Since the introduction of ChatGPT last fall, organizations around the globe are grappling with the dos and don’ts of incorporating generative AI into their services and workflows. Tools like ChatGPT offer great promise to businesses - by allowing them to operate more efficiently, and to create new products for their customers - but they are not without their problems.
The main reason why companies might be cautious about allowing employees to use a tool like ChatGPT is the risk that they might leak sensitive data. This would occur if an employee composed a prompt to a chatbot that included confidential information. If you are wondering why a scenario like this would be considered a ‘leak,’ it is because anything that you share with ChatGPT becomes the property of OpenAI! OpenAI retains what you share with it, using it as training data. This is precisely what happened recently to Samsung, leading the company to throttle employees’ access to it. Other companies, like JP Morgan, Bank of America, CitiGroup, and Apple have taken a similar stance. Many large organizations like these are actually considering building their own internal generative AI tools. However, given the resources involved in such an undertaking, this may not be feasible for everyone.
In this blog post, we’ll look at how organizations can configure Umbrella to regulate access to tools like ChatGPT. The Umbrella team recommends that before blocking or allowing use to ChatGPT, you first discover and assess how it’s being used in your organization.
The first step is to discover how ChatGPT is being used by employees. To do so, you can use the App Discovery report. The App Discovery report allows you to monitor the cloud apps being used in your environment, based on DNS log activity. This will give you insight into who is using ChatGPT, their frequency of use, as well as the devices they are using to access the app.
In Umbrella, navigate to Reporting > Core Reports > App Discovery.
App Discovery has visibility into over 30,000 discover apps and has blocking control over 3000 apps. On the App Discovery dashboard, you can see the total number of apps that have been discovered in your environment.
If you scroll down, you can see DNS requests by app risk, as well as Apps by category and risk.
Now that you have an understanding of how ChatGPT is being used in your environment, you are ready to assess the risk it poses to your environment. To do so, you can leverage Umbrella’s data loss prevention (DLP) functionality.
The best practice is to begin by monitoring ChatGPT usage for all data classifications of concern. You can use an existing DLP monitor rule or create a new one. It is recommended to activate the rule initially for only a short period. This is to avoid overwhelming the event log. Based on the results, you could activate the rule again for a longer timeframe.
Let’s look at how to create a new DLP monitor rule.
In Umbrella, navigate to Policies > Management > Data Loss Prevent Policy.
Click Add Rule, and choose Real Time Rule.
First, you will want to name your rule and set the severity level.
Next, you will configure the data classifications or file labels or both that will apply to the rule. You can use a built-in data classification or create a custom data classification.
Next, select which identities you want the rule to apply to.
Under Destinations, click Select Destinations List and Applications for Inclusion. Search for ChatGPT and select it.
Finally, under Action, select Monitor. Don’t forget to Save your new rule.
Umbrella gives organizations the ability to block ChatGPT use altogether. If you have heightened concerns about data leakage, this might make sense for you. You can do this by customizing a DNS Policy or a Web Policy.
Let’s look at how to block ChatGPT by setting up a new web policy.
In Umbrella, navigate to Policies > Management > Web Policy.
Expand your policy, and click on Add Rule.
Click on Edit Destination and click on the numbered arrow next to Application Settings.
You could search for ChatGPT specifically, but I would recommend searching for the Generative AI category. This will allow you not only to block ChatGPT but also competitor chatbots like Google Bard. Select the category and click Apply.
Finally, don’t forget to enable the rule. Click on the … next to the rule, and Enable Rule.
Of course, you may want to allow the use of ChatGPT, to take advantage of the promise of this exciting technology. The goal should be to maximize worker productivity while minimizing the risk of sensitive data leakage.
The most straightforward way to do this would be to re-configure your DLP monitor rule to a block rule.
In this blog post, we have looked at how you can use Umbrella to discover, assess, block, and allow ChatGPT usage in your organization. The goal is to maximize worker productivity while minimizing the risk of sensitive data leakage.
Note that OpenAI has recently amended their data use policy to give users the ability to turn off chat history, and is planning to offer a subscription to organizations that will give them even more control over how their data is used on the platform.
Concerned about how tools like ChatGPT are being used on your network? Schedule some time to speak with one of our cybersecurity experts.