ChatGPT as amplifier for cyberattacks? Strategies for organizational resilience

Recently, the Handelsblatt published an article emphasizing the potential dangers of ChatGPT being used by hackers. With advanced language models, hackers could systematically generate individualized conversations that imitate a service hotline or simulate a conversation with a boss. In these conversations, hackers can attempt to obtain credit card information or persuade users to make payments. If this topic seems new to you and this article is the first to alert you to it, you may have completely underestimated the dilemma of phishing attacks and their significance.

What many of us might only associate with simple spam emails is already a major threat to individuals and organizations – especially as messages are increasingly mass-customized. This degree of systematic customization through large language models is where the supposedly new threat lies. Better conversations can lead to users being deceived even more easily. However, even without ChatGPT, phishing has been relevant for over two decades and causes billions in damage annually.

A supposed email from a boss requesting an urgent payment, or an SMS from a well-known delivery service asking for a surcharge (payable by credit card, of course) for the delivery of an oversized package – if we don't expect these to be cyberattacks, we can easily be caught off guard. These two anecdotal real-life examples from my environment have a common parallel: they exploited the uncertainty of those who were deceived. Particularly for companies, the question arises as to how such attacks can be prevented. The answer: attacks can hardly be prevented, but their potential damage can be significantly mitigated.

In a study published early this year, we focused on employee involvement in cybersecurity. We interviewed various stakeholders in a relatively open IT infrastructure and sought to understand how users can be integrated into the cybersecurity strategy.

Notably, the IT experts and researchers ultimately saw no responsibility on the part of users, because users are outpaced by the technology; the experts emphasized a technical solution. From a legal perspective, the issue was assessed quite differently: the employment contract could imply an obligation for employees to prevent damage to the company, which may also include cyberattacks. The users themselves often hadn't dealt with the topic of cybersecurity at all and desired more information.

Our insight for improving organizational cybersecurity given these various stakeholders: the problem cannot be solved through technical expertise alone; it also requires additional information and a sense of responsibility among employees. But how can managers effectively implement this? Echoing the pervasive diffusion of internet technology, the key is I-O-T: Inform, Organize, Train.

    1. Targeted information - Due to the omnipresence of cyberattacks in media coverage, employees are sensitized to the topic but often cannot connect the risks to their immediate tasks. It is therefore necessary to specifically highlight attack scenarios at their own workplace that employees can easily relate to.

    2. Resilient organizing - If employees fall for a fake email from a supposed boss with an urgent request for a payment, one must wonder why no one became skeptical. Blaming the naïve employee alone overlooks part of the problem: hierarchy tends to be perceived more strongly from below than from the management level. Why is it not categorically excluded that a manager initiates payments via email? Clear rules for communication can help: for certain predefined amounts (e.g., any amount greater than 200€), payment approval has to be discussed in person or via video call. Clear processes, or even time windows that every employee knows, could be established, e.g., no urgent instructions solely via email after 6:00 PM. What sounds simple provides employees with guidance. Employees don't fall for attacks out of stupidity, but because they don't know what to do. Rules that are actually lived provide support and promote healthy skepticism.

    3. Practical training - We tend to overestimate ourselves and misjudge risks, especially when nothing has ever (or only very rarely) happened to us in a familiar situation. Phishing tests and attack simulations can create additional problem awareness, especially for employees in the "it only happens to others!" category.

Cyberattacks cannot be prevented completely. A purely technical solution also does not appear likely in the near term, given the rapid pace of technological development, and additional technical IT knowledge for employees quickly becomes outdated. Especially in the context of language models that can generate lifelike communication, organizational structures must take the challenge seriously and adapt accordingly.

Kim Strunk is Manager at SKAD AG. He supports organizations in IT transformations, software development and data analytics. He holds a PhD from the University of Passau, and his research focuses on human-computer interaction and technology for transforming work. His work is published in leading scholarly journals such as Information Systems Journal, Organization, MIS Quarterly Executive and Computers in Human Behavior.

If you have any further questions, please feel free to reach out to Kim via email at k.strunk@sk-advisory.com.