Risk is a product of likelihood and impact. Something can have an extremely low likelihood of happening, like your parachute failing. But if the impact of that failure is catastrophic, then the risk itself is not low.
We can vet and monitor staff so that there is a low likelihood that they will breach our security. But if that once-in-a-blue-moon spill is of our most sensitive data, the impact will be disastrous. So even with the best personnel and perimeter security, more challenging than ever post-pandemic, we can’t manage the risk to an acceptable level.
What we must do, and can now do using artificial intelligence, is reduce the impact.
That means knowing where our highest-risk data is and who is doing what to it. We need to allow people to work and collaborate effectively, but limit their access to the riskiest data.
‘Risk’ can be many things, not just security-classified data or Personal Identifiable Information, and to date, it has been hard to quantify. We have relied on individual staff to understand what ‘risky data’ looks like and to mark or label it everywhere it appears. But AI is changing this.
- One (unclassified) federal department has identified a range of specific topics in their business that would have adverse outcomes for international relations, for example, if spilled into the public domain. As such, it has used AI to automatically detect any instances of those across the network.
- One state government department has used AI to find everything related to sexual assault across their legacy child protection databases, detecting 60,000 flags in previously unsearchable systems so that they can be preserved and properly protected.
- One university has used AI to map its secrecy obligations under Acts and Regulations to identify which data would have civil or criminal penalties for unauthorised disclosure. And many councils, regulators, and critical industry providers are now using AI to identify spills specific to their risk context so that they can be immediately treated.
Using AI means we can harden (or dispose of) the riskiest data, significantly reducing the impact of an inevitable breach.