UniVista


I’m betting that we have all heard of, and have probably even played with, ChatGPT. If you are unaware, ChatGPT is an artificial intelligence natural language processing tool developed by OpenAI, with multi-billion-dollar investment from Microsoft and other tech firms, that can answer questions and assist you with tasks like composing emails, essays, grammar, writing code, etc. (But it will not pick your NCAA March Madness brackets, I tried!)

The use of ChatGPT has become increasingly popular as we all have discovered how it can help us through our busy days. For instance, it even helped write this article! While it has numerous benefits, it also has security implications that cannot be ignored. For me, the most significant concern is data privacy. ChatGPT requires a lot of data to train and improve its performance, and the information used could be personal, sensitive, and confidential. According to ChatGPT itself, “It is essential to understand that the conversations on the platform are not private, and the data can be collected, analyzed, and used by third-party companies for various reasons. Therefore, users should be cautious about the information they share on the platform.”

ChatGPT is trained using all the data on the internet, real and false. According to ChatGPT, this data creates “…the potential for the platform to replicate existing biases, prejudices, and falsehoods present in the data used to train the system. For instance, if the system is trained on a dataset that contains biased language or discriminatory language towards a specific group of people, the platform may generate similar language when responding to queries related to that group. This could perpetuate and amplify existing prejudices and biases, which could have significant social and ethical implications.”

For all its wonderful potential, ChatGPT is still very new and in development. It is therefore still buggy. For instance, just a few days ago, a bug was discovered that allowed users to see other users’ searches on the platform. The bug was caused by an error in the platform’s code, which resulted in users’ search queries being shared with other users. This was a significant security breach, as it compromised users’ privacy and could potentially expose sensitive information. Consequently, OpenAI shut down ChatGPT temporarily and disabled the site’s history function when it was brought back online.

Of course, hackers are not hesitating to act upon ChatGPT’s potential. Beware! There are already tools circulating that are supposed to make it easy to integrate ChatGPT into your business. Many of these tools are front ends that intercept your data and steal your login information. Again, according to ChatGPT, “…attackers are using this platform to generate convincing phishing messages that could be used to trick users into divulging sensitive information.”

So should ChatGPT be used in my business? The answer, again to quote ChatGPT, is, “Use this platform carefully. Businesses and Developers must implement robust security measures to prevent bugs and protect users’ data, ensure that the platform is not biased or used for malicious purposes, and educate users on best practices to safeguard their accounts. By doing so, we can harness the potential of ChatGPT while minimizing the security risks associated with its use.”

We at UniVista, not ChatGPT, suggest the following measures:

  1. Do not use sensitive or privileged data in ChatGPT searches.
  2. Only use ChatGPT through its web interface. Do not use any unverified third-party apps. Microsoft and other companies are busy integrating ChatGPT into their programs. Wait for these official integrated releases. You can see a demo of Microsoft’s integration into its Office suite here: https://www.youtube.com/watch?v=ebls5x-gb0s
  3. Do not use a business account to access ChatGPT’s search function.
  4. Ensure that multi-factor authentication is used with any account that accesses ChatGPT.
  5. Double-check any output for accuracy. When I asked ChatGPT to use real examples in its responses to my questions, it cited several examples I could not verify online.

ChatGPT has amazing potential to shave hours off our days and make us all more productive, but it’s still new and buggy, with major security implications. Please use it carefully. If you do, I think you’ll discover its potential in your business.

Have fun, let me know what you think, and ask us any questions that you have. We’re here to help.

UniVista

As we all know, probably to the point of exhaustion, the internet is a place filled with many threats that we all need to be aware of. Our federal government has recognized how hard it is for all of us to address all of these threats on our own by developing and publishing the 2023 National Cybersecurity Strategy of the United States Government, National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov). UniVista strongly endorses this strategy. It’s filled with lots of good ideas, like making investments in cyber security research, training, and even making it easier to survive a cyber security incident through a federal Cyber Insurance backstop. The idea we’re particularly enthusiastic about is “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services,” which aims to stop vendors and software providers from absolving themselves of responsibility should your network be compromised due to using their software or services. UniVista appreciates the clear focus the government is projecting onto those who provide insecure software or services, and we hope this focus will encourage all vendors and manufacturers to ensure their products and services are secure for the sake of us all.

“Wait,” you might say, “UniVista is a service provider and your own liability could be increased by this directive! Why would you want to endorse something that puts you in the crosshairs?”

As your Technology Partner, we at UniVista treat your environment with the same care and accountability as our own internal network.  We’ve focused on “Best Practices” for a long time, even rolling out our “Alignment Score” as the first item on our Monthly Health Reports as a reminder to keep such Best Practices at the forefront of all our discussions.  Heck, many of our customers (and maybe even you, reading this) could recount a situation where we’ve held a new vendor’s feet to the fire, raised concerns about an insecure deployment, or even made you sign a single-purpose Security Addendum to your support agreement to underline how much of a risk was present in a decision that was about to be made. If you’ve ever been asked to sign that kind of Addendum with us, we promise it wasn’t because we were being obstinate or controlling.  In every instance, there’s been a real and tangible risk to your business operations which we genuinely felt you needed to be aware of.  It’s quite rare we go so far as to say “no, seriously, don’t do this,” but it’s a fact of reality that actions have consequences, and on computers, admin actions can have dire consequences.

Like the rest of you, UniVista has our own service providers and partners we rely on to do business and support you while keeping your costs affordable.  We’re no better positioned to develop our own remote support tool than you are to assemble your own credit card reader.  This means we all must use providers like Intel, Dell, Microsoft, Apple, or Google to create the systems and tools we use to conduct business.  However, that doesn’t mean that we are powerless in our choice of partners and providers. 

UniVista conducts business with clients who run the gamut of regulatory oversight and requirements, but we hold both ourselves and all our customers to the same standards, and we treat every environment like it is the most important environment in the world (because to you, it is).  We go out of our way to ask auditors additional questions and seek recommendations outside the strict “letter of the law” in compliance frameworks.  We challenge our vendors and seek independent verification of their claims, just like we do when you bring on your own vendors. 

We can’t promise you that we or our own partners will never be compromised in the future, just like we can’t promise you that you won’t be either.  But we can promise you that we have been pursuing – and will always pursue – every Best Practice we can to minimize all our risks!  It only makes all our jobs easier to have the feds putting pressure on developers and service providers alongside us.

The very first line of the 2023 National Cybersecurity Guidance Objective 3.3 says “Markets impose inadequate costs on – and often reward – those entities that introduce vulnerable products or services into our digital ecosystem.” We get it. It’s often so much cheaper to go with one provider over another for your software or service needs, and technology is expensive. We’ve said for years that there are often “hidden costs” associated with going with the “cheap” or “easy” options for software and services, by way of cut corners and questionable commitments… so we simply cannot be anything other than thrilled that the government aims to hold everyone to the same standard to which we’ve already been holding ourselves. If this means that everyone takes security and Best Practices as seriously as we do, then we all win.

What’s the next step? We at UniVista will keep monitoring the process and keep you informed as our government develops this strategy into a series of directives and laws. In the interim, we’ll keep advocating for you to whoever can help, giving you the best advice we can, and doing our best job for you.  

If you have any questions or would like to have a more in-depth conversation about our best practices, or anything at all, then please do not hesitate to reach out to us.