By Michael Marcotte, Founder & CEO of artius.iD
The emergence of deepfakes fired the starting pistol in a cybersecurity arms race. Paranoia about their impact has rippled out into a range of areas, including political misinformation, fake news and social media manipulation.
Deepfakes will intensify the already acute pressure placed on trust and communication in the public sphere. This will rightly attract the attention of regulators and policymakers. But because of this focus, what risks being missed is the role deepfakes will play in corporate fraud, scams and theft.
Corporates will feel justified in delegating deepfake identification and protection to central governments and public agencies – this is where the frontlines have supposedly been drawn. If they do cede this territory to the state, they will leave themselves completely exposed to deepfake-enabled corporate fraud.
In fact, this is already happening. In February, an employee was duped into sending $25m of company funds to malicious actors after falling for a deepfake video scam, where fraudsters posed as the firm’s CEO in a video conference (The Guardian).
This attack is the canary in the coalmine – hackers have expanded their arsenal and are bringing deepfakes to the cybersecurity gunfight. Corporates cannot afford to rely on government for protection – they’re too slow. They need to develop their own multi-layered defensive strategy now.
But what does this look like?
The cornerstone has to be compliance. It’s never enough on its own, but if your employees are regularly leaving the door wide open for hackers then it doesn’t matter how much you spend on new technologies.
So, corporates need to invest in training and informing their employees about the threat posed by deepfakes and how to mitigate it. An email newsletter is not going to cut it – there should be regular, mandated training sessions. These might involve simulated phishing exercises with deepfakes or interactive workshops where employees are trained to spot red flags. There needs to be rapid internal reporting mechanisms so that employees can reach specialized IT teams as soon as a threat is identified.
Getting employees up to speed on this will be no small feat. Unfortunately, as any IT professional knows, most workers outside of the industry have a chronic lack of cybersecurity basics. It will take regular, proactive measures to ensure that they aren’t accidentally exposing the company. But if successfully done, a well-educated, vigilant workforce is the foundation of a comprehensive cyber defense.
Alongside training staff, corporates should also be onboarding the latest authentication and verification tech. Not investing in the latest defensive systems leaves corporations in the stone age, facing down hackers with AI and deepfakes at their fingertips.
These might include advanced forensic analysis tools that use machine learning and image processing to identify manipulated media content. Biometric authentication needs to be ramped up, with enhanced facial and voice recognition, to verify identities. Digital watermarking can be deployed to mark authentic content for employees.
These technologies can be rapidly integrated into company practices today. More long-term technological defenses might involve AI-powered deepfake detection tools – using machine learning algorithms, trained on datasets composed of authentic images and deepfakes, to detect fraudulent content. But these will take significant amounts of time, data and expertise to build.
Whilst these first two strategies are preventative, it’s also crucial to have damage limitation in place, should a breach occur. Corporates need to have robust access controls to sensitive information so that a successful scam at lower levels of the business does not result in high-level IP and trade secrets being lost.
Strict and defined network separation is also crucial, based on the principle of least privilege. If malicious actors gain access to a network through an employee, this should not allow them to pivot into other areas of the business. Added to this, containment measures can prevent dissemination of fraudulent media throughout the company. Takedown notices, content filters and transparent top-down communication can all contribute to putting out the fire after an initial breach.
Senior management have plenty to do to properly insulate their firms, and this will involve increased investment in cybersecurity across the board. But this shouldn’t be a hard sell to management. The threats have ramped up and the risk has increased exponentially.
Deepfake breaches will result in significant reputational, financial and regulatory fallout. No CEO will want to be at the helm for the next high-profile deepfake scam. So they need to step up to the plate now and start taking steps to defend themselves. The stakes are too high to wait for the government to do it for them.
About the Author
Michael Marcotte is founder & CEO of artius.iD. He is one of the premier cybersecurity executives in the US. After joining in 2006, Michael was Global CIO, Global CDO and President (Hughes Cloud Services) at EchoStar, the multi-billion-dollar satellite communications giant. He was one of the very first people to serve as Chief Digital Officer in a major international corporation. Michael left EchoStar in 2014 and has applied his expertise at a range of firms in technology, cybersecurity and venture capital. As well as artius.iD, he is founder, chairman and CEO at innovation lab software and venture capital firm Artius Global Holdings and cybersecurity firm Praelium Systems. Michael holds a number of public advisory positions. He is co-founder of the National Cybersecurity Intelligence Center (NCC) and was founder and chairman of the NCC’s Rapid Response Center Board. He has been a senior advisor for several heads of state and US Senators. He is also a board member at the Office of Economic Development and International Trade (OEDIT). Michael can be reached on LinkedIn.
Source: www.cyberdefensemagazine.com