NAB
Deepfakes have become increasingly
prevalent in politics and the entertainment industry in recent years. However,
they now threaten business and enterprise as well. According to one security
expert, companies need to have deepfakes on their radar or risk getting burned.
“Deepfakes are a rapidly evolving technology that
has the potential to cause significant harm,” says Dr. Edward Amoroso, CEO of TAG Cyber, in a new report. “[Businesses
need to] understand the dangers of deepfakes and how to protect themselves and
their organizations.”
Deepfake technology, artificial
intelligence, and machine learning are moving faster than security teams are
evolving. Audio deepfakes are increasingly being used to hack into company
networks to steal large sums of money, impersonate individuals, and even
manipulate stock prices.
One general risk is reputational damage.
Putting up a fake Tom Cruise is one thing — it’s flagged as a deepfake and it’s
clearly designed for fun. But a faked video from a company CEO? That could tank
the stock rating.
“Deepfake technology can be used to
deceive viewers or listeners,” TAG’s chief information security officer David
Neuman says. “When deepfake technology is used through the cyberdomain to
target businesses with false or misleading information, it is likely to have a
cognitive influence on leadership decision-making.”
The report explains that the
immediate risk is that a company’s existing security team lacks the ability to
determine if media is authentic. Most security teams have spent considerable
time and resources to build technology stacks and procedures to detect and respond
to traditional cyberthreats, not those designed to influence behavior or
decisions.
Another risk is that security teams
lack defined controls to mitigate the impact. Segmenting different parts of the
business can be done proactively to help control the spread of a cyberattack.
But how does a company proactively prepare for a deepfake?
“Procedures designed to respond to a
deepfake event may not include the right teams or professionals,” says Neuman.
“These are likely teams that have never dealt with such incidents and lack a
set of operational and business procedures to implement.”
Cyber investigators will also need to
develop capabilities to try to determine where a damaging deepfake originated
and work with authorities to pursue the perpetrators. New skills, training and
education are also necessary for dealing with deepfake technology.
One new twist is fake job applicants.
As the paper explains, now that so much work is conducted remotely outside
the office, it’s no longer unusual for job interviews to be conducted remotely,
and for employees to work for years for bosses they haven’t met and may never
meet.
Last June, the FBI issued an alert
that warned companies about deepfake job candidates. Complaints along these
lines have been growing, the bureau noted. Once criminals obtain employment,
they can look for opportunities to steal money and/or data.
Rick McElroy, principal cybersecurity
strategist at VMware, says, “Organizations have spent an inordinate amount of
money on these controls. Manipulation of the human is the easiest way — it’s
the fast forward button.”
How can companies begin to get to
grips with the problem?
A good place to start is to develop a
threat model and tabletop exercise to understand the gaps and needed
capabilities to deal with a deepfake incident.
A threat model is a systematic way of
understanding and analyzing potential threats to an organization. It helps to
identify, assess and prioritize the organization’s threats and develop
strategies for mitigating or managing those threats.
The tabletop is a low-cost and simple
way to understand and test the effectiveness of processes, techniques and
procedures in dealing with a threat.
“These approaches are used in cyber
threat environments today and would be a good starting point for teams to
understand how to prepare for the next evolution of cybersecurity,” says TAG’s
David Hechler.
“Responding
to a cyber incident is a team sport with many players: cyber experts, sure, but
also technologists, lawyers, communications professionals, CFOs and other
stakeholders. It is the same with responding to deepfakes. Teams will need to
develop processes to identify business-impacting deepfakes in a timely manner
and move to counter them.”
TAG also includes a foreword to its
report from the Dalai Lama. Pictured with Amoroso, His Holiness writes:
“I read this deepfake publication with great
interest — and I deeply appreciate the work that has gone into its development.
I offer my prayer that you will cancel your Gartner subscription. This seems
consistent with Ancient Wisdom. Divert your dollars to TAG Cyber — and you will
be happy. And I’d stay away from Forrester as well. They are better than
Gartner, but only a bit. Stick with TAG Cyber. For enlightenment.
“And please do not trust or believe everything you
read. It could be a fake. Or a deepfake.”