B2B AI companies need higher cybersecurity standards

AI companies often imagine themselves as the bleeding edge of the tech industry. But many otherwise fast-moving AI startups are falling short in one essential area: cybersecurity.

Companies looking to find corporate clients for their AI products too often lack system and organization controls (SOC) that specifically address AI considerations or a HITRUST certification to prove they are taking steps to secure client data gathered by an AI from exposure, mismanagement or theft. And corporate clients won’t do business with companies that can’t protect their data.

Keep reading to learn how you can take steps to improve the security of your AI products in order to meet the needs of potential corporate partners.

What are the key cybersecurity risks facing AI companies?

Data security is the main cybersecurity challenge that AI companies face. While AI itself can be used to create phishing scams or strengthen cyber defenses by reviewing code for flaws, companies need to focus on securing the data within their own systems and client-facing AI products before worrying about anything else.

• Many AI companies are growing exponentially overnight. This means they lack a strong cybersecurity foundation, even as they began rapidly collecting data from large numbers of users.
• All that newly collected data is vulnerable to cyberattack. It can also be unintentionally shared with other clients if the right controls aren’t in place.
• AI allows companies to work faster than ever. But it also makes it easier to make mistakes.
• Data access is a huge component here. Consider: Who has access to your data? What tools are being used?
• Data integrity is also an essential factor. When used for training AI models, data needs to be accurate, unbiased and inclusive in order to provide useful results.
• If your company is using third-party AI tools as part of your workflows when building your own products, you need to know whether those tools come with enterprise-grade data security. If not, that’s another vulnerability for your own data.
• Corporate clients looking to buy AI tools for their own employees expect that same enterprise-grade data security, as shown by completing a SOC audit or earning HITRUST certification. If your product doesn’t offer that, you’re out of the running.

What is a SOC audit or HITRUST certification?

If you want to sell your AI products to other companies, you need to demonstrate SOC attestation or HITRUST certification. SOC and HITRUST are two cybersecurity assurance frameworks you can use to prove to your clients that your AI product is secure.

To prove that your product meets one of these standards, you must first pass a SOC audit or earn HITRUST certification. During a SOC audit, for example, a CPA will assess how your company is controlling and protecting your data. This assessment will consider your company’s specific circumstances and will result in you either passing the SOC audit or getting recommendations to implement so that you can pass in the future.

A standard SOC audit measures five key areas:

1. Security: Your systems are protected from unauthorized external access.
2. Availability: Your systems are available for normal use.
3. Confidentiality: Data and information are both protected and accessible for those who have a legitimate reason to access it.
4. Processing integrity: Your systems operate effectively and in a timely, accurate manner.
5. Privacy: Personal information is only collected and used in accordance with an appropriate privacy policy.

How should AI companies improve data protection and cybersecurity?

If your company is building AI products, you should take steps to strengthen your data protection and cybersecurity practices. These include doing a cyber risk assessment, setting security objectives, ensuring good coding practices and ultimately, preparing for and passing a SOC audit or HITRUST assessment.

You should also think about what your end users want from your product. How are the AI tools you’re developing being used? This question matters because the answer can help you better understand how to protect those users’ data.

Creating your cybersecurity and data protection policy

If you don’t have one already, you should create a cybersecurity policy to guide your team. Key questions to ask internally as you develop a policy include:

1. What are your security objectives? Define your core challenges from a cybersecurity and data protection perspective.
2. What steps do you need to take to meet those objectives? Create the framework for a new cybersecurity policy. This will likely include a cyber risk assessment and getting a SOC report or HITRUST certified.
3. How are you going to implement your security policy? Think about the practical resources, team members and other support you’ll need to start enacting your security policy.
4. How are you going to test your AI and try to break it? Cyberattackers will likely try to get your AI product to do things it shouldn’t, like revealing client data. So you should test your AI for weaknesses yourself. Try to create clever prompts that will break your AI’s normal operating parameters or see if you can get it to disclose information that should be private.
5. What threats and challenges could interfere with your ability to meet your security goals? In addition to external cybersecurity threats, consider internal roadblocks such as a lack of awareness around the need for data protection.

A NIST RMF framework can help AI companies create a cybersecurity policy

AI companies looking to develop a cybersecurity policy can look to the NIST AI risk management framework (NIST RMF) for guidance. Following this framework is a good way to prepare for a SOC audit or for earning HITRUST certification.

There are four core functions to NIST RMF:

• Govern: Creating governance processes within your organization to support developing AI in a sustainable, ethical way.
• Map: Identifying risk areas throughout all aspects of your AI product’s lifecycle.
• Measure: Establishing KPIs to evaluate AI-related risk, privacy or cybersecurity vulnerabilities.
• Manage: Developing and implementing strategies to mitigate risk, bias and vulnerabilities within AI products or systems.

People are essential to AI cybersecurity

While AI can be used to automate certain tasks previously done by hand, AI cybersecurity itself demands a human touch. As you test your AI models for security flaws, it’s essential that human oversight remains a major part of the process, lest you miss key holes in your defense perimeter that automated reviews aren’t sophisticated enough to catch.

Here, it can be helpful to work with an outside advisor who specializes in cybersecurity. An advisor can assess your controls, test your cyber defenses and make recommendations to help you pass a SOC audit or earn HITRUST certification.

This can also save you time and money. AI is expensive — compute is a massive cost center for most AI companies — so leveraging an experienced advisor can help you avoid missteps that slow your work and strain limited resources.

How Wipfli can help

We help AI-first businesses to strengthen cybersecurity. Ask us to assess your needs and help you protect your data and pass a SOC audit or get HITRUST certification. Start a conversation.

Read more

• Key differences between SOC for cybersecurity and SOC 2
• HITRUST is essential for security compliance
• HITRUST vs. SOC 2 and the best path to data compliance