DeepSeek has quickly captured the world’s attention, recently surpassing ChatGPT as the most downloaded free app in Apple's App Store.
While its low cost, advanced capabilities, and open-source approach are attracting users, organizations must understand the security implications of employees using DeepSeek.
Critical security concerns
For good reason, organizations and governments worldwide are scrambling to ban DeepSeek due to growing security concerns. Congress has banned it. So has the US Navy. Italy has also blocked DeepSeek though, once upon a time they banned ChatGPT, too.
Let’s break down the causes for concern.
Data processing in China
- DeepSeek processes user prompts on servers located in China according to their privacy policy
- However, developers can host DeepSeek local instances on servers that are walled off from the Chinese mother ship
- All data is subject to Chinese data privacy laws and regulations
- Organizations must consider compliance implications with U.S. regulatory requirements
Shadow AI risks
- Employees may download and use DeepSeek without organizational approval
- Traditional corporate bans on AI tools have proven difficult to enforce
- Sensitive company information could be inadvertently shared through casual conversations
Unlike TikTok or Huawei, the open-source nature presents different security challenges. What’s more, because of its low cost to train and run, cybercriminals can use DeepSeek to launch massive campaigns more efficiently.
Risk mitigation strategies
DeepSeek won’t be the last shadow AI app you have to worry about. So what steps can you take to ensure you can discover and stop shadow AI apps from inhaling your corporate secrets?
Immediate actions
1. Develop clear AI policies
- Create clear guidelines about approved AI tools
- Establish protocols for handling sensitive information
- Define consequences for unauthorized AI tool usage
2. Offer secure alternatives
- Consider building isolated instances using DeepSeek's open-source code
- Evaluate enterprise-grade AI solutions with proper security controls
- Implement walled-off versions that don't connect to external servers
3. Employee education
- Raising awareness about data security risks
- Providing clear alternatives to unauthorized AI tools
- Explaining the implications of sharing sensitive information with AI models
Using Varonis to discover and block DeepSeek
- Varonis can help you discover and classify sensitive data and implement least privilege in order to minimize your potential exposure to DeepSeek and other risky AI tools
- Varonis’s for Network can help by detecting DeepSeek usage with DNS and web proxy monitoring
- Varonis’ SSPM functionality detects and automatically removes shadow DeepSeek apps and plugins that users have integrated into your sanctioned SaaS apps without IT approval
- We’ll show you which users installed DeepSeek apps, when, what permissions have been granted, and what actions were performed
- Varonis can discover and classify files, source code, emails, etc. that relate to DeepSeek to uncover rogue developers or eager employees downloading and testing the code
Looking Forward
While DeepSeek's capabilities are impressive, organizations must carefully weigh the benefits against the security risks. The open-source nature of DeepSeek's code offers both opportunities and challenges:
Opportunities:
- Organizations can inspect the model weights and training code
- Possibility to build secure, isolated implementations
- Transparency in how the model operates
Challenges:
- Increased vulnerability to targeted attacks
- Potential for malicious use
- Compliance concerns with data privacy regulations
Learn more about DeepSeek with Varonis Matt Radolec and David Gibson on a special episode of State of Cybercrime.
Conclusion
While DeepSeek represents significant technological advancement, organizations must approach its use with caution.
The combination of Chinese data sovereignty requirements, open-source vulnerabilities, and potential for shadow AI usage creates a complex security challenge that requires careful consideration and proactive management.
This security advisory will be updated as new information becomes available about DeepSeek's security implications and best practices for enterprise use.
