
Five Chatbot Security Measures You Can Implement In-House

Most of us are familiar with chatbots, those robotic chat features that pop up on websites to answer questions or solve problems or sometimes just annoy us.

The use of chatbots can help both public agencies and private businesses reduce customer service expenses and sales cycles by handling many common questions not requiring live agents. Many chatbots can also screen and filter incoming inquiries, handle the simple, and route the more complex to live representatives.

However, as chatbots continue to proliferate, they have become increasingly attractive targets for e-skimming and other hacks. System administrators and network managers can add in-house security around their chatbot applications using five existing tools and protocols.

The Magic of Artificial Intelligence

Chatbots use artificial intelligence to provide faster, better user service

Although some early-generation, rule-based chatbots are still in use, most chatbot platforms today employ artificial intelligence to enable fast, accurate answers or solutions to common, and not-so-common, questions and issues.

Through a chat application interface, an AI chatbot can be designed to simulate conversations, answer questions, and perform simple tasks in attempting to solve customer problems.

Using Natural Language Processing, artificial intelligence-based chatbots are able to understand conversational content and respond accordingly.

And by using Machine Learning, AI chatbots continue to learn as they communicate with human users. This enables them to improve customer service, speed sales, and add increasing value to the business.

Many times, it’s difficult to discern whether you are engaging with an AI chatbot or a live agent. Magic!

Major Industries Using Chatbots

Virtually any industry can employ a chatbot application on its website, e-commerce page, or customer service site. However, several specific industries have enthusiastically adopted this technology to speed sales and service. Among them are e-tail or online sales, real estate sales, healthcare services, and banking services.

E-Commerce. With the pandemic causing businesses to shift employees out of company offices to work at home, and to furlough others, millions of Americans have been isolated at home for a year or more. Online B2B and B2C sales have skyrocketed. Conventional sales support, such as phone calls and emails, has been severely challenged to meet demand. E-commerce chatbots have enabled e-tailers to shorten sales cycles, grow sales, and bank their income faster. AI chatbots also support international sales since language is no barrier.

Real Estate. The pandemic also seems to have generated a real estate boom. Smart realtors are differentiating their services by using chatbots on their websites to answer prospective homebuyers’ questions and provide other information on a 24/7 basis, at the potential buyers’ convenience. Chatbots enable potential buyers to learn about local amenities, school districts, and open house events, and to schedule viewing appointments.

Healthcare. Medical chatbots are useful in streamlining admissions, accepting documents, and sending and receiving referrals. AI chatbots can alert patients to prescription refills, update records with patient medical history, share accurate information with a patient about a specific disease, and advise of doctor or facility availability, among other uses.

Financial Services. Chatbots enable bank customers to transfer funds, verify loan status, check CD and interest rates, locate ATMs, and much more. And with chatbots available 24/7, banking can be conducted night or day as easily as sending a text.

Other Industry Users. AI chatbots are also used in human resources, educational institutions, and the travel and hospitality industries.

The number of chats grew 25% between 2018 and 2019. An informal survey of business and consumer websites indicates that chatbot proliferation is ongoing, with an estimated 80% of enterprises using chatbots in 2020. Many believe that, during the pandemic-driven spike in online shopping, the number of chatbots offered on websites may be even higher.

Collecting User Data via Chat

Chats begin by requiring basic personal information

Central to the use of chatbots is the collection of user data. Generally, first and last name, email address, and phone number are required to engage the chatbot and open the conversation.

Account numbers and product or model numbers may be required.

As the chat proceeds, more information is shared in order to answer the question or solve the problem.

In the case of a consumer sales chatbot, potential buyers may be asked for their sizes, heights, or weights, color preferences, price ranges, and intended use. For example, is the item for an upcoming pleasure trip? An after-market addition to a vehicle? A gift for a birthday or anniversary? It’s possible that a considerable amount of personal information may be exchanged during sales consultation with the AI chatbot.

In a customer service scenario, details may be requested about the equipment or service at issue, how it is being used, in what circumstances it is causing problems, or what appears to be wrong with it. Think of the information you’d share in a phone call to customer service, and you can imagine the information you may need to share in a chat.

Phone Call vs. Chat

Phone calls to customer service can have queue waiting times of one to 10 minutes. The average wait time in 2019 was 4 minutes and 17 seconds, according to a LiveChat Customer Service Report. This is one of several reasons for the growing popularity of chatbots among businesses and their customers: the delivery of faster service.

The upside to phone sales and service is that phone calls are typically more secure than online chatting. How do we know if our online ‘conversation’ with an AI chatbot is secure? Is chatbot security even possible?

No Current Security Standards for AI Chatbots

Websites proclaim their SSL security with “https:” at the beginning of their URLs. This lets site visitors know that Secure Sockets Layer (SSL) or, on modern sites, Transport Layer Security (TLS) is on the job and that the connection between their browser and the website is encrypted.

E-payment applications feature padlock or shield icons to assure visitors their credit card and personal data are safe online.

At present, there is no such security flag for chatbots. The choice is between using the chatbot, or not. Conceivably, a hacker could hijack a legitimate chatbot application or chat session and siphon off user data with no one being the wiser. Most users who opt to engage the chatbot simply trust the chatbot because they trust the website. In the cybersecurity industry, trust has never been a security safeguard.

Pressures to Improve Chatbot Security

As the business demand for chatbots continues to grow, the supply side – those organizations responsible for developing and refining the underlying chatbot platforms – is under increasing pressure to secure their platform infrastructures and provide some standard flag or identifier indicating they are secure.  

As this progress continues, on the demand side business and agency system administrators and network managers can take steps to secure the application as well as the data it collects, both in transit and at rest – in much the same way they have secured their organization's websites and networks.

Five In-House Measures for Chatbot Security

System administrators and network managers should consider the following five security measures to safeguard shared data and protect their customers, potential buyers of products or services, employees, investors, or others visiting the company or agency website and using the chatbot application.

Website SSL/TLS security

One of the fundamental security safeguards for websites also aids in chatbot security. The use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is often denoted by the appearance of HTTPS at the beginning of a website URL. This indicates that a security certificate is in place and the website is secured against unauthorized access. Data moves through an encrypted connection that cannot be read or tampered with in transit by individuals, devices, or applications sitting between the browser and the server. Transparent to the end-user, the content of the chat is decrypted at each end using the negotiated cryptographic algorithms.

Before securing website connections became a de facto requirement, Hypertext Transfer Protocol (HTTP, without the S) was an accepted, although not secure, standard.
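The practical side of this measure is making sure the chatbot endpoint is never reachable in the clear. The following is an added example, not code from the original post, written for a Node.js backend: it redirects plain-HTTP requests to HTTPS, emits an HSTS header only on secure responses, and refuses a chat-widget endpoint that is not `https`/`wss`. The minimal request shape (`protocol`, `host`, `path`, `headers`), the `trustProxy` option and the one-year HSTS lifetime are assumptions for illustration; the `X-Forwarded-Proto` handling reflects the common case where TLS terminates at a load balancer and the application itself only sees HTTP.

```javascript
// Added example: enforce HTTPS for a chatbot endpoint (not from the original post).
// Assumes a Node.js backend that may sit behind a TLS-terminating reverse proxy.

const HSTS_MAX_AGE = 31536000; // one year, in seconds (assumed policy)

// Decide whether an incoming request is served or redirected.
// req is a minimal request object constructed for this example:
// { protocol, host, path, headers } rather than a real framework object.
function enforceHttps(req, { trustProxy = false } = {}) {
  const headers = req.headers || {};
  let proto = String(req.protocol || '').toLowerCase();

  // Only honour X-Forwarded-Proto when the operator explicitly trusts the
  // proxy; otherwise any client could set the header and skip the redirect.
  if (trustProxy && headers['x-forwarded-proto']) {
    proto = String(headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
  }

  if (proto !== 'https') {
    return {
      action: 'redirect',
      status: 301,
      location: `https://${req.host}${req.path}`,
    };
  }

  // HSTS is only meaningful (and only honoured by browsers) over HTTPS,
  // so it is set on the secure response, never on the redirect.
  return {
    action: 'serve',
    headers: {
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
    },
  };
}

// Chat widgets usually open a WebSocket or API connection to a configured
// endpoint; reject any configuration that would carry the chat in clear text.
function assertSecureChatEndpoint(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:' && u.protocol !== 'wss:') {
    throw new Error(`chat endpoint must use https or wss, got ${u.protocol}`);
  }
  return u.href;
}

module.exports = { enforceHttps, assertSecureChatEndpoint, HSTS_MAX_AGE };
```

Run it in front of the chat route: a redirect response is returned for HTTP, and the HSTS header is added on the HTTPS path. Leave `trustProxy` off unless the application is reachable only through the proxy that sets the header.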

Data encryption

The use of end-to-end encryption to protect data in motion and at rest is a cornerstone of the cybersecurity and information security disciplines. End-to-end encryption (E2EE in shorthand) secures communication between two parties by encrypting the data so that only the two ends are able to see the information. These may be the sender and recipient, or the user and the chatbot.

Encryption prevents hackers or other unauthorized users from being able to view data if they are wandering around your network or website uninvited. It also prevents them from being able to view and use the data if they manage to exfiltrate it in a data breach.

Many regulations either require or recommend data encryption as part of an overall security program. The Gramm-Leach-Bliley Act (GLBA), governing the financial services industry in order to protect personal and institutional financial data, is just one of them.

Access controls

Anytime a user interacts with a company’s protected applications, user identity verification is vital. Requiring the user to log on to the application with a username and password helps to secure the chat session, and the use of a security token throughout the chat session adds further protection.

Setting a session time limit is also recommended. A pre-set time-out will automatically close the chat session if the user walks away from their computer, takes a call on their cell phone, or otherwise leaves the chat.

Additional security for chat sessions can be added with two-factor or multi-factor authentication. TurboTax by Intuit is one of the numerous security-conscious websites requiring chat users to verify their identity by entering a code that has been sent to them in a text, email, or phone call from the application.

Message self-destruction

Self-destructing messages enhance chatbot security

Chats with chatbots are typically short and are ended once the purpose of the chat has been achieved to the user’s satisfaction. To protect any personally identifiable information from lingering online beyond its purpose, every chat should be erased promptly. Administrators can set time limits on how long chats remain intact before self-destructing. It’s similar to the instructional tape programmed to self-destruct on the original Mission: Impossible.

Numerous regulations prohibit personal data from being retained or stored unless absolutely necessary. The Payment Card Industry Data Security Standard (PCI DSS) has such provisions, as does the General Data Protection Regulation (GDPR) governing data protection and privacy in the European Union and EEA.
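A retention window enforced by the application is what makes the "self-destruct" happen. The following is an added example, not code from the original post, of an in-memory chat store for a Node.js backend in which every session carries an expiry, closing a chat shortens that expiry, contact details can be handed to a CRM handler and dropped from the chat record, and a purge sweep deletes whatever has expired. The one-day default window, the fifteen-minute grace period after a chat closes, and the field names are assumptions; a real deployment would back the store with a database and run the purge as a scheduled job.

```javascript
// Added example: a chat store whose records self-destruct after a retention
// window (not from the original post). Limits and field names are assumptions.

const DEFAULT_TTL_MS = 24 * 60 * 60 * 1000;  // keep an open chat for at most one day
const CLOSE_GRACE_MS = 15 * 60 * 1000;       // a finished chat lingers 15 minutes

class ChatStore {
  constructor(ttlMs = DEFAULT_TTL_MS) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // sessionId -> { contact, messages, expiresAt }
  }

  // Every session gets an expiry the moment it is created, so a record
  // that is never explicitly closed still disappears.
  open(sessionId, contact, now = Date.now()) {
    this.sessions.set(sessionId, { contact, messages: [], expiresAt: now + this.ttlMs });
  }

  append(sessionId, role, text, now = Date.now()) {
    const s = this.sessions.get(sessionId);
    if (!s) throw new Error('unknown session');
    s.messages.push({ role, text, at: now });
  }

  // Ending a chat starts a shorter fuse: the conversation has served its
  // purpose, so it should not survive the full retention window.
  close(sessionId, now = Date.now(), graceMs = CLOSE_GRACE_MS) {
    const s = this.sessions.get(sessionId);
    if (s) s.expiresAt = Math.min(s.expiresAt, now + graceMs);
  }

  // Hand contact details to the CRM/lead handler, then remove them from the
  // chat record so the chatbot application no longer holds them.
  offloadContact(sessionId, crmHandler) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.contact) return false;
    crmHandler({ sessionId, ...s.contact });
    s.contact = null;
    return true;
  }

  // Delete every session whose retention window has passed. Returns the
  // count so a scheduled job can log what it removed.
  purgeExpired(now = Date.now()) {
    let purged = 0;
    for (const [id, s] of this.sessions) {
      if (now >= s.expiresAt) {
        this.sessions.delete(id);
        purged += 1;
      }
    }
    return purged;
  }

  has(sessionId) { return this.sessions.has(sessionId); }

  contact(sessionId) {
    const s = this.sessions.get(sessionId);
    return s ? s.contact : null;
  }

  transcript(sessionId) {
    const s = this.sessions.get(sessionId);
    return s ? s.messages.map((m) => `${m.role}: ${m.text}`) : null;
  }
}

module.exports = { ChatStore, DEFAULT_TTL_MS, CLOSE_GRACE_MS };
```

Call `purgeExpired()` from a timer or cron job; because the expiry is stored with the record rather than computed from a separate "last seen" table, the sweep needs no state beyond the store itself.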

Behavioral analytics

Behavioral analytics is another security safeguard that is still gaining traction in the information security discipline, although it has gained wide acceptance in other fields in recent years. Applications that analyze user behavior patterns can provide insights, based on unusual behavior or anomalies, that may indicate the presence of hackers or other security threats. The science of data analytics holds tremendous promise for system, network, and website security in the near future.
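As a concrete illustration of what "unusual behavior or anomalies" can mean for a chatbot, here is an added example, not code from the original post, that runs a small behavioral-analytics pass over chat session logs. It parses a constructed log (one line per event: timestamp, session id, event type, optional `account=` field), derives two per-session features (messages per minute and the number of distinct account numbers mentioned), and flags sessions that deviate from the median of all sessions by more than a threshold of median absolute deviations. The log format, the features and the 3.5 threshold are assumptions of this example; a production system would learn its baselines from far more history and many more signals.

```javascript
// Added example: flagging anomalous chat sessions from logs (not from the
// original post). Log format, features and threshold are assumptions.

// Constructed sample log: "timestamp session event [key=value ...]".
// Sessions s1..s3 are ordinary; s9 fires six messages in six seconds,
// each naming a different account number.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z s1 msg account=1001
2024-05-01T10:00:40Z s1 msg
2024-05-01T10:01:30Z s1 msg
2024-05-01T10:02:10Z s1 end
2024-05-01T10:05:00Z s2 msg account=1002
2024-05-01T10:05:50Z s2 msg
2024-05-01T10:06:45Z s2 end
2024-05-01T10:10:00Z s3 msg account=1003
2024-05-01T10:10:30Z s3 msg
2024-05-01T10:11:20Z s3 end
2024-05-01T11:00:00Z s9 msg account=2001
2024-05-01T11:00:01Z s9 msg account=2002
2024-05-01T11:00:02Z s9 msg account=2003
2024-05-01T11:00:03Z s9 msg account=2004
2024-05-01T11:00:04Z s9 msg account=2005
2024-05-01T11:00:05Z s9 msg account=2006
2024-05-01T11:00:06Z s9 end
`.trim();

// Group log lines into per-session aggregates.
function parseLog(text) {
  const sessions = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const [ts, sid, event, ...kvs] = line.split(/\s+/);
    const at = Date.parse(ts);
    if (!sessions.has(sid)) sessions.set(sid, { sid, start: at, end: at, msgs: 0, accounts: new Set() });
    const s = sessions.get(sid);
    s.start = Math.min(s.start, at);
    s.end = Math.max(s.end, at);
    if (event === 'msg') s.msgs += 1;
    for (const kv of kvs) {
      const [k, v] = kv.split('=');
      if (k === 'account' && v) s.accounts.add(v);
    }
  }
  return [...sessions.values()];
}

// Per-session features. Duration is floored at one second so a single-line
// session does not divide by zero.
function features(s) {
  const minutes = Math.max((s.end - s.start) / 60000, 1 / 60);
  return { sid: s.sid, msgsPerMinute: s.msgs / minutes, distinctAccounts: s.accounts.size };
}

function median(xs) {
  const a = [...xs].sort((p, q) => p - q);
  const m = a.length >> 1;
  return a.length % 2 ? a[m] : (a[m - 1] + a[m]) / 2;
}

// Robust score: distance from the median in units of the median absolute
// deviation (MAD). Unlike mean/standard deviation, one extreme session does
// not drag the baseline toward itself. A MAD of zero means every session
// looked identical, so any deviation at all is treated as unusual (noisy on
// tiny samples, but the right default for a security signal).
function robustScores(values) {
  const med = median(values);
  const mad = median(values.map((v) => Math.abs(v - med)));
  return values.map((v) => {
    const dev = Math.abs(v - med);
    if (mad > 0) return dev / mad;
    return dev > 0 ? Infinity : 0;
  });
}

// Returns [{ sid, reasons: [featureName, ...] }] for sessions above threshold.
function findAnomalies(logText, threshold = 3.5) {
  const feats = parseLog(logText).map(features);
  const flagged = new Map();
  for (const name of ['msgsPerMinute', 'distinctAccounts']) {
    const scores = robustScores(feats.map((f) => f[name]));
    scores.forEach((score, i) => {
      if (score > threshold) {
        if (!flagged.has(feats[i].sid)) flagged.set(feats[i].sid, []);
        flagged.get(feats[i].sid).push(name);
      }
    });
  }
  return [...flagged.entries()].map(([sid, reasons]) => ({ sid, reasons }));
}

module.exports = { SAMPLE_LOG, parseLog, features, robustScores, findAnomalies };
```

On the sample log the three human-paced sessions score close to the median on both features, while `s9` is flagged on both: its message rate is two orders of magnitude above the others and it touches six account numbers where every other session touched one. A flagged session is a prompt for review (or for stepping up authentication), not proof of an attack.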

Benefits of AI Chatbots

There is no standard for chatbot security, despite chatbot proliferation

Chatbots deliver substantial savings. Annually, businesses spend billions of dollars servicing millions of live customer requests. The use of chatbots can save up to 30% of customer service costs associated with answering simple questions and solving simple problems. The opportunity to expand chatbot functionality, by creating virtual customer assistants through the use of artificial intelligence, can yield savings of up to 70%, according to Gartner.

Chatbots are useful lead-capturing tools. Research by Boomtown found that 58% of websites offering chatbots were categorized as business-to-business (B2B) versus 42% targeting consumers (B2C). By enabling businesses to capture business and consumer sales leads, including key contact information for each lead, chatbots help drive shorter sales cycles and increase sales.

Note: For security purposes, contact information should be offloaded to a lead spreadsheet or CRM tool and purged from the chatbot application.

Chatbots improve customer service. By serving as first-level support for a company’s service teams, chatbots free live agents to efficiently handle more complex requests.

In 2019, almost 25% of customer service organizations had enabled chatbots to reduce live agent engagement and speed customer service delivery, according to research by Salesforce. And more than 67% of consumers worldwide used a chatbot for customer support in 2019, according to invespcro.com.

Chatbots are widely accepted by users. Almost 75% of individuals prefer to use a chatbot to obtain quick answers to simple questions, rather than placing a phone call or doing a generic internet search, according to retail expert PSFK.com.

Chatbots enhance brand reputations. By offering a visually interactive chat session that proceeds rapidly, chatbots provide a user-friendly experience and quick, convenient user support. This enhances brand reputation and enables companies to build positive relationships with their user communities anywhere in the world.


Many business and agency websites employ chatbots to screen incoming inquiries, handle the simple, and route the more complex to live customer service agents. Chatbots are also used on e-commerce websites to promote sales. The use of chatbots offers important benefits, from cost reduction and improved service to lead capture and brand enhancement.

Currently, there is no security standard in the chatbot industry, and therefore no security icon or certificate denoting a secure chatbot platform. While these industry issues continue to be worked through, system administrators and network managers can add in-house security around their chatbot applications using existing tools and protocols. User access controls, end-to-end encryption, self-destructing messages, session time-outs, and even user behavioral analytics can be employed to secure the sensitive data shared during chats and promote chatbot security for your business.

Research indicates that chatbots are here to stay and that artificial intelligence will continue to make them more human-like and more useful. Just don’t name your chatbot Hal.


Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
