Federal Law No. 152 “On Personal Data” is in force in Russia, recalled Konstantin Larin, head of Bastion’s Cyber Intelligence department. It establishes that it is prohibited to collect, process and use personal data: names, addresses, date of birth, etc. – without the consent of its owner. If the user has given consent, the service must ensure the protection of information during processing.
Technically, a chatbot is equivalent to any service or website on the Internet. Like other solutions, it works with databases to provide a response to the user. Consequently, at the legislative level the same data protection requirements apply to it, explained Flowwow technical director Dmitry Shesternin.
To ensure protection, an end-to-end cybersecurity infrastructure at various levels is needed, said Maxim Buzinov, head of the research and development laboratory at the Center for Cybersecurity Technologies of the Solar Group of Companies.
First of all, this concerns the protection of the communication channel using data encryption technologies and WAF class solutions. When attacking users, hackers exploit vulnerabilities in the authentication systems of personal accounts and chatbots and “hijack” cookies to control accounts and gain access to communication history. The most vulnerable industries in this sense are fintech and e-commerce, since they massively use open source in the development of online services and applications for clients.
“An additional risk is unverified data sets used to develop scripts in chatbots. And if developers skip the stages of verifying code and data sets, there is always the risk of triggering “flags”, which will lead to the loss of personal data. of users,” Buzinov added.
The second line of protection should be provided by data storage infrastructure: DLP platforms, solutions for managing access to user data.
In addition, some companies often outsource chatbot support services to contractors, so they should also be included in the end-to-end cybersecurity infrastructure, the expert clarified.
Additionally, developers can use the accumulated data to further train their chatbots. In this case, all data entering the training set must be anonymous and free of sensitive information, Larin said.
However, no technology guarantees complete protection. According to Stanislav Polyansky, product owner DION.Chat of corporate communication platform DION (T1 Holding), employee awareness of cyber threats is important.
As for chatbots in Russian companies, it is still difficult to talk about their complete security, the interlocutor believes. Most of them operate on third-party platforms, for example, on public instant messengers, which limits the monitoring capabilities of information security specialists.
“It is essential that companies use corporate unified communications platforms; it is precisely these solutions that make it possible to provide the necessary level of protection and control over chatbots, as well as successfully integrate them into the organization’s IT infrastructure,” emphasized the expert. .
As explained by Alexander Strelnikov, an expert in the field of artificial intelligence at Axenix, cloud bots and on-premise bots. In the first case, there is a risk of personal data leakage, but in the second, “the situation is much better”, since everything remains within the client’s circuit, nothing escapes. All large companies in Russia focus on local bots. They can only use cloud robots as chat rooms.
To avoid accidentally becoming a victim of chatbots, Buzinov recommended not revealing personal data, personal information, payment information and contacts in conversations with them. It is also worth checking the authenticity of the resource in advance.
“The user should trust confidential data in correspondence with a chatbot only if it is a communication channel with large and trusted companies, for example, banks or technology corporations. These actors have a high priority to ensure security, which is often a complex and expensive process. “, – added Arseny Kondratyev, senior director of Axenix’s software development practice.
