Technologies like AI can be game changers in any business environment—but it takes an experienced, trusted partner to harness that power by developing innovative solutions that incorporate data and cybersecurity components. That’s a mega opportunity for MSPs over the next several years and now’s the time to get started.
Tycho Löke, pre-sales consultant at PeopleRock, shared several strategies for implementing effective data classification and access controls, while addressing the risks of freeware AI tools and shadow AI, in a session at the CompTIA EMEA Member & Partner Conference. He will also present the strategies at the CompTIA Community – Benelux meeting 6 February in Mechelen, Belgium.
To start, MSPs need to know what AI can do, should do, and can’t do, Löke said.
“AI is doing good things. I still get stupid answers, and I know how to prompt. Right now, generative AI is a high schooler using AI. It will get better, but it cannot determine what’s critical for your organization,” he said. “I asked AI for every financial document in my organization. I didn’t get it because it didn’t have access to everything. That’s important. If unauthorized AI applications bypass your security measures, they could gain insights into how you’re safeguarding your organization's data. Leveraging AI responsibly, data classification and access control are all important.”
Löke shared six overarching strategies to harness AI, data and access control effectively:
- Get a security-first culture
- Lead by example
- Promote open communication
- Provide regular training/awareness
- Embed security in your daily operation
- Recognize and reward secure behaviour
Data Classification
Data classification is a way to organise your data by naming and tagging it so that it can be accessed and monitored. One process MSPs can follow for data classification is to:
- Identify sensitive, high-value data
- Discover or know its location and accessibility
- Classify according to the data’s value in the organization
- Secure through control and protection measures
- Monitor, measure and evolve security practices
“A lot of people forget about monitoring it. They think, ‘Cool. I tagged it’ and that’s it,” Löke said.
Classifying your data to leverage AI is critical because AI takes all your data and analyses it to provide answers to your questions or business problems. The better your data is classified, the more reliable your AI output will be, according to Löke. “The whole reason for AI is to be a better search engine than a person.”
Once your data is organized, determining who can access it and when and for how long becomes important. For example, you wouldn’t want just anyone to have privileges to view all a company’s financial records.
“Classifying what you can access makes it more precise and useful to your company,” Löke said.
A common access structure for data is public, internal, confidential and restricted, Löke said.
“Public data you share with everyone. That’s your company logo, which is probably not going to be restricted. Internal data, you don’t want people seeing your price list. We don’t want to show that around the whole web. Restricted data, you’re thinking only the CEO can see it or the CFO and no one else.”
AI, data classification and access control are core building blocks for developing regulation-based solutions that can help organizations comply with GDPR, ePrivacy or other regulations. “In the Netherlands, we have six or eight different health care laws alone,” said Löke.
A quick poll of attendees at the EMEA session highlighted that most MSPs have a lot of work to do around data classification: 92% were either not confident or somewhat confident about their organization’s current data classification practice. Only 8% were very confident.
Access Control
Giving the wrong people the wrong access to your company’s data can ruin your reputation—or worse. The largest GDPR-related fine to date, about 35 million euros, is the result of an organisation that didn’t classify its data and had insufficient compliance controls, according to Löke.
“Plus, you have the operational costs to fix it, and there’s no trust now. Nobody wants to go there anymore,” he said.
Access control determines who can access data and what actions they can perform, guided by the data’s classification. It’s essential for enforcing data classification rules and ensuring that both human users and AI systems interact with data appropriately.
Löke shared several access control protocols for MSPs, including:
- Role-based access control: Access based on user roles
- Attribute-based access control: Access based on user attributes and data classification
- Discretionary access control: Access determined by data owners
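The following is an added example, not code from the talk or from PeopleRock: a default-deny filter that applies the four classification levels to human users and an AI tool alike before any document is retrieved, and records every decision for monitoring. The role names, the role-to-clearance mapping, the department rule and the sample documents are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# The four levels named in the article, ordered least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed role-to-clearance mapping (the RBAC part); role names are hypothetical.
ROLE_CLEARANCE = {"guest": "public", "employee": "internal", "finance": "confidential",
                  "cfo": "restricted", "ai-assistant": "internal"}

@dataclass(frozen=True)
class Doc:
    name: str
    label: Optional[str]   # classification tag; None means never classified
    department: str

@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    department: str

def can_read(p: Principal, d: Doc) -> tuple[bool, str]:
    """Return (decision, reason). Anything unknown is denied."""
    if d.label not in LEVELS:
        return False, "unclassified document"
    clearance = ROLE_CLEARANCE.get(p.role)
    if clearance is None:
        return False, "unknown role"
    if LEVELS.index(d.label) > LEVELS.index(clearance):
        return False, f"{d.label} exceeds {clearance} clearance"
    # ABAC part (assumed rule): above 'internal', departments must also match.
    if d.label in ("confidential", "restricted") and p.department != d.department:
        return False, "department mismatch"
    return True, "allowed"

def retrieve_for(p: Principal, corpus: list[Doc], audit: list[tuple]) -> list[str]:
    """Filter the corpus before it reaches the user or AI tool; log each decision."""
    visible = []
    for d in corpus:
        ok, reason = can_read(p, d)
        audit.append((p.name, d.name, ok, reason))
        if ok:
            visible.append(d.name)
    return visible

# Constructed sample data, not from the article.
CORPUS = [Doc("logo.png", "public", "marketing"),
          Doc("price-list.xlsx", "internal", "sales"),
          Doc("q3-ledger.xlsx", "confidential", "finance"),
          Doc("board-forecast.docx", "restricted", "finance"),
          Doc("old-export.csv", None, "finance")]
```

The audit list is what makes the "monitor" step possible: denied entries with the reason "unclassified document" show where tagging is still missing.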
AI Tools—The Good and Bad
When it comes to choosing AI tools or applications, start testing/using some internally, pick what works best for you and then introduce it to clients.
There are many freeware tools available, but keep in mind that you may not know how those tools are accessing and sharing any data you input—including proprietary information for you or your clients. That becomes problematic—or worse—if you’re subject to compliance regulations or laws.
“If I share my whole marketing strategy with a free AI tool, I probably would not have a job much longer,” Löke said. “Be aware. Everybody in your company has probably touched a freeware AI tool.”
He noted a colleague who put all their passwords and user logins in an AI tool and asked, “Can you help me make my passwords better?”
“That’s really scary. Now that information is available, and it allows to link your personal accounts and data. It’s difficult to prevent ‘shadow AI,’” Löke said. “Make people aware AI is not a magic tool, freeware and shadow AI are not magic tools. It’s critical to know what data belongs to your company, and where it is.”
Actionable steps for organizations considering AI are:
- Conduct a data inventory
- Define data classification categories
- Implement access control
- Train employees on best practices
- Regularly monitor and audit data
“It’s a circle. That’s why data classification, access control and AI go hand in hand,” Löke said. “AI cannot determine what’s critical for your organization, but access is important. I asked AI for every financial document in my organization. It didn’t because it didn’t have access to everything. AI is something you consolidate in a container. I still get stupid answers, and I know how to prompt. It will get better, but right now think that generative AI is like a high schooler using AI.”
The Role of Culture in Data Security
Finally, Löke discussed the importance of culture in data-secure environments and organisations:
Get a security-first culture in your organisation. “It’s not easy, I know. Security is everyone’s responsibility, not just security personnel.”
Lead by example. “Brag about it. If you caught a legitimate spam email, make your coworkers aware you got this. It’s very easy to click one button.”
Promote open communication. “Please, talk with each other to promote cybersecurity within your company.”
Provide regular training/awareness. “Do those tests!”
Embed security in daily operations. “We have an automated security system that sometimes turns off non-critical things in the system. So, test it, regularly, not once a year. It can’t be ‘Yay, we did a phishing test two years ago.’”
Recognize and reward secure behaviour. “Gamify it. Have people that report spam and do something fun with it. The person responsible for reporting the most spam gets a bottle of champagne or something like that. The more you report that something seems sketchy, the smarter everyone gets. The biggest challenge your organization faces in data security.”
Overall, it behooves MSPs to get started—do something—as opposed to waiting for … something.
“Time is precious. I get that. But it’s creating a mindset,” he said. “Start with something easy. Just be aware there are threats. Done, simple. Talk to your neighbour, let them know there are threats. Then start looking at tools.”