive, secure, and affordable managed cloud services. We work to ensure that you do not overspend on services and to focus your IT dollars on the capabilities and services you need.

Let us know how we can help, or schedule a meeting with a Cloud Advisor.

We will help you adapt while keeping your IT services secure and cost-effective.

About the Author

Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience and effective change management.