Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Read More

How to Maintain Security When Adding a Chatbot to Your Site

Read More

Categories Arrow

All Posts

How to Maintain Security When Adding a Chatbot to Your Site

Chatbots are all the rage these days. Their ability to facilitate contextual responses makes them incredibly useful for providing proactive customer service and improving user engagement. Many companies also use them to generate leads and boost sales.

However, this surge in popularity makes chatbot technology a prime target for cybercriminals. Bad-faith actors are quick to exploit vulnerabilities, which can result in significant financial and reputation losses.

Should you embed chatbots on your website? Probably, but only after understanding the potential security risks and how to protect against them.

Collecting Data Makes You a Target

Chatbots have evolved in recent years from basic rule-based bots with prewritten questions and answers to advanced conversational AI systems capable of answering complex queries in a more human-like way.

One thing that has remained constant at every step in this evolution is data collection. Chatbots depend on the information they gather to function correctly. Some of it can contain sensitive personal information, such as when customers enter their full legal name, geo-location or payment information.

This wealth of data makes chatbots a target for hackers.

Understanding Chatbot Security Risks

Chatbots have two main types of cybersecurity risks: vulnerabilities and threats.

Vulnerabilities are unintentional flaws or gaps in a system’s security — the same way that forgetting to lock your door makes your home vulnerable to intruders.

Even the most robust systems could have potential vulnerabilities, usually from insufficient security protocols and missing data encryption.

Sometimes, vulnerabilities arise from human error, such as carelessness and cybersecurity fatigue. These inefficiencies impact productivity and can lead to more incidents of security lapses. For example, a study by 1Password revealed that 26% of employees had left work halfway through just so they wouldn't have to log in.

On the other hand, when cybercriminals attempt to exploit chatbot system vulnerabilities, their actions are collectively known as threats. Successful exploitations can result in organizations being locked out of their data. Often, the only way to regain access is to pay a ransom. Threats are also hugely problematic if hackers impersonate a company because they diminish customer trust and open the doorway to legal issues.

Examples of Chatbot Security Risks

Here are some chatbot vulnerabilities and threats an organization may be exposed to:

Source Code Vulnerability

Vulnerabilities in the source code allow hackers to attach an endpoint to extract data, tamper with the application or even erase everything.

A recent example is ChatGPT’s data breach in March 2023, which exposed sensitive user data such as leaked chat history and billing information. The attack resulted from an exploitation of its Redis open-source library.

Source code vulnerabilities often go undetected since thousands of developers access and build on them.

API Vulnerability

If you’re adding a chatbot to your site, you’ll likely do so through an application programming interface (API) integration. This mechanism allows the chatbot software and your website to communicate with each other using defined parameters and protocols.

An API is like a data bridge between your web application and customers. Exploiting vulnerabilities here allows hackers unauthorized access to sensitive information such as passwords and personal customer data. Examples of threats from API vulnerabilities include prompt injection attacks, cross-site scripting (XSS) and DDoS attacks.

Data Set Poisoning

Chatbots are trained on vast amounts of information from the internet. What happens if the source material contains corrupted data?

In February 2023, an MIT research team manipulated a chatbot into acting outside its bounds by poisoning the data set used to train the model. As a result, the chatbot output also became tainted, presenting false information, such as tagging a particular image as NSFW when it wasn't.

Malware Distribution

Hackers use malware attacks to gain access to a system’s backend. This can happen in different ways, but the underlying process involves introducing malicious code into the system, such as viruses and spyware.

One of the most common ways to initiate malware distribution is by exploiting vulnerabilities in the chatbot. For example, if a chat system allows users to upload photos or documents, hackers could use that to upload a malware-ridden file. Once in, they can infiltrate the database to steal information or manipulate the system to entice people to click on malicious links or download infected files.

Protecting Against Chatbot Security Risks

The global chatbot market is expected to reach over $3.4 billion by 2023, so it’s safe to assume that chatbots are here to stay.

There may be huge cost savings in the offing, too. Gartner predicts deploying conversational AI in contact centers will save $80 billion in agent labor costs by 2026.

The task for organizations now is to ensure they put up the necessary protection measures to safeguard their systems. These include:

1.    Install Only Certified Chatbot Systems

The chatbot system you install should meet certified security standards such as ISO 27001, the industry standard for information security management systems. This certification means the chatbot provider has a plan to mitigate data security risks.

2.    Establish Proper Authentication Procedures

Set your chatbot application to use external authentication methods, such as two-factor authentication and biometric scans. This measure adds another layer of security that can help prevent impersonation by fraudulent actors.

3.    Insist on End-to-End Encryption

This method encrypts data transfer from the origination point to the destination. End-to-end encryption ensures that only the sender and intended receiver can see the message or transaction with the chatbot.

4.    Require User to Sign Up

Cybercriminals like easy targets. Requiring website visitors to become registered users before they can access the chatbot application can be an effective measure for deterring would-be hackers.

5.    Educate Employees

Human error and negligence remain the biggest risk factor in cybersecurity. In its 2022 Global Risks Report, the World Economic Forum traced 95% of cybersecurity breaches to human error. Regularly training your employees on key processes and safety procedures is paramount in improving cybersecurity.

Take Steps to Ensure Chatbot Security

The benefits of integrating chatbots into your business processes are undeniable, as are the security risks. Implementing these measures is only a starting point. Cyber threats and vulnerabilities evolve all the time, so be proactive and commit to ongoing learning about the latest security methods to stay ahead.
Zac Amos
Zac Amos
Zac Amos is the Features Editor at ReHack, where he covers trending tech news in cybersecurity and artificial intelligence. For more of his work, follow him on Twitter or LinkedIn.

    Recent Posts

    Astronaut on a rocket

    Related Posts

    ISA/IEC 62443 and Risk Assessment: New Horizons in the AI Revolution

    Risk assessment has long been an important component of any cybersecurity program and operation for organ...
    Mohannad AlRasan Apr 26, 2024 7:00:00 AM

    Should ISA/IEC 62443 Security Level 2 Be the Minimum for COTS Components?

    A recent white paper published by the ISA Security Compliance Institute (ISCI) and its ISASecure certific...
    Liz Neiman Apr 23, 2024 5:18:27 PM

    How to Secure Machine Learning Data

    Data security is paramount in machine learning, where knowledge drives innovation and decision-making. Th...
    Zac Amos Mar 12, 2024 11:10:47 AM

    The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence and is the trusted provider of standards-based foundational technical resources, driving the advancement of individual careers and the overall profession. ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world.


    The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

    We're on social media. Keep in touch!

    © 2024 International Society of Automation. All rights reserved.