TL;DR
- Deepfake technology, artificial intelligence, and machine learning are moving faster than security teams can evolve.
- Most security teams have spent time and resources to build technology stacks and procedures to detect and respond to traditional cyberthreats, but not those designed to influence behavior or decisions.
- Audio deepfakes are now being used to hack into company networks to steal large sums of money, impersonate individuals, and even manipulate stock prices.
READ MORE: TAG Cyber’s Security Annual’s New Edition Focuses on Deepfakes (TAG Cyber)
Deepfakes have become increasingly prevalent in politics and the entertainment industry in recent years. However, they now threaten business and enterprise as well. According to one security expert, companies need to have deepfakes on their radar or risk getting burned.
“Deepfakes are a rapidly evolving technology that has the potential to cause significant harm,” says Dr. Edward Amoroso, CEO of TAG Cyber, in a new report. “[Businesses need to] understand the dangers of deepfakes and how to protect themselves and their organizations.”
Deepfake technology, artificial intelligence, and machine learning are moving faster than security teams are evolving. Audio deepfakes are increasingly being used now to hack into company networks to steal large sums of money, impersonate individuals, and even manipulate stock prices.
One general risk is reputational damage. Putting up a fake Tom Cruise is one thing — it’s flagged as a deepfake and it’s clearly designed for fun. But a faked video from a company CEO? That could tank the stock rating.
“Deepfake technology can be used to deceive viewers or listeners,” TAG’s chief information security officer David Neuman says. “When deepfake technology is used through the cyberdomain to target businesses with false or misleading information, it is likely to have a cognitive influence on leadership decision-making.”
The report explains that the immediate risk is that a company’s existing security team lacks the ability to determine if media is authentic. Most security teams have spent considerable time and resources to build technology stacks and procedures to detect and respond to traditional cyberthreats, not those designed to influence behavior or decisions.
Another risk is that security teams lack defined controls to mitigate the impact. Segmenting different parts of the business can be done proactively to help control the spread of a cyberattack. But how does a company proactively prepare for a deepfake?
“Procedures designed to respond to a deepfake event may not include the right teams or professionals,” says Neuman. “These are likely teams that have never dealt with such incidents and lack a set of operational and business procedures to implement.”
Cyber investigators will also need to develop capabilities to try to determine where a damaging deepfake originated and work with authorities to pursue the perpetrators. New skills, training and education are also necessary for dealing with deepfake technology.
One new twist is fake job applicants. As the paper explains, now that so much work is conducted from remotely outside the office, it’s no longer unusual for job interviews to be conducted remotely, and for employees to work for years for bosses they haven’t met and may never meet.
Last June, the FBI issued an alert that warned companies about deepfake job candidates. Complaints along these lines have been growing, the bureau noted. Once criminals obtain employment, they can look for opportunities to steal money and/or data.
Rick McElroy, principal cybersecurity strategist at VMware, says, “Organizations have spent an inordinate amount of money on these controls. Manipulation of the human is the easiest way — it’s the fast forward button.”
How can companies begin to get to grips with the problem?
A good place to start is to develop a threat model and tabletop exercise to understand the gaps and needed capabilities to deal with a deepfake incident.
A threat model is a systematic way of understanding and analyzing potential threats to an organization. It helps to identify, assess and prioritize the organization’s threats and develop strategies for mitigating or managing those threats.
The tabletop is a low-cost and simple way to understand and test the effectiveness of processes, techniques and procedures in dealing with a threat.
“These approaches are used in cyber threat environments today and would be a good starting point for teams to understand how to prepare for the next evolution of cybersecurity,” says TAG’s David Hechler.
“Responding to a cyber incident is a team sport with many players: cyber experts, sure, but also technologists, lawyers, communications professionals, CFOs and other stakeholders. It is the same with responding to deepfakes. Teams will need to develop processes to identify business-impacting deepfakes in a timely manner and move to counter them.”
TAG also includes a foreword to its report from the Dali Lama. Pictured with Amoroso, His Holiness writes:
“I read this deepfake publication with great interest — and I deeply appreciate the work that has gone into its development. I offer my prayer that you will cancel your Gartner subscription. This seems consistent with Ancient Wisdom. Divert your dollars to TAG Cyber — and you will be happy. And I’d stay away from Forrester as well. They are better than Gartner, but only a bit. Stick with TAG Cyber. For enlightenment.
“And please do not trust or believe everything you read. It could be a fake. Or a deepfake.”