Voice technology is everywhere. From Amazon, Apple, Google, Microsoft, Samsung and others, Virtual Assistants (VAs) have found a way to sneak into our pockets, homes and workplaces. Designed initially as a domestic productivity tool, they enabled us to perform everyday tasks more quickly and with less attention. VAs are powered by natural language processing and were handling 40% of all searches by 2019. However, at a time where businesses are beginning to use VAs to improve their performance, have we considered the risks these devices could introduce to our organisations?

Becoming the new normal 

When Gartner first predicted in 2019 that 25% of workers would use a virtual employee assistant daily by 2021, only less than 2 per cent of businesses worldwide had already incorporated them into their processes. 

Virtual assistants (VAs) are an example of machine learning in action. Devices that with the help of artificial intelligence use data to learn from, rather than relying on explicit programming instructions on what to think and do with the data gathered. Whenever we make a request of an assistant like Alexa or Siri, the microphone on the device we are using records our commands. These recordings are sent over the internet to the cloud to be processed. When talking to Alexa, the recording is sent to Alexa Voice Services (AVS). This cloud-based service reviews the recording and interprets your request. Then, the system sends a relevant response back to the device. 

Not the most discreet assistant 

Just like fingerprints and eye scans, voice can be used as an individual signature that authenticates the identity of its owner with a less margin of error. As a service heavily reliant on voice and listening to conversations, user privacy is not always guaranteed.

When smart speakers went into the market, we failed to realise that our devices would not only record and process our requested commands but everything they heard when the mic was switched on, to perform wake-up or keyword detection and improve user-experience by minimising false positive and false negative activations. 

It’s crazy to think of our speakers inconspicuously listening and recording everything that goes on in our homes, let alone our offices. In 2018, an Amazon Echo device recorded a private conversation between a woman in Portland, Oregon and her husband and sent it to a random number in their address book without their permission. Think of the damage a similar incident could cause to your business.

Let’s say you are having a meeting about your company’s latest revolutionary product, which is yet to launch. The details have been kept hidden from the public and your competitors. The details get intercepted from your office’ smart device and sold to the highest bidder. Or your client is dictating confidential information whilst you file a form. The conversation gets recorded and leaked, ruining your organisation’s reputation and ultimately leaving you facing costly legal proceedings. 

Voice assistants leave us vulnerable to the web-based companies that provide them and cybercriminals alike, as we give them access to a staggering amount of incredibly valuable insight (which for companies like Amazon or Google, could be used for marketing databases and targeted advertisements). 

Hidden in plain sight

But the risks that VAs pose go further than just recording our conversations. Researchers from the University of Cambridge demonstrated how smart speakers could be used to decode text, passwords and PINs by listening to our virtual keyboard taps. Sound recordings of the device were inputted into a computer for analysis and they found that the vibrations and taps from the typing could be used to guess a five-digit passcode. The closer to the device, the easier it was to decipher what was being typed. 

As scary as the sound of having your passwords decrypted with the help of our voice assistants, to obtain this information the researchers needed to physically tamper with the device to get access to the mic. Nevertheless, in a world where technology and devices are being updated rapidly, we still need to be aware of the vulnerabilities that these devices are exposed to.  

Although companies like Amazon and Google have minimised data exposure to third-party apps, that’s not to say that other providers wouldn’t give them access to our sound inputs to achieve an extension of the tasks that these devices will be able to perform. An attacker could easily install a malicious skill on our smart speakers using a third-party app and gain direct access to our microphone. So how can we protect our businesses?

Private enterprise virtual assistants to the rescue 

The only way businesses can ensure privacy and prevent hacks from happening is to run their own separate AI-based voice assistant with enterprise-grade admin controls. This system would use the necessary voice recognition and biometrics to make sure that only the people within the organisation that had the relevant authorisation could access information. Using a two-factor authentication combining an identifier with a voice sample indication that would be easy to execute and hard for cybercriminals to solve. End-to-end encryption would be included to enhance data privacy on the voice-assisted use of several different tasks. 

Bespoke enterprise assistants would have the ability to be customised to comply with data protection relevant to your business and would eliminate web companies as service providers. Protecting your data from being exploited by private virtual assistants for their retargeting purposes. 

However, for most businesses, we still have a long way to go before we will be able to incorporate such complex systems into our workplaces. That’s why services such as Alexa for Business might be the option to use in the meantime if we do weigh in the risks that introducing virtual assistants could present.

Virtual assistants included in our risk management processes 

If businesses want to manage the virtual assistant-related risks in a secure, vigilant and resilient manner, they need to analyse their risk profile through the components of their risk management framework. Virtual assistants could pose a varied level of risks within the organisation and applying the right enterprise risk management (ERM) processes will support the entire organisation in reviewing and identifying where those risks could be present.  

Also, as we are faced with the progress of virtual assistants and other artificial intelligence, as risk managers we need to add a level of broad digital understanding to our skills. This will give us the tools to work with the technical subject experts in a multi-disciplinary team, allow us to understand the enterprise risk implications and help us communicate these issues with senior management. Not only will it help us to prepare for a damaging event, but it will also help us explore the potential value of virtual assistants for risk management tasks.