AI Security Concerns: Real Threats or Distractions? Also – unhinged security teams! – ESW #395
In the enterprise security news,
- Change Healthcare’s HIPAA fine is vanishingly small
- How worried should we be about the threat of AI models?
- What about the threat of DeepSeek?
- And the threat of employees entering sensitive data into GenAI prompts?
- The myth of trillion-dollar cybercrime losses is alive and well!
- Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity
- Thanks to the UK for letting everyone know about end-to-end encryption for iCloud!
- What is the most UNHINGED thing you've ever seen a security team push on employees?
All that and more, on this episode of Enterprise Security Weekly.
- 1. FINES: UHG Increases Change Healthcare Data Breach Victim Count to 190 Million
"The maximum financial penalty for a HIPAA violation set by the HITECH Act is $1.5 million, and adjusted for inflation is just over $2.1 million."
Do WHAT? If this was the EU, UHG would be getting hit with a $1B+ fine. I had no idea that HIPAA fines had so little bite. Why even bother with a fine? It's less than 10% of the ransom they paid the attackers!
- 2. THREAT OR DISTRACTION?: Harmonic Security – From Payrolls to Patents: The Spectrum of Data Leaked into GenAI
"8.5% of prompts into GenAI include sensitive data"
Okay, and what percentage go into Google searches? Into Dropbox? What percentage of what Grammarly sees is sensitive data? How about that Dictionary.com Chrome extension?
Our data goes into a LOT of services that are controlled or managed by other organizations. It seems like a distraction to hyperfocus on Generative AI services just because they're new.
- 3. THREAT OR DISTRACTION: Open Source AI Models: Big Risks for Malicious Code, Vulns
TL;DR
- models themselves are not dangerous, it's how they're packaged
- use safetensors, not pickle
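Why the packaging matters, as an added example (not from the episode or the linked article): a pickle stream can name any importable callable, so a reviewer lists those imports without unpickling, while a safetensors file is an 8-byte length, a JSON header and raw bytes. The allow list, the sample payloads and the function names are assumptions made for the illustration.

```python
import json, pickle, pickletools, struct
from collections import OrderedDict

ALLOWED = {("collections", "OrderedDict")}  # assumption: a per-project allow list

def pickle_imports(data):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, recent, memo = [], [None, None], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            recent.append(None)
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two strings pushed earlier
            module, name = recent[-2:]
            found.append((module or "?", name or "?"))  # unresolved "?" is never allowed
            recent.append(None)
        elif "UNICODE" in op.name or "STRING" in op.name:
            recent.append(arg)
        elif op.name.endswith("GET"):            # string fetched back from the memo
            recent.append(memo.get(arg))
        elif op.name == "MEMOIZE":
            memo[len(memo)] = recent[-1]
        elif op.name.endswith("PUT"):
            memo[arg] = recent[-1]
        else:
            recent.append(None)                  # any other opcode breaks the string pair
    return found

def flagged(data):
    return [pair for pair in pickle_imports(data) if pair not in ALLOWED]

def safetensors_header(data):
    """Parse a safetensors header: 8-byte little-endian length, then UTF-8 JSON."""
    (n,) = struct.unpack("<Q", data[:8])
    if n > len(data) - 8:
        raise ValueError("header length exceeds file size")
    header = json.loads(data[8:8 + n])
    for name, spec in header.items():
        if name == "__metadata__":
            continue
        start, end = spec["data_offsets"]
        if not 0 <= start <= end <= len(data) - 8 - n:
            raise ValueError(f"tensor {name!r} points outside the file")
    return header

# Constructed samples (not real model files); json.dumps stands in for "any callable".
BENIGN_PICKLE = pickle.dumps(OrderedDict(weight=[0.5, 1.5]))
ODD_PICKLE = pickle.dumps({"weight": [0.5], "hook": json.dumps})
_hdr = json.dumps({"weight": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAFETENSORS = struct.pack("<Q", len(_hdr)) + _hdr + struct.pack("<2f", 0.5, 1.5)
```

The import walk is a heuristic that fails closed: anything it cannot resolve is reported as "?" and flagged.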
- 4. THREAT OR DISTRACTION: DeepSeek app, safe to use?
Is everything you're typing into the DeepSeek app, API, or website going directly to folks in China?
Yeah, I think it is safe to assume so.
Is that worse than your data going to Meta? Or Google? Or some startup with zero reputation that you just started using because it looked cool?
That's a tougher question.
We're bad at assessing risk, especially in the moment, without comparisons, and with all our geopolitical biases present. Does this analysis of the DeepSeek app look bad or inappropriate?
I'd argue most of us aren't equipped to answer that question. How often do we view analysis like this? How does this compare to all the other apps on our employees' devices? All these GenAI apps request camera permissions, because there's always a "tell me what I'm seeing" or "translate this sign" use case.
- 5. MYTHS AND LIES: The cost of cybercrime to reach over $12tn by 2025
There's a new source for overinflated claims of losses to cybercrime.
It also has no methodology and makes no effort to provide details on how the number was estimated.
Show your work or GTFO with these bajillion numbers.
- 1. SURVEY: What is the most unhinged thing you’ve seen a security team push on people trying to be productive?
- 2. NEW FEATURES: Kagi Privacy Pass
- 3. OLD FEATURES: The UK and Why You Might Want to Use Advanced Data Protection for your iCloud data
Been around since 2022, but most people are just finding out about it because of the UK's demand for a back door into ALL Apple users' data, globally.