The deepfake threat is here! You might be used to trusting photos and videos of leaders. However, deepfake technologies raise new doubts and a heightened need for critical thinking. There are many implications to be considered from deepfakes such as the potential for new laws, improvements to education and more. Let’s focus on the deepfake threat and what it means for IT security professionals.
Defining the Deepfake Threat
Picture the following scenario. Jane, the IT security analyst on your team, receives a phone call on your company phone. She answers the call after seeing a call display showing a company phone number. The caller identifies herself as the chief financial officer of the company.
She states that she’s traveling and needs a new password right away to prepare some time-sensitive work for the board. Before your analyst can say anything else, the caller demands fast action.
In this situation, the IT security analyst is probably going to feel pressure to help a superior quickly. The analyst may decide to skip over usual safeguards because the call sounded urgent. If that request is granted, the threat attacker could obtain access to an executive’s privileges and do severe damage.
Impersonating phone calls is one way you may encounter a deepfake threat. USA Today has already reported on the rise of “fake audio” as an emerging threat in 2020. That’s just the tip of the iceberg, unfortunately. In 2019, CNN reported on a significant effort at the Pentagon to fight deepfake videos. The implications are clear. Just imagine if an enemy created deepfake videos impersonating a senior military officer and used such videos to issue false orders. Such a move could cause chaos!
From a corporate security perspective, deepfake technology represents a new type of social engineering. In the past, threat actors had to rely on emails and phone calls to evade security defenses. That’s starting to change today. As deepfake technology becomes cheaper and more widely available, you will need to update your security safeguards.
Three Lines of Defense Against the Deepfake Threat
To resist the deepfake threat, the first step is recognizing that traditional methods are not good enough. Instead, you will need to update your processes, training and technology to combat this threat. Before introducing changes to the rest of your organization, start by educating yourself on the nature of the deepfake technology.
To bring the deepfake threat to life, develop a few scenarios that show how this type of threat could hurt your organization. For example, fake videos of your executives could request confidential information or create confusion inside the organization. Alternatively, the deepfake threat could serve as a part of a broader strategy. For example, a deepfake video could send your entire team into crisis mode. Then, a few hours later, a secondary attack could begin using other methods. In this case, your IT security response capabilities may become overwhelmed.
Process Defense Against Deepfake Threats
Strong process discipline represents your first line of defense against deepfake technology. For example, equip your staff with robust standard operating procedures relating to password changes and access change requests. These procedures will help you stay focused and avoid common mistakes, like making too many exceptions.
Tip: Asking multiple challenge questions and leverage multi-factor authentication (MFA) will also help reduce the chance of a deepfake threat succeeding.
Enhanced IT Security Training
There are two layers to providing enhanced IT security training to combat deepfake threats. Start by equipping your cybersecurity specialists to evaluate these threats. Since this is an evolving threat, there are currently limited formal educational materials available. Therefore, you will need to make do with limited scope training such as a lunch and learn introduction.
The next layer of enhanced IT training will vary depending on how you assess the IT security implications of deep fakes. In the short term, you may decide it is reasonable to require greater adoption of MFA by all employees. As part of your introduction for such a change, explain why you are asking staff to spend a bit more time on security procedures.
Technology vs. Technology: The Ultimate Line of Defense Against Deepfake
Since advances in technology created the deepfake threat, your solution to it must include enhanced technology. Today, there are relatively few options that directly detect and defeat deepfake videos, audio and other uses. As a consequence, you will need to use security software indirectly to respond to this threat.
The Way to Free Up Time to Deal With Deepfake Threats and Other Emerging Security Problems
Responding to deepfake threats requires more human effort and analysis. If you already have a full plate of IT security responsibilities, what can you do? Naturally, your first thought might be to hire more staff. However, that proposal may not be well received if you have recently expanded your team. Instead, you will need to use technology to free up your team’s time and energy.
Start by automating the most repetitive tasks, such as password administration. Use an IT security chatbot like Apollo to handle this task for you. A chatbot may have limitations, but it cannot be compromised by threats or intimidation, which may be used in deepfake messages. Once you have this technology implemented, keep on reading, because there are other opportunities.
Reducing the amount of damage an attacker can achieve is one way to keep your data safe. That’s why it is a smart idea to apply the principle of least privilege for your user accounts. By comprehensively auditing all user accounts, it is easy to tell when there is a gap compared to your policy.
Worried that your international users will not be covered by security software? Avatier software is built to support more than 30 languages, including Spanish, French, Japanese and Chinese.
Obtaining budgetary approval to buy new software might be a roadblock for some. After all, choosing the wrong security software may give you a false sense of confidence. To guide you through the process, use one of our business case articles to get started, such as Build Your Business Case for Multi-Factor Authentication in 5 Steps.