Are Employees Thinking Before Sending Sensitive Company Data to LLMs? Think Before you Type!

We are pleased to introduce Prof. Dr. Dennis Kenji Kipker’s answers about cybersecurity, AI, LLM, and more in this interview. Prof Kipker is the Research Director at cyberintelligence.institute and Board Advisor of Nord Security. 

He remarked on due diligence obligations on the part of companies and emphasized fostering a holistic approach to solve the ever-growing puzzles of cyber threats. He expressed concern over AI users' trust in LLMs, where they enter important details that could be traced by others.

Prof. Kipker touched upon the cybersecurity legislation in the European Union and the rapid adaptation of the same among other countries for the ease of exporting digital products to the EU.

Read the interview to get more information about how Germany handles cybersecurity, and the need for companies to take the mantle on their shoulders to train employees about good cyber hygiene practices.

Vishwa: Please share your views and vision about AI and cybersecurity.

Prof. Kipker: Cyber threats are growing, as are the due diligence obligations for the companies concerned. More and more, we need a holistic view of the topic that not only looks at cyber security in terms of new threats, but also in a solution-oriented way in terms of best practices. 

Products for better protection of IT systems play a role here, such as secure and encrypted communication, but also compliance with and implementation of regulations. 

In an age of disruptive technologies - and AI is definitely part of this - we need to rethink and break new ground. And I want to achieve this with research that is as practical as possible at the interface between science and business.

Vishwa: Could you provide details about the cyberIntelligence.institute (CII), its projects, the focus on digital resilience, and your vision as its Research Director? What are the resources that are offered to newer talents to work on innovation and ideas?

Prof. Kipker: The cyberintelligence.institute (CII) sees itself as a transformation institute at the interface between science, business, politics, administration, and civil society. We want nothing more than to achieve greater cyber resilience through European innovation. 

New questions, problems, and challenges reach us every day. We analyze these based on scientific principles, but our work does not end here: 

Based on the identified structural deficits, we build solution-oriented transformation projects together with our funding partners in order to actively tackle these challenges. With this in mind, we are not only looking for cybersecurity experts, but also all-rounders with a wide range of interests who take a holistic and solution-oriented view of the issues, and are happy to think outside the box to solve problems.

Vishwa: ChatGPT-4o takes in user images to generate Studio Ghibli-style portraits. This garnered criticism from cybersecurity researchers and experts. What measures can companies take to maintain user data privacy while enjoying the freedom of exploring AI capabilities?

Prof. Kipker: AI's users are too trusting - this applies to the data entered on the one hand, but also to the results output on the other. It is not only companies that need to be much more aware of this than has been the case to date. 

For example, I have often seen company employees enter business secrets into large language models - without knowing that this data could possibly be output by another user. Companies are not only required to raise awareness and train their employees, but also to develop and enforce clear AI guidelines.

Although many companies already use AI extensively, they have not established any governance processes.

Vishwa: In what ways is the government of Germany open to working with companies and offering resources, guidelines, and help before and after it suffers a data breach?

Prof. Kipker: In Germany, we have a very strong national cyber security authority with a comprehensive legal basis, powers, and economic and personnel capacities. In the past, cooperation with industry and the affected companies has been significantly expanded in the sense of public-private partnerships in order to sustainably improve preventive cyber security.

Nevertheless, the cyber threat level in Germany is currently still high and many companies are still being successfully attacked by cyber criminals. The German cyber security authority, the BSI, is therefore providing a limited number of emergency teams and contact points to support companies affected by a cyber attack. 

The individual federal states are also responsible for this, each of which has established local cyber security contact points for local companies.

Vishwa: Could you share your observation about cybersecurity regulations based on countries that need more attention than others, loose ends to be addressed, and the workforce and expertise requirement, keeping their rate of cyberattacks over the past few years in mind?

Prof. Dennis: The level of cybersecurity currently varies greatly in a global comparison - but the fact is that the issue is being actively addressed politically and by regulation by a large number of governments, because cyber threats do not stop at national borders. 

In the European Union, we have largely uniform legislation on cyber security, but this is enforced with varying degrees of intensity by the member states. Smaller countries, in particular, have fewer capacities and options. 

In the USA, on the other hand, which has contributed a great deal to the topic in the past, we are currently seeing an increasing decline in the level of cyber security due to the massive cuts made by the new Trump administration, which is a worrying development. 

At the same time, however, we are also seeing countries around the world adapting their cybersecurity legislation to European regulations - partly to make it easier to export digital products to the EU.