Over the past couple of years, deepfakes – a form of synthetic media in which a person in an existing image or video is replaced with someone else’s likeness – have catapulted their way into the public imagination. While fake photo and video footage has existed for decades, artificial intelligence and machine learning have made them more powerful, convincing, and easier to produce than ever.
Thanks to a series of high profile deepfakes featuring politicians and celebrities (most notably Tom Cruise), some analysts have expressed fears that they could wreak havoc on society, dialling up the damage caused by fake news.
As scary as deepfakes might be, however, they remain a nascent threat for the moment. A far more dangerous form of deepfake has nothing to do with videos and images of powerful people – and an example of it could be lurking in your inbox right now.
Phishing out fakes
In recent months, we have seen two different documents from the UK Government on Cyber Strategy, one for its UK-wide initiatives, the other focused on protecting the government itself. Both have an inherent key theme: education. Education not only provides the UK with the ability to protect against the ever-growing sophisticated threat landscape from the criminal or nation backed adversary, but it also makes sure we can continue our maturity and abilities for the future. The recent Government Cyber Security Strategy focuses on harnessing not only the knowledge and education, but also the cyber security culture within the Government sector.
When we speak about education, we forget that we already have a network of expertise and security domain knowledge within the UK. We are not starting from the beginning. Similar to other countries like the US, the UK has an opportunity to seek the real support of the private sector as not the ones stealing talent but the ones who can share talent, technology, and experience. That way, we don’t need to wait until 2030 but implement the security controls our country requires in a matter of months.
Choosing the right technology
I am, of course, referring to phishing emails. Growing in sophistication every year, they are capable of mimicking emails from your building society, insurer, and various other service providers with unerring accuracy.
That’s a major contributing factor in its continuing prevalence, despite having existed for around 25 years. In fact, phishing has only grown as a threat. In 2020, nearly a quarter of all breaches involved a phishing attack, and more than 75% of all organisations experienced some form of phishing attack. According to the FBI, phishing incidents nearly doubled in frequency between 2019 and 2020.
While part of that can be put down to the chaos caused by the early days of the pandemic, when people were adjusting to remote working amidst a deluge of COVID-19 communication (we may never again see a spike as large as the 667% increase in attacks that came in March 2020), it’s unlikely to go anywhere.
As such, organisations need to do everything in their power to address the phishing threat. The best way to do so is by finding a balance between having a responsive third-party security team and educating their employees.
The right team
The importance of the former has become particularly abundant this year, as it’s increasingly clear that a multi-layered security approach is needed to provide adequate safety. In March for example, more than 30,000 organisations were hacked via holes in Microsoft’s email software.
When it comes to finding a security provider, it’s important to look for a couple of things. The team an organisation uses should not, for instance, just react to threats, but proactively monitor and assess them and be able to secure all aspects of the business, including email, cloud, and productivity suites.
It’s also critical that these teams regularly communicate with the organisation so that employees understand the threats facing them.
The importance of education
That speaks to the other important weapon organisations have when it comes to combating cybercrime: education. With cybercriminals increasingly capable of spoofing both internal and external communications, it’s imperative that organisations remind employees and customers of what they’ll never ask them to do via email or any other form of communication. Additionally, organisations should emphasise that employees be doubly cautious of any email that asks them to click a link, open an attachment, or verify their details.
It’s also important that businesses make it clear how and where to report suspicious emails. The faster an organisation’s security team is alerted, the more quickly it can respond and intervene to warn employees and shut down spoofed websites.
Response plans are critical
Even with those measures in place, however, organisations can’t guarantee that they won’t fall victim to a breach as a result of phishing. It’s therefore imperative that they have a breach response plan in place.
Ultimately, an organisation’s data breach response plan should allow it to go into ‘safe’ mode in the event of a breach. This, in turn, should allow it to run system checks to identify the breach, alert a task team and communicate to affected parties, service teams, the information regulator, and media accordingly.
Backing up regularly and securely is also critical to breach recovery. Your backup provider should be able to address the unique needs of laws such as GDPR and any others that impact the jurisdiction you operate in. This includes, but is not limited to, its choice of data centre, data encryption, at-rest and in-transit rules, and the ability to purge backups. Additionally, adopting a backup provider shouldn’t impact on your organisation’s ability to do business.
Preventing and limiting damage
Just as deepfakes may soon be able to do widespread damage to the reputations of high-profile people, so a phishing attack can do serious financial and reputational damage to your organisation. It’s therefore pivotal that organisations do everything both to prevent breaches as a result of phishing and to mitigate their damage when they do happen.