Tool Approval: You could include a note about a procedure to approve AI tools before they’re used, especially for work that involves private or company-sensitive information, such as “Before using a new AI tool, check with the security or IT team… Make sure it’s on the approved list.”

Human Accountability: Consider stating that they, the person, not AI, are ultimately responsible for decisions and documents they send out. AI suggestions should be reviewed by someone who understands the context, especially since AI is prone to hallucinations, trying to please the user, and being out of alignment with your culture. For example, “If an AI tool writes an email or gives advice… read it before sending it out or acting on it.”

Confidentiality Protection: Remind employees not to share confidential company or customer information with AI platforms unless approved. Such as “Don’t copy and paste customer names, contracts, or financial reports into any AI tools unless explicitly approved in writing.”

Incident Reporting: To help drive home the seriousness of privacy, tell them to notify you with wording such as “If an AI tool shares the wrong info or leaks something by accident… report it like you would a security breach.”

Usage Boundaries: You could state what activities are acceptable to use AI (e.g., summaries, brainstorming) and where AI is not allowed (e.g., signing contracts, making hiring decisions) such as “AI can help draft ideas or summarize documents and produce narratives… but don’t use it to make final calls on people or legal stuff.”

Work Documentation: Consider telling people to save a copy (or cc someone) of all AI-generated work outputs, especially if they’ll be used in decisions or presented to clients. For example, you could say, “If an AI tool creates something you plan to use or send… save a copy of the input and output so we can check it later if needed.”

Ethical Guidelines: Include something about the ethical use of AI tools, such as: “Only use AI tools in ways that are ethical, fair, and respectful of others. Just because a tool can do something doesn’t mean it should.”

Risk Assessment: You could also get them to think a little more by saying, “Before using AI for something any task… ask yourself: could this create bias, mislead someone, or share something private? Ask us if you have any doubt.” (you might want to replace “us” with a specific person).

Harassment Prevention: Address using AI for harassment or anything that violates someone’s rights. For example: “Never use AI tools to create or spread harmful, threatening, or harassing content. Report it right away if you see it.”

Societal Impact: You could also include text to get your team thinking about AI’s effects on people and society. For example, “When using AI, ask whether it could hurt someone’s rights or reputation or lead to larger problems in society… If in doubt, stop and ask.”

Mandatory Training: Providing training is essential for AI use. Include a clause that employees must participate in training about responsible AI use. You could phrase it: “We’ll offer training to help you understand how to use AI safely and fairly… and you must participate.”

Approved Tools: Mention the AI tools you have approved. You might say, “The only allowed AI tool(s) at (your organization’s name) is/are the (tool or tools) using the identity and credentials you’ve been provided by (your organization’s name). No other versions, nor any other AI tools, are allowed and are expressly prohibited unless explicitly approved ahead of time by (person’s or department’s name). Don’t sign up for AI tools using your work email or passwords unless approved.”

Usage Monitoring: Some tools help your IT team track and block access to AI tools. You might consider adding some accountability, such as: “AI usage can be so dangerous that we are keeping records of which tools you use so we can refer to that information later if there are any problems.” (This is an example of when it is essential to ask your organization’s legal counsel whether monitoring what sites they go to is okay.)

Data Ingestion: Caution them about the ingestion of data. An example would be, “Be aware that AI tools with document or email access permissions may ingest, index, and learn from content you create, even if you delete it later, from documents you save, including spreadsheets and letters, and unsent emails. Even if you delete content later, the information may remain accessible through AI systems that have previously processed it. Never enter sensitive, confidential, or potentially problematic content into any document or email draft, even temporarily. If you use the previously common practice of typing emotion-filled documents while “venting,” even if you never intend to share the information, use handwritten methods rather than documents or email messages.”

Meeting Privacy: Be sure to address that online meetings are no longer completely private due to AI. Something like, “Know that meetings are no longer private spaces to have conversations. Content discussed in meetings may be captured in AI-generated transcripts, summaries, or recordings, making even previously casual conversations potentially discoverable in legal proceedings. Avoid discussing sensitive personnel matters, confidential information, or ‘off-the-record’ topics in meetings where AI transcription or summarization tools are active. With some commonly used operating systems and tools, this recording is always enabled and difficult to block.”

Summary Review: Give guidance on meeting summaries, such as “Disable automatically sending AI-generated meeting summaries to attendees. As the meeting organizer, you must review summaries to ensure accuracy before sending them. AI technology can be prone to hallucinations and errors in transcription, especially if the audio quality is less than optimal. People may use the summaries to make decisions, so the summaries must be accurate.”

Policy Updates: Document that you’ll be updating your policy regularly. You could include “Check this policy at least once a month or when we ask you to. We will update it as new tools, laws, risks, or AI-related situations arise.”

I’m not a lawyer, and this is not legal advice; check with your legal counsel. These are essential aspects that some organizations later wish they’d included after they experience a bad outcome. As you review this list, you may think of other aspects specific to your organization or industry that you want to include.

A solid AI policy is essential. Please forward this to your friends so they can help ensure they’ve included often overlooked parts, too.

The post The Executive’s AI Policy Checklist: Is Yours Missing These Essential Clauses? appeared first on Foster Institute.

AI models are trained to align with human values and never tell people how to cause harm. This is called “AI Alignment” training. New research reveals advanced AI models can give answers that demonstrate harmlessness during training and testing, only to drop the “harmless” act while operating in the real world. This doesn’t mean AI will hurt us all soon, but it raises serious concerns about whether the models are actually aligned with human interests.

To score well on your exams, did you ever choose answers you knew the professor wanted, even if you disagreed? Surprisingly, advanced AI systems seem to have developed a similar capability, giving fake answers to match what trainers want during AI alignment training. Scientists at Anthropic, an AI company valued at $18 billion and backed by Amazon and Google, explored this phenomenon in their paper “Alignment Faking in Large Language Models” in December 2024.

But hold on; those two paragraphs are written from the perspective that AI is like a human. It is essential to remember that AI models don’t have intentions or motivations like humans do. The observed behavior is not a conscious decision to deceive humans but results from the training process. Rest assured that scores of people are working on solving this problem and keeping AI results “safe” for humanity. When alarmist people predict AI will get out of control, it is more that our programming is flawed; most of us do not believe AI is making conscious decisions.

For businesses using AI tools, this means, from now on, to use AI responsibly, you must evaluate AI answers in two ways:

1. As always, check if the AI is hallucinating and giving wrong information accidentally
2. And now, pay attention to whether the AI’s responses align with your values and safety guidelines

The research published in the aforementioned article suggests that in regular conversations when AI doesn’t “think” it is being trained or tested, it’s more likely to give straightforward responses based on its core training.

Unfortunately, the discovery that advanced AI has evolved to give fake answers gives skeptics another reason not to trust AI.

As AI becomes more powerful, business leaders must be cautious and aware of risks as well as benefits.

My speeches about AI have focused primarily on its benefits. I’m creating new presentations about managing the emerging AI security risks that responsible business leaders must consider.

As AI becomes more powerful, business leaders must be cautious and aware of risks and benefits. At least I know my dog isn’t lying to me… I hope.

The post Your Advanced AI Models Are Now Learning to Give Fake Answers appeared first on Foster Institute.

Considerations for Workplace Operations

Loss of Electricity: Without power, most businesses would experience an immediate halt in operations. This affects everything from lighting to the operation of computers and machinery. Companies that do not have backup power sources might be unable to continue any form of production or service delivery.

Water Supply Disruption: The loss of water would impact sanitary conditions and halt processes that require water, affecting sectors like manufacturing, food and beverage, and healthcare services. It also raises serious concerns for employee welfare at workplaces.

Natural Gas Outage: For companies relying on natural gas for heating or as a part of their production process, a disruption would halt operations and affect the heating and comfort of work environments, especially in colder climates.

Communication Breakdown: The loss of phone and cell services would severely disrupt communication, both internally among staff and externally with clients, suppliers, and partners. This could lead to breakdowns in coordination, missed opportunities, and a drop in customer service quality.

Shipping and Logistics Challenges: The inability of shipping companies to operate would disrupt supply chains, leading to shortages of materials and products. This would cascade, causing production delays and potentially leading to financial losses.

Food Service Disruptions: If restaurants and food services cannot operate, it could affect food availability for employees, especially for businesses that rely on nearby food services for staff meals.

Manufacturing Disruptions: Manufacturing operations would be severely impacted, especially those reliant on continuous processes. This could lead to significant financial losses and contractual penalties.

Financial Impact: The cumulative effect of these disruptions would be substantial financial losses due to halted operations, spoiled goods, contractual penalties, and loss of business opportunities.

Unusable Work Environment: Inability to see or work due to power outages, coupled with extreme hot or cold conditions, would affect productivity.

Employee Safety and Morale: The safety and morale of employees would be significantly affected. Companies may face challenges in maintaining workforce engagement and productivity during such crises.

Employee Prioritization of Family Needs: With schools closing and potential dangers at home, employees would naturally prioritize the safety and well-being of their families. This would result in increased absenteeism and a significant decrease in workforce availability.

Dependency on External Aid: Companies would be heavily reliant on external assistance, whether from government aid, emergency services, or community support, to navigate through the crisis.

Long-Term Recovery Challenges: Even after services are restored, businesses would face challenges in resuming operations, managing backlogs, and dealing with the financial and operational aftermath.

Challenges You and Your Employees May Face in Personal Life

And just as important, how will you support your workers as they face the challenges at home with their immediate and extended families? How will you take care of your family? Here are some of the challenges that company leaders can consider to help employee well-being:

Food Supply Issues: The lack of electricity would lead to food spoilage at stores and homes, creating a food scarcity crisis. Companies should consider ways to support their employees with necessities in such scenarios.

Cooking and Sanitation Challenges: Without electricity or gas, cooking would become a significant challenge. Lack of water would also impact basic sanitation, including dishwashing and toilet flushing.

Automobile Fuel Shortage: Fuel pumps would cease to function without electricity, leading to a fuel shortage. This would impact employees’ ability to commute, further reducing workforce availability and potentially halting any operations involving transportation. Work from home is not an option when Internet connections are down.

Increase in Crime: A breakdown in public services could lead to increased theft and other crimes, as law enforcement may be overstretched or focused on their own families’ safety. Companies must enhance their security measures to protect their assets and personnel.

Hygiene and Health Concerns: The lack of water and proper sanitation facilities could lead to hygiene issues and the spread of diseases. This would have a direct impact on employee health and absenteeism.

Inadequate Healthcare Services: Healthcare facilities might be overwhelmed or incapacitated, limiting access to medical services. This could exacerbate health issues among employees and their families.

Payment and Transaction Challenges: With credit card machines down, transactions must be conducted in cash, a medium that might become scarce. This would affect both personal transactions and business operations.

Lack of Resilience and Knowledge: Most people are accustomed to modern infrastructure and might not be resilient to such a drastic change. This could lead to widespread panic and confusion, affecting mental health and the ability to cope with the situation.

Influx of Refugees: Should your area maintain functional infrastructure, expect an influx of refugees from impacted zones. This could stretch your community’s resources thinner, intensifying issues like food scarcity, healthcare access, and public safety.

Steps to Take:

Be sure to see the article about ways to make your organization more resilient https://fosterinstitute.com/executive-guide-to-navigating-power-internet-and-infrastructure-disruptions/

Conclusion:

The ramifications of a disruption in a nation’s infrastructure extend far beyond the workplace, affecting every aspect of employees’ lives and, by extension, the overall resilience of the business. Leaders must, therefore, not only focus on fortifying their operational infrastructures but also invest in strategies that support their workforce in times of crisis.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Consequences of Infrastructure Disruptions: A Realistic Assessment for Business Leaders appeared first on Foster Institute.

Envisioning the Business Impact: Understanding the potential consequences of an infrastructure attack is critical. This includes being aware of how a loss of electricity or water supply, communication breakdowns, or disruptions in shipping and logistics can impact your business. It’s not about anticipating doom; it’s about recognizing and planning for possible business interruptions.

Interrupted Cloud Connectivity: In this digital age, many companies have transitioned to cloud-based operations. It’s crucial to acknowledge that while cloud services offer tremendous benefits, they also present unique challenges, especially in scenarios of power failures and internet outages. Be sure your business continuity and disaster recovery plans consider periods of limited or no access to cloud services, including critical functions like email.

Emergency Communication Plan: Diversification in communication methods is key. Developing a plan that extends beyond digital and cellular networks can ensure continuous operations. Alternatives like two-way radios, messengers, and satellite phones for key personnel are not just about crisis management, but about maintaining uninterrupted communication channels under various circumstances.

Financial Resilience: Financial strategies that encompass scenarios like cash-based transactions and alternative payroll methods demonstrate foresight in financial planning. It’s about ensuring that your business remains operational and your employees are taken care of, regardless of the situation.

Supply Chain Resilience: In the face of fuel shortages and electricity disruptions, rethinking your supply chain is vital. Local sourcing can reduce dependence on long-distance transport, while increasing buffer stocks of key materials ensures consistent supply flow. Adapting to manual or low-tech inventory management maintains operational continuity when digital systems fail. This strategy is not just about responding to crises; it’s about proactively creating a robust and flexible supply network for any situation.

Employee Support and Training: In any challenging situation, the well-being of your workforce is paramount. Educating employees on fundamental resilience skills and establishing support systems for essentials like food and water are not only about disaster readiness but also about nurturing a strong and supportive corporate culture.

Regular Drills and Plan Updates: Engaging in routine exercises to test and update disaster recovery plans is not just about remaining resilient in worst-case scenarios. It’s about ensuring that your team is ready and efficient in any form of business interruption, maintaining agility and responsiveness.

Supporting Employees in Crisis: In any significant disruption, employees will prioritize their families’ needs. Acknowledging and planning for this – through support in food supply, healthcare, and security – is an integral part of maintaining a resilient workforce. The support you provide will encourage employees to remain engaged and productive at your organization during challenging times.

Conclusion:

This article offers essential insights to help your business thrive amidst a wide spectrum of operational challenges. Please forward this to your friends so they can increase their organization’s resilience too.

Comprehensive List of What to Expect:

https://fosterinstitute.com/consequences-of-infrastructure-disruptions-a-realistic-assessment-for-business-leaders/

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Executive Guide to Navigating Power, Internet, and Infrastructure Disruptions appeared first on Foster Institute.

To combat this, Apple’s iOS 17.3 introduces “Stolen Device Protection”. Here’s why activating it is crucial:

1. Face ID/Touch ID Requirement: Your iPhone will require your Face ID or Touch ID to turn off lost mode or erase the phone.
2. Time-Delay Security: Changes to your Apple ID password, iPhone passcode, and key settings now have a one-hour delay.

Settings for Theft Protection:

• Quick Tip to find specific settings: Open Settings, swipe down slightly, and use the search box that appears at the top. You will find all of the settings in bold text by searching in Settings:
• Software Update: iOS 17.3 enables Stolen Device Protection.*
• Backup: Check your backup status by searching for Backup in Settings.
• Use Face ID or Touch ID so potential thieves won’t see you enter your passcode.
• Activate Stolen Device Protection:This is the new setting that spurred me to write this blog for you
  
• Ensure “Find My” is enabled on Apple devices. Use iCloud.com/find or the Find My app to be sure tracking works.

Other Essential Steps:

• Have alternate login methods for resetting passwords for apps and websites that use multi-factor and two-step logins.
• If you use authentication apps, ensure you configure ways to generate codes or recover keys if you lose or erase your phone.

If Your Phone is Stolen:

• Act Fast: Use iCloud.com/find or the Find My app to enable “lost mode” and track your phone.
• Consider Carrier Notification: They can disable phone calls and cellular data but might limit Find My functionality.
• Device Erasure: If you have backups, and ways to recover keys in authentication apps, use Find My to erase your device to help prevent data access.
• Password Resets: If not erasing your phone, consider resetting passwords for critical accounts if passwords are stored on the phone or if apps login automatically.

As always, threat actors will seek ways to bypass this protection. As of now, this feature is a huge leap forward to protect an iPhone and iPad from thieves who see the passcode. Congratulations, and thank you, Apple!

*If your phone or tablet is too old to update to iOS version 17.3 or newer, see https://fosterinstitute.com/be-prepared-know-the-impact-of-iphone-theft-and-what-to-do-right-now/. for recommendations.

Note: Testing the Stolen Device Protection feature at home may not work, as Apple devices might waive the strict requirements in familiar locations like home or work. You can read all of the details about Apple Stolen Device Protection for iPhone here: https://support.apple.com/en-us/HT212510

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Safeguard Your Apple iPhones and iPads: Activate the Latest Theft Protection Setting Now! appeared first on Foster Institute.

SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are known to discredit their organization. Clearly, attackers see them as valuable enough to use as an infection vector.

This is called a supply chain attack because bad actors use a trusted product in an organization’s supply chain to attack the organization. A similar well-publicized attack happened with a popular tool, with many benefits, called CCleaner. The attackers successfully compromised 2.3 Million PCs.

The CCleaner supply chain attack is an illustration of dwell time. Attackers waited five months from the time they gained access to CCleaner before they launched the attack on CCleaner users. Many computers were safe, but not 2.3 Million of them.

Remember: Just because your organization fixes a vector through which the infection came does not eliminate damage already done. As an analogy, if you were the king or queen of a castle, and you found that attackers entered your castle walls to attack your city, raising the bridge over your moat does not eliminate the attackers who already made it inside.

Supply chain attacks are one of many reasons to eliminate as much software as possible at your organization. If a program is not essential, remove it asap. SolarWinds is vital for many organizations.

Please forward this to your friends so they can alert their IT departments to address this situation, and know to remove all non-essential software from all computers.

The post Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks appeared first on Foster Institute.

When another family member shares a work-from-home computer, it magnifies your risk exponentially. If users already work from home using personal home computers, there are potentially cost-free steps to help protect your organization. Consider allowing them to take their work computer home. If their work computer doesn’t have wireless access, you can provide an inexpensive USB wireless adapter.

Allow your IT professionals, or IT consultants, to monitor and maintain the security of those computers. Many protection tools support remote users, so you might already have what you need.

Dedicated work computers must remain off-limits to other family members. Set a firm boundary that your workers are not authorized to use the computers for any purpose other than working.

Please forward this to your friends, so they know this cost-free way to help protect work-from-home users.

The post One Nine-Year-Old Checking her Email can Breach Your Entire Organization, and How to Protect Yourself appeared first on Foster Institute.

Believing that small to mid-size businesses are not targets helps business owners and executives sleep better at night. The thought is comforting.

However, the reality is that instead of choosing targets based on organization size, the majority of attackers choose soft, easy to breach, targets. In particular, that category includes work-from-home computers.

In our consulting business, we’re seeing many firms suffer major breaches that originate at an unsuspecting work-from-home user’s computer.

Please forward this to your friends so they know that it may feel comforting to believe attackers only go after the big companies, that belief is putting their organization at tremendous risk.

The post Be Smart and Avoid This Comforting Belief appeared first on Foster Institute.

You’ll make your computer less attractive to attackers, and it limits the window during which they can attack. You have nothing to lose, and you might even reduce your power bill!

Please forward this to all of your friends, so they know this simple step to protect themselves.

The post Power Down to Boost Security appeared first on Foster Institute.

I’m in San Francisco right now at the RSA cybersecurity conference. Hand sanitizer is everywhere, and people are using it.

Italy shut down some towns. There is a possibility, however remote, and perhaps not for months, that US cities might shut down too. Prepare for the potential impact on your organization. For example, if schools shut down, will some of your workers, including IT team members, be unable to come into work because they need to stay at home to watch their youngsters?

Make sure all of your network users can work from home concurrently. Your IT team might need to increase the capacity of your servers to handle the additional workload. Can your workers use their phones to conduct business remotely? Does your IT team need to set up remote VoIP phone clients? Are IT team members cross-trained to be able to cover other workers’ duties? Does everyone know who to contact at your company for the most current information?

Even if your workers can work, they will put the safety of their families first. When Italy shut down some towns, the grocery stores ran out of food and supplies quickly. Encourage workers to stock up on food and products they usually buy, including non-perishables. They need to have enough medications. Once their family is taken care of first, then your workers can devote attention to work.

Prepare for loss of, or delays in, sales and income. Develop contingency plans. Would the loss of one of your primary suppliers devastate your business? Are you prepared if some essential piece of machinery, or network server, needs repair and you cannot get spare parts? Assign someone or develop a team at your company to focus on the risks and develop contingency plans. Remember IT.

Warn your workers that there will be an increase in spam and phishing as bad actors prey on their worries of the virus. They must be vigilant to spam and fake news.

For more information, Homeland Security offers suggestions at ready.gov/business/implementation/IT CDC provides a useful document at CDC.gov/flu/pandemic-resources/pdf/businesschecklist.pdf

Notice signs of things to come including a potential reaction to the virus. The falling stock market is a sign, Italy closing cities is a sign, and San Francisco declaring a state of emergency is a sign. Prepare now in case things start happening rapidly.

Please forward this to your friends so they can prepare their organizations for possible public panic and quarantines over Coronavirus.

The post Prepare Your Organization for a Reaction to Coronavirus appeared first on Foster Institute.