Recently, the Handelsblatt published an article emphasizing the potential dangers of ChatGPT being used by hackers. By using advanced language models,
hackers could systematically program individualized conversations to imitate a service hotline or simulate a conversation with a boss. Therein hacker can attempt
to obtain credit card information or persuade users to make payments. If this topic appears new to you and you are only alerted by this article, you may
have completely underestimated the dilemma of phishing attacks and their significance.
What many of us might only associate with simple spam emails is already a major threat to individuals and organizations – especially as messages are increasingly mass-customized. This degree of systematic customization through large language models is where the supposedly new threat lies. Better conversations can lead to users being deceived even more easily. However, even without ChatGPT, phishing has been relevant for over two decades and causes billions in damage annually.
An alleged email from a boss requesting an urgent payment or an SMS from a well-known delivery service asking for a surcharge (payable by credit card, of course) for the delivery of an oversized package – if we don't expect these to be cyberattacks, we can easily be caught off guard. These two anecdotal real-life examples from my environment have a common parallel: they exploited the insecurity of those deceived. Particularly for companies, the question arises as to how such attacks can be prevented. The answer: Attacks can hardly be prevented, but their potential damage can be significantly mitigated.
In a study published early this year, we focused on employee involvement in cybersecurity . We interviewed various stakeholders in a relatively open IT infrastructure and sought to understand how users can be integrated into the cybersecurity strategy.
Notably, the statements from IT experts and researchers ultimately saw no responsibility on the part of users, as they are overtaken by technology. The experts emphasized a technical solution. From a legal perspective, the issue was assessed quite differently: The employment contract could imply an obligation for employees to prevent damage to the company, which may also include cyberattacks. The users themselves often hadn't dealt with the topic of cybersecurity at all and often desired more information.
Our insight for improving the organizational cybersecurity given the various stakeholders: The problem cannot be solved solely through technical expertise yet required additional information and a sense of responsibility among employees. But how can managers effectively implement this? In line with the immense diffuses of internet technology, the key is I-O-T : Inform, organize, train.
Cyberattacks cannot be prevented completely. Also, a purely technical solution does not appear immediately likely, given the rapid technological developments, and additional technical IT knowledge for employees is quickly outdated. Especially in the context of language models that can suggest lifelike communication, organizational structures must take the challenge seriously and adapt accordingly.