table of contents
- 01.Basic mechanism of generative AI and how to use it
- 02.Why security measures specific to generative AI are necessary
- 03.Key security risks in generative AI
- 04.Generative AI security measures that companies should take
- 05.AI-based security measures that individuals can take
- 06.To visualize ChatGPT usage, use LANSCOPE Endpoint Manager Cloud Edition
- 07.“AI Guidelines” provided by MOTEX
- 08.summary
In recent years, generative AI, including ChatGPT, Claude, and Gemini, has rapidly evolved and is now being used in a variety of situations, including business and everyday life.
Its capabilities are diverse, including text creation, image generation, and program code generation, and while expectations are high for improving business efficiency and creating new value, security risks associated with the use of generative AI are also becoming apparent.
In this article, we will explain the measures that companies and individuals should take to safely use generative AI in their work.
What you’ll learn in this article
- The basics of generative AI
- Security risks lurking in generative AI
- Countermeasures against security risks of generative AI
We also provide sample guidelines that clearly summarize, from a professional perspective, the precautions and points to check when using generative AI in business.
Please make use of this together with this article.
Basic mechanism of generative AI and how to use it
Generative AI is a type of artificial intelligence that can learn from large amounts of data and automatically generate new content (text, images, audio, video, code, etc.) based on that data.
While traditional AI mainly classifies data and makes predictions, generative AI is characterized by its ability to “create.”
Some of the most common types of generative AI are:
| kinds | Main features | Representative tools |
|---|---|---|
| Text Generation AI | ・Perform natural writing, summarization, translation, etc. based on instructions | ・ChatGPT ・Bard |
| Image Generation AI | – Generate images based on text instructions | ・Stable Diffusion ・Midjourney |
| Voice generation AI | – Convert text to natural speech or imitate the voice of a specific person | ・Voicebox |
| Video Generation AI | – Generate new videos by combining text and images – Generate short videos based on text instructions |
・Runway Gen-2 |
| Code generation AI | – Generate or complete optimal code – Detect errors and bugs and assist with code generation |
・GitHub Copilot |
Examples of generative AI usage in business situations
Generative AI is used in a wide variety of business situations across a wide range of industries and professions.
For example, in the marketing field, it is used to automatically write ad copy and blog articles, and to generate personalized emails to customers.
In customer support, generative AI is being used to automatically respond to FAQs and summarize inquiries, aiming to reduce the burden on operators and improve customer satisfaction.
In the research and development field, AI is being used to help generate new ideas, analyze complex data, and perform simulations. In software development, there have been reported cases where code generation AI has significantly improved programmer productivity.
In this way, generative AI is being effectively used in a variety of business situations, including automating and streamlining operations, discovering new insights, and supporting creativity.
However, using generative AI in business situations also entails certain security risks.
Let’s take a look at what security risks lie ahead.
Why security measures specific to generative AI are necessary
In order to use generative AI safely, it is necessary to correctly understand the security risks inherent in generative AI and take appropriate measures.
Let’s take a look at why there is a need for security measures specialized for generative AI.
Differences from conventional security measures
Traditional security measures are primarily focused on preventing external cyber attacks.
For example, the following security solutions are used to prevent cyber attacks that target vulnerabilities in systems and servers.
- Firewall
- IDS/IPS
- WAF
- EDR
- Vulnerability diagnosis and penetration testing
On the other hand, generative AI carries security risks due to the behavior of the AI model itself and interactions with the AI (dialogue and instructions).
Examples of security risks posed by generative AI include:
- “Prompt injection” involves slipping malicious instructions into the information (prompts) entered into AI
- Bias from AI training data
- Piracy
- Unintentional disclosure of confidential information
These aspects make it difficult to detect and defend against them using traditional security products alone.
In order to safely use generative AI in business situations, it is necessary to take security measures specific to generative AI.
New threats emerge when using generative AI
As generative AI becomes more widespread, new types of threats are emerging that have never been seen before.
New threats to the use of generative AI include:
| Adversarial Attack |
・An attack that adds noise to input data that is indistinguishable to the human eye, causing the AI to produce erroneous output |
|---|---|
| Data Poisoning |
・Attacks that intentionally mix fraudulent data or biased information into AI learning data to degrade the AI’s performance or lead it to a specific conclusion |
| Deepfake | ・Attacks that generate fake videos and audio impersonating real people to cause fraud or damage reputations |
Many of these new threats were not anticipated by traditional security measures, so measures must be developed that take into account an understanding of the characteristics of generative AI.
Key security risks in generative AI
While there are many benefits to using generative AI, it also poses various security risks.
In this article, we will explain some of the major security risks that lurk in generative AI.
- Risk of leaking confidential and personal information
- Risk of infringing copyright and intellectual property rights
- Risk of spreading misinformation and disinformation
- Increasing risk of cyber attacks
- Risk of vulnerabilities in AI models being targeted
- Risk of fraud due to impersonation and deepfakes
Let’s take a look at the risks involved with using generative AI.
Risk of leaking confidential and personal information
The generative AI may use the information entered by the user as learning data or store it on the service provider’s server.
For example, if confidential company information (undisclosed product information, business strategies, customer data, etc.) or personal information (names, addresses, etc.) is input into a generative AI, there is a risk that this information will be unintentionally leaked to the outside.
Additionally, the AI model itself may be attacked, resulting in the theft of confidential information contained in the training data.
Please be aware that there is a risk that information you enter, thinking that only you will see it, may be unknowingly seen by an unspecified number of people.
Risk of infringing copyright and intellectual property rights
Generative AI generates content by learning from vast amounts of data available on the Internet and elsewhere.
Therefore, if the training data contains copyrighted content, the content generated by the AI may closely resemble existing copyrighted works and unintentionally infringe copyright.
If the content (text, images, program code, etc.) created by a company using generative AI infringes someone else’s copyright, it could lead to a legal dispute, resulting in claims for damages and damage to the company’s reputation.
It is important to check the generative AI’s terms of use and rules regarding commercial use of the generated results in advance.
Risk of spreading misinformation and disinformation
Generative AI does not always generate accurate information.
Sometimes they generate plausible false information (hallucination) or information based on biased views.
This misinformation and disinformation, especially when spread with malicious intent, can cause social unrest and economic damage (fake news).
Therefore, when using AI generation for information officially released by a company, such as on its official website, on social media, or in press releases, thorough fact-checking is required to ensure that the generated content is actually correct and does not contain any false information. Be careful not to become a source of false information.
Increasing risk of cyber attacks
The advanced text writing and code generation capabilities of generative AI could be exploited by malicious third parties to carry out cyber attacks.
For example, generative AI could be used to automatically generate large quantities of convincing phishing email text or to write malware program code.
As the use of generative AI expands, the barrier to launching cyber attacks will be lowered, raising concerns that attacks will become more sophisticated and large-scale.
To avoid becoming victim of increasingly sophisticated and ingenious cyber attacks, companies need to strengthen security education for employees and remain vigilant against suspicious emails and files.
Risk of vulnerabilities in AI models being targeted
The AI model itself may have vulnerabilities, or the training data may be maliciously contaminated (data poisoning).
If the AI model you are using has vulnerabilities, there is a higher risk of unauthorized manipulation or theft of confidential information.
Furthermore, if training data becomes contaminated, it could lead the AI to make incorrect decisions or generate output that is biased towards a particular ideology.
It is important to evaluate the security measures and reliability of the provider, not only when developing and operating an AI model in-house, but also when using external AI services.
Risk of fraud due to impersonation and deepfakes
Advances in image- and voice-generating AI have made it possible to create “deepfake” content that mimics the faces and voices of real people with extremely realistic results.
If content generated by deepfakes is misused, it could be used to commit fraud by impersonating specific people or to damage a company’s reputation by leaking false information.
In companies, there is a risk that deepfakes will be used to commit fraudulent money transfer scams (business email compromise) by impersonating executives or employees.
The table below summarizes the main security risks discussed so far and provides an overview of them.
| Types of Risk | overview |
|---|---|
| Leaking of confidential or personal information | There is a risk that confidential or personal information you enter will be used as learning data for AI or will be leaked to the outside |
| Copyright and intellectual property infringement | There is a risk that generative AI will use copyrighted material contained in the training data without permission, resulting in the product infringing copyright. |
| Spreading misinformation and disinformation | Risk of generating fact-unrelated or biased information, and spreading it to cause confusion and damage |
| Increasing risk of cyber attacks | There is a risk that malicious third parties may use AI to create phishing emails or develop malware. |
| Risk of fraud due to impersonation and deepfakes | There is a risk that fake images and voices created by generative AI will be misused, resulting in fraud and reputational damage through impersonation |
Generative AI security measures that companies should take
To safely use generative AI in business, it is necessary to take security measures specific to generative AI.
In this article, we will explain five security measures for generative AI that companies and organizations should take.
If you are a company or organization that is currently using generative AI in your work or is thinking about using it in your work in the future, be sure to check it out.
Establishment of usage guidelines and thorough dissemination
When allowing a company or organization to use generative AI in its business, it is necessary to establish “Guidelines for the Use of Generative AI.”
By establishing clear guidelines that clarify “which tasks it can be used for” and “which tasks it cannot be used for,” we can expect to reduce the security risks of generative AI.
The guidelines should include the following items:
- Information you may enter
- Information that should not be entered (handling confidential information, personal information, undisclosed information, etc.)
- How to confirm copyright and intellectual property rights of the products and who is responsible
- Fact-checking procedures and disclosure standards for products
- Specify available AI tools and services (security-evaluated ones)
- Reporting and response flow when a security incident occurs
The established guidelines must be thoroughly communicated to all employees through training and other means, and they must be required to understand and comply with them.
MOTEX Co., Ltd. (hereinafter referred to as MOTEX) has prepared a sample guideline that clearly summarizes the precautions and points to check when using generative AI in business from a professional perspective.
Improve employee security education and literacy
In addition to formulating guidelines, it is also important to educate each employee to raise their security awareness and literacy.
Security awareness can be raised by providing regular training and information not only about the mechanism and convenience of generative AI, but also about the potential risks lurking in generative AI, how to use it safely, and relevant laws and ethical aspects.
In particular, it is important to thoroughly raise awareness of attack methods that can involve the misuse of generative AI, such as phishing scams and social engineering, and to be vigilant against suspicious information.
Establishment of a system for managing and monitoring input and output data
It is also important to thoroughly establish a management system for the data input into the generative AI and the data output by the AI.
In order to prevent confidential or personal information from being carelessly entered, it is necessary to introduce technical and organizational mechanisms (e.g., DLP tools, operating pre-entry checklists) and strengthen the management system.
The security risks associated with the use of generative AI can be reduced by establishing a process to check the generated content for accuracy, copyright infringement, and ethical issues before it is made public.
It is also important to regularly monitor logs to check for inappropriate use or abnormal behavior.
Selecting and introducing AI tools with built-in security features
There are many generative AI tools and services on the market. When using them for business purposes, it is important to choose a model with robust security features.
For example, check whether the following features are included:
- Data encryption
- Access Control
- Audit Log
- Vulnerability management
- Usage monitoring function
Additionally, you should check in advance the reliability of the service provider and their data protection policies (where the data will be stored, to what extent it will be used for learning, etc.).
There are plans with enhanced security for enterprises as well as AI solutions that can be used in private environments, so consider the appropriate model depending on your company’s environment and requirements.
Regular risk assessment and review of countermeasures
Generative AI technology is constantly evolving, and new threats and vulnerabilities may be discovered all the time.
Therefore, it is not enough to just take measures once and then be done with it; it is important to conduct risk assessments on a regular basis and review whether your company’s security measures are appropriate for the current situation.
We collect industry trends and incident cases, and as necessary, revise guidelines, update security tools, and update employee training content.
AI-based security measures that individuals can take
In order to use generative AI safely and appropriately, it is important not only to establish internal processes within a company or organization, but also for each employee who actually uses it to be aware of security.
In this article, we will explain four security measures that individuals can take against generative AI.
Those in charge of companies and organizations should use this as a reference when providing security education to their employees.
Do not enter confidential or personal information
The most basic countermeasure is to not input highly confidential information into the generative AI.
Highly confidential information includes not only information about stakeholders, such as customer information and business partner information, but also your own and others’ personal information (name, address, telephone number, email address, My Number, credit card number, etc.), confidential company information, passwords, etc.
You need to be especially careful when using free AI services, as it may be unclear how the information you input will be handled.
Use AI services from trusted sources
When choosing a generative AI service, make sure the company or organization providing it is trustworthy.
You should avoid using services whose operators are unclear or whose privacy policies and terms of use are not clearly stated.
Even if the service is provided by a major IT company or research institute, it is important to read the terms of use and understand how your data will be handled.
Always check the authenticity of the information generated
As mentioned above, generative AI can sometimes generate plausible false information (hallucination).
Don’t just accept information generated by AI, but make it a habit to fact-check it with multiple sources.
Careful verification is essential, especially when using it for important decision-making or information dissemination.
Check the terms of use and privacy policy
When using an AI service, be sure to check the terms of use and privacy policy in advance.
We will focus on checking items related to data handling, such as whether the entered data will be used for AI training, whether it may be provided to third parties, and how long it will be stored.
