MyCena, Author at MyCena®
BLOG
Read our blog articles, product news and announcements.

As ChatGPT becomes more widely used, scammers are likely to apply the technology for phishing attacks, according to experts. OpenAI, the creator of ChatGPT, restricts some misuse of the technology, but Microsoft's plans to incorporate it into Azure AI services could lead to wider use. Chester Wisniewski, a principal research scientist at Sophos, studied how easily ChatGPT can be manipulated for malicious attacks. He found that ChatGPT makes it easier for scammers to launch phishing attacks, often writing more believable phishing lures than real humans can. With the advancement of AI, it's important to consider the potential security risks and what needs to be done to combat malicious use of the technology.

Cybercrime has become the world's third-largest economy after the US and China, driven by the availability of ransomware-as-a-service and malware sold on the dark web. Even those without technical skills can launch sophisticated attacks by easily accessing these tools online. The rapid adoption of the Internet of Things (IoT) has also created security gaps that are being exploited by cybercriminals. The rise in ransom demands, due to high-profile attacks such as the Colonial Pipeline hack, has encouraged more people to enter the market, with cybercrime a growing global issue. According to recent research, the average ransom payout is now over $800,000, with the cybercrime industry set to cost up to $10.5 trillion per year by 2025.

The insurance firm Zurich has warned that many forms of cyber-attack might become uninsurable. Mario Greco, Zurich’s chief executive, explained that the devastating effects of many types of hacks are making it extremely difficult for insurance underwriters to provide sufficient cover. He pointed to the knock-on effects that many hacks can have, explaining: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people (hackers) can severely disrupt our lives.” Recent attacks have led insurers to raise policy prices and limit events covered, with many now refusing to pay out if an attack is state-sponsored. Finally, Greco called for governments to prepare to handle larger attacks on critical infrastructure, such as the 2021 Colonial Pipeline attack.

In 2022, the consequences of the Ukraine-Russia war dominated cybersecurity news. There were attacks on critical infrastructure and corporations, leading to higher energy prices, monetary losses and a less robust supply chain. Overall, it highlighted the potential impact that cyber-attacks can have on the world. As such, as we head into 2023, businesses should take as much care as possible to limit their exposure to potential cyber-attacks. To emphasise the risk, a recent survey found that UK businesses are 85 per cent more likely to suffer a hack now than they were in 2019. Likewise, with insurers offering fewer cyber products and ransoms increasing, the potential for financial damage is greater than ever – making cyber the greatest risk that many companies face in 2023.

In early December, American cloud computing provider Rackspace suffered a security incident due to a ransomware attack. The breach directly affected the company’s hosted Microsoft Exchange email service, affecting a number of customers. After work with cybersecurity experts to identify the cause of the breach, the cause has been found to be a zero-day exploit in the Microsoft Exchange version used by Rackspace. Using the CVE-2022-41080 vulnerability, attackers entered the company’s environment and deployed ransomware. Officers have named a ransomware group called Play as responsible for the attack. In recent days, Rackspace declared they would move all services off the Microsoft Exchange platform.

Recent security incidents, such as the Microsoft Exchange zero-day exploit of Rackspace servers, have put Microsoft’s security efforts into focus. In 2022, the tech giant announced it would increase yearly security spending from $1 billion to $4 billion. Since then, many have questioned the Microsoft approach to security – with some saying Microsoft is focusing on the cure rather than prevention. This focus on fixing problems rather than avoiding them has been labelled the “Microsoft Paradox”. Critics have said that Microsoft should instead release new code more slowly – only after more thorough testing. Others have suggested Microsoft should work to discontinue old services sooner, or work with users to introduce more rigorous security features.