The meteoric rise of artificial intelligence (AI) has not only revolutionized industries but also unleashed a Pandora’s box of potential threats. Among the most insidious is the emergence of deepfakes, AI-generated synthetic media that can convincingly mimic real people, their voices, and their actions.
From white papers issued by The Department of Homeland Security detailing the increasing threat of deepfakes to false images of Taylor Swift prompting the EU to get real about AI, deepfakes have garnered significant attention for their potential to spread disinformation and manipulate public opinion.
The implications of deepfakes to the cybersecurity community cannot be underestimated. Phishing continues to be the number one attack vector for cyber-attacks, showing that despite years of knowledge and training, most cyber-attacks still take place presenting false information to trick a user.
In an era where distinguishing between reality and fabrication is getting harder, deepfakes present a formidable challenge for cyber pros who are already wresting with complex roles that are often underfunded and hyper scrutinized.
The Escalating Deepfake Threat
Much like a phishing email a decade ago was easy to spot because of a mis-spelled sender’s name or a badly photoshopped banking logo, deepfakes used to be crude and easily detectable. Now they have evolved into sophisticated attacks capable of deceiving even the most discerning eye. This rapid progression poses a significant challenge, as traditional methods of authentication and verification – even live video – may no longer suffice.
We don’t need to imagine a scenario where a deepfake video of a company executive authorizes a fraudulent wire transfer. That happened earlier this year, when a finance worker for at UK engineering firm, Arup, was tricked into transferring $25 million by a video conference request from the organization’s CFO that turned out to be an AI-manipulated version of existing video.
And, research continues to show that AI-driven deepfake attacks are more common than we know. Third party research from my own company shows that deepfakes had been experienced by 35% of cyber pros, making them the second most common cybersecurity indecent encountered by businesses in the past 12 months. Other reports show that the cost of deepfakes will grow from $12.3 billion in 2023 to $40 billion in 2027.
Deepfakes and the Cybersecurity Landscape
Cybersecurity is a constantly changing landscape that wears down even the most committed and passionate practitioners. The introduction of deepfakes risks enhances the burnout these professionals feel as these threats truly blur the lines between reality and deception. While we long ago learned that trust is not a generally accepted term in the cybersecurity business, even employing a zero-trust policy is a challenge in a deepfake world. Consider the challenges these attacks pose for our cyber teams:
- Circumventing Security Protocols: Deepfakes can be leveraged to bypass security measures that rely on biometric authentication, such as facial or voice recognition. This could enable unauthorized access to sensitive systems and data, potentially leading to devastating breaches.
- Sophisticated Social Engineering: As the Arup example above shows us, deepfakes can be used to create highly convincing phishing scams or impersonate trusted individuals, manipulating victims into taking actions that compromise security. The realism of deepfakes makes these attacks particularly insidious and difficult to detect.
- Weaponizing Disinformation: Deepfakes can be used to spread false information, sow discord, and manipulate public opinion, potentially leading to social unrest, political instability, or even impacting the outcomes of elections. In a global environment that is already highly heated, adding unwanted fuel to the fire is entirely unwanted.
- Reputational Warfare: Deepfakes can be used to tarnish reputations, undermine trust, and cause significant harm to individuals and organizations. The potential for deepfakes to be used in smear campaigns, to ward buyers off a competitive brand, or to discredit individuals is a serious concern.
Building a Robust Defense
Deepfakes are a serious problem, but hope is not lost, and we are able to take steps to effectively combat them.
As is always the case when working to thwart cyber risks of any kind, security practitioners must adopt a proactive and multi-layered defense strategy. Employees can only recognize what they are aware of, so raising awareness about deepfakes, and putting plans in place to report suspicious activity is paramount. Since deepfakes are so similar in nature to phishing campaigns and social engineering programs, take steps to ensure your security awareness training programs include content about deepfakes.
Additionally, organizations should implement multi-factor authentication and other robust verification processes that go beyond simple biometric checks. This could include behavioral biometrics such as a signature or handwriting sample, knowledge-based authentication that asks questions like “who was your third-grade teacher,” or even the use of hardware tokens. Investing in advanced detection technologies that can help identify deepfakes based on subtle inconsistencies or artifacts is an important consideration. Machine learning algorithms, as well, can be trained to recognize patterns and anomalies that distinguish deepfakes from genuine media.
Collaboration between industry partners, researchers, and government agencies is critical to developing effective countermeasures and staying ahead of the evolving threat. Both state and federal government agencies are working to put governance in place around AI to help prevent usage like deepfakes, but the U.S. is not yet at a place to give clear instruction on how AI should be built or used. Because of this, enterprises can help themselves by working with existing standards like ISO 27001 for information security and ISO 42000 for responsible AI usage.
The Unending Battle
The deepfake threat is not a passing fad; much like ransomware, it is an ongoing challenge that will continue to morph and will require constant vigilance and adaptation. Cybersecurity professionals must remain proactive in their defense strategies, continually updating their knowledge and tools to keep pace with the rapid advancements in deepfake technology.
By raising awareness, strengthening authentication, investing in advanced detection, fostering collaboration, and considering legislative measures, we can mitigate the risks posed by deepfakes.
About the Author
Luke Dash is the CEO of ISMS.online. Prior to this, they were the Chief Operating Officer and Chief Revenue Officer at ISMS.online, overseeing operational leadership, support, and driving revenue channels.
Before joining ISMS.online, Luke was the Sales Director at Lead Forensics, where they integrated with major CRM platforms and maximized ROI on sales and marketing efforts. Luke also worked as the Chief Commercial Officer at The Indigo Group, providing end-to-end solutions for contractors, freelancers, and agencies. Luke’s experience also includes their role as a Sales Director at Ascential, where they were responsible for providing construction project sales leads and industry data.
Luke began their career at IQPC, where they served as a Divisional Sales Director and Sponsorship Manager, driving sales growth and managing events and conferences for global corporations. Throughout their career, Luke has demonstrated strong leadership skills and a focus on achieving strategic and performance goals in various industries. Luke can be reached on LinkedIn and at our company website https://www.isms.online/
