Cybersecurity Risks for the C-Suite

One of the key issues raised during one of our recent events, in coordination with MHA Moore & Smalley and Barclays, was managing Cybersecurity at C-Suite level. This applied from a business perspective but also highlighted the risks that senior, high-ranking individuals face online.

Of these risks, the rise of ‘deepfakes’ is perhaps one of the most sophisticated and increasingly intelligent threats facing businesses in today’s online environment.

Deepfakes are the latest development in a long line of online scams such as fake invoices, phishing and fake websites. The trouble, however, is that they are becoming harder to tackle and are appearing across a variety of media.

Fake Text & Information

Chances are, you’ve probably heard the term ‘fake news’ by now. Both the 2016 US Presidential Election Campaign and the UK Brexit Referendum were riddled with fake news and propaganda, and a lot of this was generated by AI and distributed via online bots.

The issue is rife in all online avenues – with more than 50% of YouTube traffic classified as “bots masquerading as people” and less than 60% of online traffic in general being human.

This obviously highlights the extent of the influence that deepfake campaigns can have on Cybersecurity. To make matters worse, this technology is only getting smarter too.

As an example, GPT-2 is a new breed of open-source text-generation technology that threatens near-human levels of intelligence. In the wrong hands, it’s this kind of technology that can have an impact at scale.

For those at C-Suite level, this disinformation presents a myriad of issues, perhaps the most prevalent being the difficulty of, or inability to, classify data as real or fake.

Fake news could also be used as a distraction or diversion during a cyber-attack on the business.

Another capability is that the learning capacity of these programs may allow malware to contextualise an individual and generate targeted content to further an attack, improving the likelihood that targeted individuals will engage or interact with malicious or fake content.

Fake Voice

This is a tougher issue to tackle, partly because people may not be aware of the capabilities that malware has in constructing believable, real-time vocal communications.

This capability led to a 350% rise in voice fraud from 2013 to 2017, with 1 in 638 calls synthetically created.

For CFOs and Finance Directors, the implications of this technology are clear.

There are, however, ways to mitigate this threat:

  • Look at your current processes for high value financial transactions
  • Revisit existing risks
  • Mandate face-to-face/physical presence for critical operations or high-end transactions
  • Two-person rule for critical operations or high-end transactions
  • Always verify using trusted information – trust your intuition
  • Work closely with your information security teams
  • Plan your manual vs technical responses
  • Plan your recovery if you do suffer an attack

Fake Faces & Video

Deepfake videos and images are extremely sophisticated threats and have the potential to be used in exceptionally malicious ways.

These include fraud, extortion and manipulation – with malware being able to use a victim’s imagery in offensive or obscene settings that look real and convincing to those who view it.

In particular, this can be carried out in real-time via Skype, Teams, Slack, Zoom etc. Consider this if you use these tools to communicate with individuals abroad, hire remote workers or conduct any other video interviews as part of the hiring process. Who are you really hiring?

You may also wish to consider some new combative Cybersecurity technologies that are starting to appear in the marketplace.

One example would be https://ambervideo.co/ – which is software that is embedded in smartphone cameras to act as a watermark to verify a video’s authenticity. By creating a digital fingerprint at the moment of a film’s recording, the software can compare any playback of the footage with the original fingerprint to check for a match. This provides the viewer with a score that indicates the likelihood of tampering.
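A minimal illustration of the fingerprint-and-compare idea described above, added here as an example; it is not Amber's code and does not reflect how that product works internally. The segment size, the HMAC-SHA256 digest, the device key and the function names are all assumptions.

```python
import hashlib
import hmac

SEGMENT_SIZE = 4096  # bytes per fingerprinted segment (assumed value)


def fingerprint(footage: bytes, device_key: bytes) -> list[str]:
    """Return one keyed digest per fixed-size segment of the footage."""
    return [
        hmac.new(device_key, footage[i:i + SEGMENT_SIZE], hashlib.sha256).hexdigest()
        for i in range(0, len(footage), SEGMENT_SIZE)
    ]


def tamper_report(playback: bytes, original_fp: list[str], device_key: bytes):
    """Compare playback with the capture-time fingerprint.

    Returns (score, mismatched_segments); score is the fraction of segments
    that are altered, missing or appended, from 0.0 (match) to 1.0.
    """
    playback_fp = fingerprint(playback, device_key)
    total = max(len(original_fp), len(playback_fp))
    mismatched = []
    for idx in range(total):
        expected = original_fp[idx] if idx < len(original_fp) else ""
        actual = playback_fp[idx] if idx < len(playback_fp) else ""
        # A cut or appended segment has no counterpart and counts as a mismatch.
        if not expected or not actual or not hmac.compare_digest(expected, actual):
            mismatched.append(idx)
    return (len(mismatched) / total if total else 0.0), mismatched


# Constructed sample data: four distinct 4096-byte segments standing in for video.
KEY = b"constructed-demo-device-key"
RECORDING = b"".join(hashlib.sha256(n.to_bytes(4, "big")).digest() for n in range(512))
ORIGINAL_FP = fingerprint(RECORDING, KEY)  # stored at the moment of recording

if __name__ == "__main__":
    edited = bytearray(RECORDING)
    edited[9000] ^= 0xFF  # alter one byte inside segment 2
    print(tamper_report(RECORDING, ORIGINAL_FP, KEY))
    print(tamper_report(bytes(edited), ORIGINAL_FP, KEY))
    print(tamper_report(RECORDING[:8192], ORIGINAL_FP, KEY))
```

Byte-exact digests like these treat any re-encoding as tampering, so a scheme of this kind only fits footage that is stored and replayed unmodified.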

Combined Threats

All the above threats are malicious and dangerous in their own ways but are not always used on their own. In fact, by taking a combined approach, individuals with ill-intent can increase their chances of bypassing or penetrating your Cybersecurity.

These can include diversionary tactics such as fake chats generated by AI, while the real attacker is installing a backdoor on the victim’s computer.

Some biometric technologies such as voice or facial recognition may also be compromised through the use of deepfake technology – greatly increasing the risk of defrauding a targeted individual.

Threat intelligence is also affected as the line between real and fake becomes increasingly blurred. Any impact on threat intelligence can easily create a knock-on effect, compounding the issues all of this technology poses and putting businesses at greater risk.

Targets and Routes to Mitigation

Celebrities, people with large online followings or people of influence such as those at C-Suite level are more at risk than anybody else, as attackers stand to gain more.

Relying on ethics, legislation and regulation is not a route for protection either. Attackers lack ethics and they break the law.

Long-term solutions/mitigators include the improved use and implementation of Root of Trust (RoT) intertwined with traceability of provenance. More and more technical methods of verification are being adopted and will hopefully become effective in tackling all of the issues we have discussed in this article.

In the future, the current threats posed, their complexity and ability to learn may eventually inspire a complete redesign of how we create, use and share data.

Rowan

We are experienced in building the profiles of C-Suite individuals throughout the North West and have developed in-house capabilities to identify, assess and appoint true technical talent to ambitious SMEs.

If Cybersecurity is an issue that you require further insight on or an area you need to appoint someone in, then speak to David Anwyl or Chris Ravenscroft to discuss how an effective IT security strategy may benefit your board and your business moving forward.