Enterprise Security Considerations For Chatbot Deployment
As more companies adopt chat platforms like Slack, Hipchat, Microsoft Teams, and Google Hangouts, there is a good chance bots become a big part of these installations. As a new category of software, with a different, text based, user experience, chatbots present some unique challenges to the I.T. department that is tasked with vetting new software and protecting corporate data. As a company building an enterprise chatbot that replaces an I.T. or H.R. service desk, we’ve thought a lot about this issue. Most of us have been at enterprise software companies before and we understand the issues that affect enterprise deployments.
We wrote a full ebook about Security Considerations For Enterprise Chatbot Deployments, but if you just want the gist of it, the key points are below:
- Employees treat the chatbot as another “system” and assume that it already properly handles information that it is given. People are used to relying on system controls like roles/permissions; but regarding bots, they should be treated as people and not reveal information that is classified as sensitive.
- Chatbots can’t easily distinguish what is sensitive and what is not, potentially revealing information to the wrong parties. Does the bot have an information classification scheme?
- Chatbots by their nature are freeform and may lack data integrity/input validation controls, where data in a traditional system would be more strongly typed. Data validation becomes an issue and bot-makers need to specifically account for that. For example, a new vendor setup bot, the TIN could be entered a number of ways, bank routing code, etc. The bot should ask the user to re-enter the data to ensure it is valid.
- Ask 5 people the same question and you’ll probably get 5 variant answers. How does the bot reconcile truth, and can it be easily manipulated? Can internal company politics and decisions be manipulated by feeding the bot “your version of the truth”?
- Chatbot vendors: How do I know who has access to what? Can their employees read my interactions with the bot, knowing insider information, selling to competitors or insider trading with that knowledge? How can I trust the chatbot vendor? Is data encrypted at rest/how are encryption keys managed?
- Chatbot vendors: Now that we rely on a chatbot for business, how is chatbot availability managed? What if it goes down? Are the insights somehow backed up?
- Chatbot approval: What is the internal process for installing new chatbots? How are they evaluated, how are risks identified, who sets up? Or is it free for all like shadow IT.