Most people know what a deepfake is but have not put much thought into how it could affect business operations. Deepfakes are videos, pictures, or audio that have been convincingly manipulated to misrepresent a person saying something they never said or doing something that they never did. Machine learning tools make connections between the subject’s physical attributes, sounds, and other unique identifiers to create extremely realistic outputs. Historically, deepfakes were used for things like movie dubbing. Now, cybercriminals use deepfakes maliciously for various reasons from impersonating political figures to scam attempts.

But how worried should organisations be about falling victim to deepfakes and what are the potential repercussions? Analysts would say to be very concerned, with 66 percent of participants in a 2022 VMware survey reporting that their organisation experienced a deepfake incident. This year was a 13% increase over the year prior, a significant leap over a short period of time. Organisations should include the risk of deepfakes in their cyber readiness initiatives if not doing so already. Proactive planning prior to an incident can save precious time and ensure smooth service delivery when it counts most.

Risk Analysis

To appropriately evaluate risk, it is key to understand how certain attacks can infiltrate and affect an organisation. Cybercriminals can access public company data and make changes or synthesise new content.

Here are examples of how deepfakes can materialise:

• Using manipulated audio to sound like a direct manager, member of the legal team, or client to deceive that person into revealing sensitive information. This could lead to a data leak, fraudulent financial transactions, and more.

• Creating a fake video or audio recording of a C-Suite member to paint the organisation in a bad light or make statements that do not align company culture, product launches, or that otherwise damage reputation.

• Enabling various phishing campaigns and business email compromises.

• Perpetrating fake interviews, taking a licensing examination under a false identity, or bypassing authentication controls to access personal identifiers or sensitive business data.

The types of losses to anticipate with these types of security compromises are financial and reputational. It can be hard to detect the losses as more threat actors of every sophistication level learn to create deepfakes and when employees are not educated about the risks of these attacks. Even after proven false, damage occurs and sometimes it is hard to overcome the mistrust, rebuild image, or execute necessary financial mitigation. It is crucial to understand threat potential and evaluate how much damage a deepfake could cause in order to prepare accordingly.

Remaining Cyber Ready

Clear information governance, cyber incident investigation, and data breach response plans are critically important to limit the consequences that could result from a substantial data breach. Deepfakes and other trending attack methods carry not only cyber risks, but also legal risks. Failure to safeguard certain data can result in regulatory violations, contractual defaults, and other legal exposure.

Below are three ways organisations can mitigate the risk of a cyber incident involving deepfakes and be more prepared in the event one transpires:

1. Partner with a service provider that can provide both proactive and responsive services. This may include reducing the volume of data stored internally in a legally defensible manner; creating, evaluating, and assessing the organisation’s cyber incident response plan; and leveraging AI tools that can identify deepfakes.

2. Educate employees about the existence of deepfakes, how to spot an attack, and reporting protocols. Also ensure that company leaders, legal, finance, and IT staff have extra education on this topic.

3. Deploy extra security measures such as a detailed unique process when dealing with money transfers, restricting access to personal data and trade secrets, monitoring social media and news outlets for mentions, and utilising identity verification technologies.

The most important thing to remember is that even a small amount of preparation will go a long way and can help save an organisation’s reputation, business, and assets. With deepfakes, what was once akin to a prank phone call can now be used as a powerful tool to defraud and damage individuals and businesses. Organisations must have dedicated personnel and external partners to keep up with the evolving threat landscape and deploy strategies and tools to mitigate risk.

While no organisation can eliminate cybersecurity risk, applying professional teamwork to the problem can lessen the blow. In today’s digitally driven world, breaches will happen. Having professional staff and outside partners with the right knowledge and resources is the key to advancing good cyber health and remaining compliant. Cybersecurity is a work in progress requiring teams to constantly improve cyber compliance efforts.