About: Deepfakes are exposing businesses’ cyber security skills gaps. Cyber security experts share their insight into how businesses can protect themselves against a growing risk.
Deepfake crime is a real and present danger for businesses. Last year, it cost one bank alone $35 million in a single scam, yet many businesses are still ignoring the risks, partly thanks to a lack of cyber security skills at leadership level.
With Deepfake technology becoming more sophisticated – and readily available to criminals – businesses need to see the technology as a current threat and not a future concern. Here, cyber security professionals based in the UK and Singapore, look at the steps that every business needs to take now to protect themselves against Deepfake intrusions before it’s too late.
Understanding the Deepfake threat
Unlike established cyber-security threats – eg malware, SQL injections and database hacking – Deepfakes are still easy to dismiss from cyber security strategies. A relatively new technology, their introduction as a fun, viral video phenomenon hasn’t helped businesses to realise the severity of the threat they now pose to security. Yet several high-profile cases have emerged in recent years that illustrate just how dangerous Deepfake can be.
In 2019, a UK-based CEO was conned into transferring $243,000 to a malicious actor, thanks to advanced Deepfake voice technology convincing them that they were speaking to their parent company’s chief executive. Different types of Deepfake known to be used against businesses currently include ghost fraud (where the criminal steals a deceased person’s identity), identity imitation (like the examples above), new account fraud, and virtual identity fraud (where criminals ‘create’ a new identity by combining information and images from multiple people).
Highlighting growing concerns at government level, the FBI last year released a stark warning of the dangers of Deepfake in a six-page report, while the UAE’s National Programme for Artificial Intelligence and the Council for Digital Wellbeing issued guidance to raise public awareness of the security threat.
How cyber security teams need to respond to Deepfake
While technology is at the fore-front of most businesses fight against cyber crime, there is no software or system that businesses can ‘buy-in’ to seal their business against Deepfake threats. While they are a cyber security concern, their success currently relies on ‘human error’: namely, using technology to trick individuals into taking action.
James Foster, Client Partner, Cyber Security at global tech recruitment firm RP International, advises: “The key to protecting your business against Deepfake risks is educating your employees on how to spot a Deepfake in action – and knowing when they need to be extra vigilant. At present, most Deepfakes do have tell-tale signs that something isn’t quite right with a call or video if you know what to look for, but these technologies are becoming more sophisticated. You need to make sure you keep evolving your armour against it. Having the right cyber security skills in your business, at both support and leadership level, is the best way to ensure that you are staying ahead of scammers.”
However, thanks to ongoing advances in the technology, Deepfakes could soon pose a risk to automated activity, too, with the potential to help cyber criminals pass video and audio security protocols.
Cyber Security specialist James Bore CSyP, comments, “Any time someone asks you to do something like transfer money or share data on a phone or video call, verify it elsewhere. Email them directly, drop a note to their PA, just get that extra verification. There’s no guaranteed method to spot a Deepfake, as the technology is changing all the time, so the key thing is changing your culture to educate everyone about the risks.”
Cyber security needs people, not just technology
With cyber security threats constantly evolving, businesses need to have the right people on board to track threats and develop defences against them.
Zero-trust policies are a big step towards educating every individual on the risks posed by cyber scams (Deepfake or otherwise) but they need to be led by people with the right tech knowledge and soft skills to engage employees across the business – especially at board level. Deepfake fraud is perhaps disproportionately aimed towards senior professionals compared to other cyber crime methods, as these high risk, high value targets can provide a more significant return to criminals who have invested in the technology.
Jaqueline Chaw, RP International’s cyber security specialist based in Singapore, comments, “Many organizations haven’t recognized “Deepfake” as a cyber security risk, so technology to detect it isn’t as prevalent as conventional cyber security tools. Educating your cyber security team, as well as business users, on Deepfake technologies is crucial to protect your organization. It’s also essential to have a robust team of cyber security talents that are trained and combat-ready for modern-day security threats.”
With cyber security leadership talent in high demand and short supply across every sector, businesses need to act now to educate their employees and secure the skills they need to face Deepfake security threats – or risk falling foul of synthetic content attacks in the near future.