Three key steps to protect your business from chatbot hacking
We’ve all experienced that moment when you’ve ordered food online from the likes of Deliveroo or Uber Eats, and when it turns up the order isn’t right. You go into the app to complain and you can be waiting a while for a response, which is just as frustrating as not getting the correct order. Getting an instant reply would help to counteract that, wouldn’t it? Chatbots could be the answer.
Chatbots are an incredibly useful means for businesses to deliver efficient, streamlined customer service and save time and money by automating processes. So it’s no surprise that Gartner predicts that only one in three customer service interactions will require human contact by the end of this year. Echoing this, research from Spiceworks also shows that 14 percent of companies are already using AI chatbots and assistants for customer service.
However, as with all technologies, chatbots are not all sunshine and rainbows. Just like HAL 9000 from 2001: A Space Odyssey, they too can have a dark side. Chatbots open up new attack surfaces, and threat actors have found ways to exploit them: we’re increasingly seeing chatbot vulnerabilities and misconfigurations being exploited to inject malware or intercept data in transit.
Here are three steps you can take to protect your organisation:
1) Make sure your enterprise security covers bots
Essentially, chatbot hacks are attacks against enterprise applications, so first and foremost make sure that all the strategies you’ve put in place for other enterprise apps are also in place for your chatbots. As part of this it’s important to check that both data at rest and data in transit are encrypted, to enforce access control and to validate every input to the backend data. If you’re using chatbots through third-party platforms it’s vital to investigate their security features to understand what further protection you need, as you can’t assume that partners have the same security levels as you. We’re seeing a rise in attacks via the supply chain and chatbots are a likely target.
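As an added illustration (not code from the original article), here is how a chatbot backend for the food-order scenario above might validate input and enforce access control before touching backend data. The order-ID format, table layout and function names are assumptions made for the example, and the sample orders are constructed.

```python
import re
import sqlite3

MAX_MESSAGE_LEN = 500
# Allowlist: the only order-ID shape the bot accepts (assumed format).
ORDER_ID = re.compile(r"\bORD-\d{6}\b")


def make_db():
    """Build an in-memory order store with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id TEXT PRIMARY KEY, customer_id TEXT, status TEXT)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("ORD-100001", "alice", "delivered"),
         ("ORD-100002", "bob", "in transit")],
    )
    return db


def handle_message(db, session_customer_id, message):
    """Reply to one chat message from an already authenticated session."""
    # Input validation: reject oversized or non-text input up front.
    if not isinstance(message, str) or len(message) > MAX_MESSAGE_LEN:
        return "Sorry, I could not read that message."
    match = ORDER_ID.search(message)
    if match is None:
        return "Please give me your order number (for example ORD-123456)."
    order_id = match.group(0)
    # Parameterized query: chat text is never concatenated into SQL.
    # Access control: the customer id comes from the session, never from
    # anything the user typed into the chat window.
    row = db.execute(
        "SELECT status FROM orders WHERE id = ? AND customer_id = ?",
        (order_id, session_customer_id),
    ).fetchone()
    if row is None:
        # Same reply for "no such order" and "someone else's order", so the
        # bot does not confirm which order numbers exist.
        return "I could not find that order on your account."
    return f"Order {order_id} is {row[0]}."
```

Only the validated order ID and the session identity reach the database; everything else in the message is discarded.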
2) Check your legacy security solution really is cloud-ready
Despite moving to the cloud, many businesses are still using traditional security approaches rather than those appropriate to cloud computing. I find this concerning because a shift to cloud infrastructure significantly increases the attack surface of any enterprise, leaving it wide open to new threat vectors. If you’re deploying chatbots via cloud-based infrastructure, have you re-examined what your legacy security solution actually covers? Something to consider is a Cloud Access Security Broker (CASB). A CASB addresses cloud service risks, providing visibility, compliance, granular access control, threat protection, data leakage prevention, and encryption, even when cloud services are beyond the enterprise’s perimeter and out of its direct control.
3) Educate your employees and customers
One of the biggest vulnerabilities of any technology comes from its human users. Businesses are facing an increasing risk of attacks carried out via compromised chatbots distributing harmful links. It’s likely that in the future chatbots will be able to imitate trusted entities - both human and automated - to a very convincing degree, resulting in customers and other users sharing data with malicious bots. It’s vital to dedicate enough resources to educating employees and customers. Alongside initial training on spotting suspicious activity, you should run regular ‘awareness’ campaigns to keep staff vigilant to inconsistencies.
For more detail on how to guard against chatbot attacks, read my blog on the Netskope website.