Here’s a scary reality: cyber criminals are using ChatGPT to up their game. In fact, novices are even using ChatGPT to write malware. Phishing emails? Yes, ChatGPT is writing those too. Cybersecurity experts remind us that “the bad guys” only need to win once to wreak havoc on our businesses, data and accounts.
An Arms Race
In the rush to explore and exploit ChatGPT for competitive business advantages, it’s important to remember that criminals are doing the same. Benefits Pro shares this expert perspective on what’s happening now:
Scott Giordano, general counsel of data loss protection company Spirion, said AI’s greatest strength is its ability to quickly pore over mountains of code to find and exploit weaknesses in a company’s network before a defender can fix it. “That’s the sharpest point that AI has right now. If you’re a bad guy and you’re not using ChatGPT or other LLMs to go and find vulnerabilities, you’re probably not doing your job as a bad guy,” Giordano said. “And the converse is true for the good guys. This is an arms race and both sides need to understand how to use this technology for their side,” he said. The bad guys, Giordano said, currently have the advantage. “They only have to be right once. They only have to trick you once to start exploiting your network,” he said.
It’s likely that cyber criminals are only just scratching the surface of the possibilities of ChatGPT and other LLMs (aka large language models). Cybersecurity expert Mikko Hyppönen warns, “We are now actually starting to see attacks using large language models,” and says he has witnessed a malware writer boasting that “he’d created a ‘completely new virus,’ using OpenAI’s GPT that can create computer code from instructions written in English.” While ChatGPT might catch up with and freeze out malicious users, it’s quite possible that in the near future cybercriminals will be in action with their own LLMs! Sergey Shykevich, lead ChatGPT researcher at cybersecurity company Check Point, notes that he has seen cybercriminals bragging about their use of ChatGPT on the dark web and says:
What’s important is that ChatGPT allows everyone, even those with zero experience in coding, to develop that skill. Maybe in six months or something, it will be able to also create completely sophisticated malware that we’ve never before seen…. Now, it mostly allows people who are not software developers to create malware. That makes the threat higher because at the end of the day there will be more malware criminals in the wild and more malware criminals will try to attack corporations. LLMs also can streamline phishing attacks by composing convincing emails impersonating trusted institutions such as a bank or the Internal Revenue Service.
What’s a Business To Do?
As criminal techniques, and even the pool of would-be criminals, expand, cybersecurity professionals say “companies can combat this by adding AI to their directory of enterprise risks, moving to a zero-trust architecture and training their employees to flag phishing scams or anything else that looks suspicious,” and remind us: “The best cybersecurity measure ever invented is an alert employee….”
Of course it is critical for benefit plan sponsors to be up to speed on the Department of Labor’s Cybersecurity Guidance, which explicitly directs plan sponsors to monitor the cybersecurity protocols of all service providers, put cyber breach response plans in place and adhere closely to all of the other recommended best practices. Plan sponsors will also find it helpful to know that in the United States, overall cybersecurity resilience efforts are led by the Cybersecurity and Infrastructure Security Agency (CISA). Small and midsize businesses that lack the capabilities of larger companies may find CISA’s associated resources especially helpful. Experts further suggest: “Plan sponsors may want to consider creating a rolling calendar via which important topics like cybersecurity and participant data are regularly brought up for internal discussion among key stakeholders including HR, finance, legal, IT and communications.”
The Society of Professional Asset Managers and Recordkeepers (SPARK) is another source of support for benefit plan sponsors. This nonprofit offers many cybersecurity and fraud resources, including a “Plan Sponsor and Advisor Guide to Cybersecurity” on its website. Specifically, SPARK provides a helpful summary, with examples, of “17 control objectives” plan fiduciaries can use to strengthen data security.
Don’t forget: Colonial Surety is here to help plan sponsors too. We include a cyber breach response plan in our affordable Cyber+Fiduciary Liability Insurance package. Along with defense costs and penalty limits up to $1,000,000, our liability insurance package for plan sponsors includes:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call Center services.
- Credit and identity monitoring.
Obtain your DEFENSE, efficiently and affordably today:
Pension plan professional? Colonial can help you ensure your plan sponsor clients have the coverage they need—and we’ve got you covered too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing. Insurance for Pension Professionals Right Here.
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors,