Tech Insights with Alisha Christian

When Algorithms Meet Shadows: The Hidden Business Impact of AI

Mercury IT Season 1 Episode 10

The AI revolution is here, and it's already reshaping how businesses operate—whether you're aware of it or not. In this eye-opening conversation with cybersecurity expert Chris Haigh, we explore the startling reality that approximately 70% of employees are currently using AI tools without their company's knowledge or approval.

We dive deep into the cybersecurity implications of this "shadow AI" phenomenon and why it represents a significant risk to your business. When employees feed company proprietary information or personally identifiable data into free AI models, this sensitive information can be used to train the models, potentially making it accessible to others. Even with paid versions of tools like ChatGPT, your data might still be training models unless you specifically change the default settings—a crucial tip that many business leaders miss.

The discussion examines AI's dual nature as both a potential security threat—enabling more convincing phishing attempts—and a powerful tool for enhancing security operations. Before implementing AI solutions, businesses need thorough preparatory work including proper data classification, permission settings, and information governance. Without these foundations, AI tools might inadvertently expose sensitive information or bypass security controls.

While most executives (78%) acknowledge that AI will be necessary for business growth, only 48% believe their organisations are prepared—and even that figure likely overestimates actual readiness. Chris outlines essential elements of an AI strategy that business leaders should prioritise developing before year-end, including auditing current usage, implementing appropriate policies, and providing adequate training.

Register for Chris's upcoming live event on AI readiness to receive practical advice on building an AI strategy. 

Access the free AI readiness assessment tool, and an AI usage policy template for your business here

Don't wait until you're falling behind—now is the time to understand and prepare for AI's transformative impact on your organisation.

Speaker 1:

Welcome to Tech Insights. In this episode, Chris and I talk about AI readiness for your business, whether or not your staff are using AI without you knowing, and what things are to come. I hope you enjoy the episode. Hi, Chris, great to see you today.

Speaker 2:

Thank you.

Speaker 1:

So you've been in cybersecurity for 25 years plus, right?

Speaker 2:

Yep.

Speaker 1:

So I would say you're pretty much an expert, yeah getting there.

Speaker 2:

I think a few more years yeah.

Speaker 1:

So you've seen a lot of changes though over the last few years with AI, and did you ever imagine that AI was going to take such a strong role?

Speaker 2:

Honestly, no, you know, like AI has been around for a very long time and I think it's always been that kind of utopia of like we're going to get to somewhere with AI. But you've got to remember that they've literally been saying that since the 50s.

Speaker 2:

Yeah, you know building AI, as to whether it's, you know, playing checkers, chess, then go and so forth, just go like on and on and on. So I think for me it kind of only dawned like a lot of people kind of late to the game when ChatGPT kind of came out.

Speaker 1:

Yes.

Speaker 2:

So, even though you had AI algorithms already running on Facebook and your Insta and it's doing all those, you know, ad recommendations and so forth, was all, you know, kind of AI driven or machine learning driven. It's kind of that ChatGPT moment for a lot of people. So what was that? The end of 22, something?

Speaker 1:

around there. Yeah, I think so.

Speaker 2:

When it came out, that's for me when I was like, okay, I'm going to need to get across this a lot more.

Speaker 1:

You definitely know a lot about AI, don't you? You've been looking into it quite a bit.

Speaker 2:

Yeah, I have kind of thrown myself into it quite a bit, doing mostly just self-study. So, going into, you know, what is agentic AI and writing that and how does it integrate with your tools? How can you actually use automations and AI to get things done in a business? And like, definitely, yes, you need to be looking at it. So I do think it will be the future and it's not so much a future, it's kind of here.

Speaker 1:

You need to be on it. So do you think when, um, when ChatGPT first came out, did you think at the time, wow, this is going to make a huge impact on businesses? Yeah, I really did that.

Speaker 2:

that was actually quite a almost a shocking moment, like on there going like hearing about it and go like, oh okay, because I think I kind of jumped onto it maybe a week after it was released, something like that.

Speaker 1:

Yeah, okay.

Speaker 2:

And I was like test it out, and I was like whoa, like hold on a second. That is so different from what we had already seen. So, yeah, it was a kind of an eye-opening moment. It was like, okay, that's different.

Speaker 1:

Yeah, for sure. And so what sort of impact do you think like with security for businesses around? You know, obviously using AI, have you seen?

Speaker 2:

Oh, it's quite a difficult one. There's quite a few implications here and kind of from a security like, if you take from a threat perspective, you know, just as like any good tool, so AI is a tool that you can use. It can be used for good and it can be used for evil. It's like fire. You know it's this same situation. So you do have your threat actors being able to craft, you know whether it's phishing emails etc. And they can make it very, very convincing very convincing.

Speaker 1:

Oh, I've seen some of them so you know it's.

Speaker 2:

It's that kind of thing that is going to make it a lot harder for our people and, at the end of the day, you know, cybersecurity is about protecting people. Yes, it's like you're protecting systems and it's this and it's very technical and it's like, yeah, but ultimately, why are you protecting the systems? It's to protect people. It's always about people at the end of the day, you know, whether it's their data or their ability to work or whatever it impacts.

Speaker 2:

Yes, well, that's right so you know that's where it comes down to. As for the flip side, on the security side, same thing. So I can use AI to help look for problems or suggest solutions to potential cybersecurity problems. So it does go both ways and how you can use it. So why?

Speaker 1:

Should it be such an important thing for business owners and executives to get their head around, like some business owners will be like, well, we're not using AI, why should I worry about it?

Speaker 2:

Yeah, look, great question. And you might not be. It really does depend on your business. You know the recent stats are read out of a report and you know I'll, we'll put in the comments on LinkedIn of what, you know, in the show notes or whatever on the podcast of where we can get these reports. But there's a, there's a report of stats. It was done globally and it was something close to 70%, if not 70%, of employees use AI without the say-so of their business.

Speaker 1:

I would believe it.

Speaker 2:

They're not asking their boss whether they can use it. They're using it right, and I think that's a reality.

Speaker 2:

you've got to be aware of the concern from a cybersecurity perspective is are they feeding in company proprietary information or feeding in personal identifiable information, even if it's around businesses et cetera? That's the concern, because if you're feeding it into a free model, it's going to take that information to retrain the model, which means that data is actually available to anyone that requests it. So that's where it can become a problem. So why should you worry for that? Data leakage is going to be a problem, loss of proprietary information and again coming down to if you don't have a policy in place and so forth, and your people are just using it right.

Speaker 1:

Yes.

Speaker 2:

What if you then get found out at some point? Or what if they just take whatever's coming out of AI verbatim? Because it's not always right. No, that's, it's very true.

Speaker 2:

It is not always right, so you've got to be careful of, like, hallucinations is what it's called, where, um, because AI is designed, it's almost like to please, right? I will answer you regardless, even if I have to make up the answer. That's basically what it's coming down to. So, yeah, you can be trained to prompt questions better, to get a better response, to double check the responses. You can do all of that. But if you've not trained to do it and you're not educating people to do it, then you could get terrible output.

Speaker 1:

Well, that's true because even seeing how you use the AI tools and the prompts that you use and the information that you get back, I find that really quite amazing because you obviously know how to drive the tool and it is something that you need to learn.

Speaker 1:

It's not necessarily something that comes naturally to get the information that you want and, of course, as you say, the right information. Yeah, absolutely. So. That's a really valid point and I'll tell you what.

Speaker 2:

Like you don't need to pay for a course, like I haven't paid for any course, the information is out there. You know, at the end of the day, as weird as it sounds, you can literally ask, uh, Chat, you know, GPT or Claude or whatever you want to use, Grok, doesn't matter.

Speaker 2:

You can literally ask it to train you how to prompt better and it would do a really good job of training you how to actually prompt, because there's a lot of prompt kind of frameworks, let's say, that you could follow, and you just find one that you're comfortable with that works and gets the right output and so forth, and and you kind of stick to that. What I can say is the the does become longer. You have to think more and be more specific about what you need in there to get a good output, but it's definitely available.

Speaker 1:

And I guess this is one of those things too. It's a little bit of trial and error to sort of get what you want.

Speaker 2:

Yeah, exactly, Absolutely yeah.

Speaker 1:

Yeah, interesting. And another thing that we've spoken about, we've touched on lightly previously, is shadow IT. Can you explain a little bit about that?

Speaker 2:

Yeah, I kind of think I've said it before that AI is like your new shadow IT and that's just purely around your employees using it without your knowledge.

Speaker 1:

Yeah.

Speaker 2:

That's the key problem. I would say, and you know, if you're a business owner and you're listening to this, you definitely want to do some sort of audit and check where you are with this sort of thing. You know there's strategies out of Gartner, there's reports from, you know, uh, Harvard Business, etc. That will lay out what you should be doing, how that looks, how do you audit, uh, etc. So it's kind of the usual, like strategy, people and culture, even competition, uh, you know, looking at, are your competition using AI, are they getting

Speaker 2:

ahead of the game because they're using it. So there's all those bits and pieces, so it's kind of, I've actually put together an AI assessment tool which I'll launch soon and again we'll put it out there so people can use it. Where it's got 25 questions around these sections, that actually then rates where you are in your strategy for your business and then creates a report for you of recommendations going forward and what you should be doing. Okay. So things like even just auditing, uh, or questioning, uh, doing a questionnaire for staff going, are you using it?

Speaker 2:

what are you using it for? Where's it helping? Where doesn't it help? Would it be useful if you had a paid for tool versus just trying to do it? On your phone like you're gonna. It's difficult. Staff are gonna have to be honest oh, it's just.

Speaker 1:

You must be reading my mind, because I was thinking well, that's gonna have to be framed a certain way, because people are going to be um thinking oh, am I gonna get in trouble if I say yes, I am using it?

Speaker 2:

yeah, absolutely, but I'll tell you what. The only way to get to the bottom of it is then, from an executive level, to embrace that situation, go out there going. Look, we know people are using it. Let us know what it's for, maybe we can help, etc. From a business owner perspective. You want to get to a point that nobody's using a free tool ideally.

Speaker 2:

You do want a paid for tool that you have a bit more control over is going to be better. Now I don't know the ins and outs of all the models. There's literally thousands. So I've got some of the models that I have used. But if you take ChatGPT just as an example, because it's probably the most common one most people are using, if you're using the free tool and you're kind of just chucking stuff in there, right, it is going to be used to train the model. If you've got a free version, like a team's account, like a business account, you even at the bottom, you know, in small writing at the bottom it says, hey, the output could be wrong, check your work yeah, noise puts it there.

Speaker 2:

Top of it, it will actually say your data will not be used to train the model.

Speaker 2:

So it's quite important and be careful if you've got a person, if you're paying for your own account because you're going like no, I need this, and you're even paying for it to help with your work. There is a setting in ChatGPT by default it trains on the data you have to go and switch off. There's a setting that you need. So go into settings and there'll be a setting in there that you need to slide it off going. You know data training I can't remember what it's called. You'll see it. There's not a lot of settings to work through, but there's a specific setting where it will not train on, even though you're using a paid account. So you've got to go and check that sort of stuff as well oh man, that's a excellent tip, because I didn't know that so yeah I will be going to have a look at that and sliding that off.

Speaker 1:

So, yeah, do you think that um executives and board members are underestimating how much people are using it?

Speaker 2:

definitely like I. I mean some probably not if they've used it themselves. But you know, you still come across people that have never used it. Really yeah yeah, I've come across someone just last week and they were like what? And we were like chat to you if he's here and no.

Speaker 1:

Wow.

Speaker 2:

No clue.

Speaker 1:

Maybe it's because I work for an IT company.

Speaker 2:

Exactly, and that's the thing that you got to, you got to be aware of. You know, if you approach a business and you know most of their work that they do is, uh, tradie type work, you know, they're going out digging trenches to lay in cables and stuff.

Speaker 2:

You'll be like no, they don't use it, they don't need to. But then you go, okay, but what about the rest of the business? Yes, there might be marketing, there might be sales, there might be um, you know, accounts departments are they using it? So you, you could think to yourself, oh no, we don't use it. We do this whereby, like, half your business may very well be using it. So it's worth a question.

Speaker 2:

So do you underestimate how much? Yeah, probably. I would say it's kind of similar to the estimation of, if you look at executive estimation of, do you think AI is going to be necessary for growth and sustaining your business, you get like a 78% response of yes, we will need to embed AI somewhere within the business, I don't know where or how or what that looks like, but I know it's probably coming, but 48% say that their business is ready for it. So there's this huge gap between we need it, we're not ready for it, and I would argue that even the 48% that go, yes, we're ready to do it, they're probably not.

Speaker 1:

They think they're ready, but they probably haven't thought about all the ins and outs of especially the security aspect of it. Yeah, I know you mentioned about obviously being on the paid versions of any of them that you're using. What other sort of security things do people need to be aware of with regards to AI?

Speaker 2:

A quick example would be like let's say you're using Microsoft 365, you've got a Microsoft tenant and you want to just use Copilot because it's nice and easy. You can license it and you know the back end is OpenAI, so it's kind of ChatGPT. So you're like sweet, I don't need a separate account for ChatGPT, I can use Copilot and it's embedded. It's embedded in Teams.

Speaker 1:

It is pretty handy. It's right there, right.

Speaker 2:

It's right there and there's a free version as well as the paid version and all that sort of stuff. So you go, okay, we'll do that. But even then some of the pre-work that needs to be done you've got to go through very, very carefully from an IT strategy perspective and that's around like permissions and the data, right, and classification of data. So, for instance, I would want to be in a position whereby I know that a staff member can't take something that's proprietary and put it into like Copilot, right, because I don't want it out there. Or what if I'm, if I've developed a Copilot agent that's going to help me with my emails and stuff, like I don't want it attaching a document that's meant to be internal and send it automatically by the agent out. Like what if it does that by mistake? So the way you stop that is, you could do classification on documents so that the agent respects the classifications that are put in place. Where an internal document just won't allow to be sent and that's not necessarily the agent, that's the overlying security in the system, like Defender and so forth that you have built in there that's going, oh, that's a classified document for internal, so I'm not going to allow that to be sent out via email as an example.

Speaker 2:

Another example which is a common one I use, which is whereby your permissions are either wrong or you've made a mistake.

Speaker 2:

Now you've either made a mistake, so you've put someone in the wrong group, so they've got access to documents that they shouldn't have, right? But let's say, I hire a new salesperson, right, and I put them in the sales group and by accident, I put them in the management group, right. So they're busy doing their work, they've got access to the sales share and SharePoint and they do their thing. They're not going to necessarily go and look for a management share or anything to do with management because they're hired as a salesperson, yes. But if they've got Copilot and they just ask a question about something and Copilot's like, oh yeah, that's the management share, here it is, because the agent, Copilot in this case, right, the agentic agent is going to take on your persona and your permissions and go and grab that. So you as a person might not have gone and looked, because you don't have malicious intent. Well, that's it exactly. But Copilot's just like, oh yeah, there you go, and that can be a problem.

Speaker 2:

So if your data is not sanitized, it's not classified properly, et cetera.

Speaker 1:

So there's a lot of work to do yeah before you actually are AI ready, Because businesses grab so much data, like you know.

Speaker 2:

Look at Mercury IT. We've been around for 20 years. We've got a lot of data. You just do. But you know we go through a lot of processes of archiving data out and making sure it's not available. We take it offline. We look at data destruction policy like, okay, this data can be deleted after X number of years. Or you know whether that's seven years for the accounting records or if there's whatever other data we have to keep longer for whatever reason.

Speaker 2:

Yeah, and that's the type of stuff from pre-work that you would need to do so that you're ready for AI. Yeah, which a lot of businesses probably are not aware that all of this has to happen before you actually secure, which I guess with the AI readiness, um, checklist that you are putting together, that will help sort of find the holes.

Speaker 2:

It definitely it definitely raises the questions at least. So you go like, okay, you need to be thinking about that. It's kind of like checking on competition yeah like you know, you could be using uh, you could even use an ai agent to actually go and check your competition's website and like the keywords that they're using and so forth, and report back if it changes I mean, there's so many amazing things about AI, isn't there?

Speaker 1:

Like it's such a time-saving thing and being able to, you know, work through information so much quicker. But yes, obviously it doesn't come without its security issues.

Speaker 2:

And it goes both ways, right. So your competition's doing the same thing to you. So you need to be aware of it. You've got to be across it and definitely working towards it. I think if you don't have a strategy in place, I would be working pretty hard. It would be one of my priorities as a business owner to make sure that that strategy is bedded down, my staff are trained, etc. By the end of the year. I wouldn't even wait longer than that. So you've got, uh, ChatGPT's, uh, version 5 coming out next month, August, um, and that's going to be another leap forward and it's not going to stop. Unfortunately, like these, um, things and innovations and, uh, new features and what it can do is literally weekly. Keeping up with

Speaker 1:

it's really, really hard. Yeah, that's why I have you, because if I didn't work for an IT company that was so invested in keeping on top of AI, I would, I mean, I probably would have had a dabble on ChatGPT, but I definitely would probably not be aware of all the other tools that are out there and just, you know, the things that they can do and obviously, absolutely.

Speaker 2:

Look, from a basic, basic, basic level, like interviewing staff around their processes and what they do. A lot of that can be automated. A lot of it can be automated, and it's not necessarily just AI. It's using automation tools along with AI together to actually accomplish certain things. And yeah, you could be saving like a set, like even if you just achieved a 20% saving on people's time, it's huge.

Speaker 1:

Well then, they got more time to put into more creative.

Speaker 2:

You know, more time actually speaking to a customer, because exactly, I'll tell you what, with a lot of AI deepfake and pushing out fake videos and fake voice and data, people are going to get tired of it. Yes, real quick. Yeah, so what's going to become important is people are just going to push back to in-person real connection and talking.

Speaker 2:

That's what I want my sales people doing yeah like the easy stuff where it's like doing the background leg work and all that time. Speed that up, automate it, get it done like and and then spend time with the customer actually deliver value well, I think that people do see a lot of value in that face-to-face now, because we went so far the other way, after COVID and all that sort of thing, that now face-to-face is you know it has a lot of value.

Speaker 1:

I'd rather meet with someone in person than talk to them on a video call.

Speaker 2:

Absolutely. It's kind of like you know you make that call and it's like press one for this, press two for that, because I tell you what the AI agents are going to take that as well. You're just going to be talking to an agent and, you know, you might not even know Like it should get good enough that you're just going to be talking to someone and it's like, yeah, yeah, I'll put you through to wherever.

Speaker 1:

Too bad when you do say should we meet up in person? Yeah, exactly.

Speaker 2:

It's like well, that'll be hard.

Speaker 1:

Maybe not. Is there anything else that, before we move on to our exciting news, is there anything else that you'd like to add that you think executives or business owners should be aware of around AI and cybersecurity?

Speaker 2:

No, not more than what I've already said. There's definitely a risk. I was going to say the threats there, risk is there, et cetera. So it's got to be treated as such from a cyber security lens. Uh, but then also having a strategy and actually not like not sticking your head in the sand and ignoring it yeah, it's very important.

Speaker 1:

Yeah, well, I think that is the thing, isn't it? People have some. People have probably tried to pretend it's not happening, but it's coming fast there's a lot of oh.

Speaker 2:

We'll wait and see yeah, and I I think you you're going to be on the back foot if you wait and see any more. Yeah, I think you need to be moving, so even if you put the plan in place and then it kind of like you know, this has all been too much hype yeah, and it all falls flat. Well, at least you had a plan, in case it went forward.

Speaker 1:

Then you, you know what you're doing that's if it all falls flat, then cool like just shred your plan and move on, carry on, and I think, like you said, the most important thing is finding out what your staff are doing and what they're using. Absolutely, I mean, that's so important. So we do have some exciting news. You are going to be hosting a live event in a few weeks' time.

Speaker 2:

Yeah, absolutely. Uh, what I wanted to do is take what we've been speaking about and actually give a little bit more pragmatic advice around building out a strategy, what that looks like, what you need to be thinking about, so just spending a little bit more time going through getting ready. So, um, I will, I'll do a live event and, if you can't make it, obviously sign up and we'll send you the event after and, like you know, the AI readiness assessment that I've built out will be ready.

Speaker 2:

Off the back of that, we're just tweaking out a few little things at the moment, and then I'm bundling in an AI kind of usage policy as well for staff, if you don't have one. So you can have a template. So I'll be giving that away as well for free, so you can actually come and listen, I can give you some advice on what you need to be looking at, give you access to the AI assessment that you can go through yourself, you can get a report, you can book time with me if you need to. Off the back of that, if you wanted to speak about it a bit more, and we'll give you access to the policy templates as well.

Speaker 1:

Yeah, well, sounds pretty beneficial to register then. Yeah, like I would.

Speaker 2:

If you certainly not thought about it or you're starting to think about it, or wherever you are, this will just at least give you a bit of a boost. It's always helpful, you know, and every AI training that I've done this year, like it's mostly been for board and executive teams, but it's definitely been an eye-opener to see where it's going, what's happening. And then I haven't had a single company going, okay, well, that's not for us. All of them are going, okay, we need to be using this and getting on top of it and putting in some sort of plan.

Speaker 1:

Well, even just to be able to do that AI readiness, just to see where you're at. Yeah, absolutely, I mean, that's a great thing to be able to give to people complimentary. So we will be posting about it on our LinkedIn on Mercury IT. We're posting it on your LinkedIn, yep. So who should come along to that?

Speaker 2:

Look, I think it's generally executives, but also IT managers and so forth will also suit. But yeah, business owners, executives, board directors, CISOs, CIOs, IT managers, et cetera. I think it's all a good, because a lot of this is grassroots driven as well.

Speaker 2:

In other words, you'll have the IT. People might be across this a bit more than any other staff in the organization, so quite often they drive really really good initiatives that can get quick wins uh through the door. Uh, because sometimes if it's driven from a not understanding perspective and you just it's a little bit flaky, let's say yes, it doesn't go well because there's not enough understanding and guardrails of where it's going to go and what you're going to do yeah, it's kind of like isolating out.

Speaker 2:

Here's a work function that we can push forward and actually get full benefit from really, really quickly. So quite often that is driven from an R&T perspective as well.

Speaker 1:

So basically, what we're saying is everyone should register, definitely no it'd be great.

Speaker 2:

It'd be great to use your time. I mean, we'll probably keep it around 30 to 40 minutes.

Speaker 1:

Yeah.

Speaker 2:

And then I think there'll be some really useful information there.

Speaker 1:

And we'll record it. So yeah, if people can't jump on at the time, then we can send that out. Yep, excellent, well, certainly covered a lot, yep, and we'll pop some of those show notes that you're talking about.

Speaker 2:

Yeah, the reports that I was talking about, absolutely.

Speaker 1:

We'll pop that in there. And yeah, if people want to reach out to you on LinkedIn prior to the event, they can do that, or they can reach out to us at Mercury IT. So thanks for coming along again today.

Speaker 2:

Awesome. Thanks for having me.
