Date: 2024-05-20

Deepfakes have become the second most common information security incident encountered by businesses in the past year, trailing only behind malware infections, according to a compliance and data protection SaaS (software as a service) platform.

ISMS.online surveyed 502 people in the UK who work in information security across ten sectors including technology, manufacturing, education, energy and utilities and healthcare. The SaaS firm says that the most likely scenario for threat actors to use deepfakes is in business email compromise (BEC)-style attempts. Attackers use the AI-powered voice and video-cloning technology to trick recipients into making corporate fund transfers. However, there are possible use cases for information/credential theft, reputational damage or even to bypass facial and voice recognition authentication.

With partner data (41pc) being cited as the most compromised in the past 12 months by UK respondents, more businesses need to be vigilant when it comes to the risks posed by their third-party vendors and suppliers, especially in light of these new, sophisticated attacks, the firm adds. Nearly two-fifths (38pc) said financial allocations for securing supply chain and third-party vendor connections are set to increase by up to 25pc in the coming year, particularly as the survey found that most businesses (79pc) have been impacted by an information security incident caused by a third-party vendor or supply chain partner.

Employee errors continue, with even well-trained employees facing challenges in identifying deepfakes. The survey found that some employees continue to use their own devices (BYOD) without adequate security measures (34pc), and 30pc are not properly securing sensitive information.

Luke Dash, CEO of ISMS.online, said: “It is deeply concerning to see the number of organisations threatened by both deepfake and third-party vendor risks. To address these rising and more sophisticated threats, organisations must continue to build robust and effective information security foundations. However, it is encouraging to see businesses investing in securing their supply chains and increasing employee awareness and training.”

Despite AI being part of the problem, UK respondents are also adopting AI and ML technologies to thwart threats, though they are still in the early stages. Just over a quarter (27pc) have put initiatives in place in the past 12 months, though a majority (72pc) agree that AI and ML will help to improve data security.

“It’s still unclear how new, advanced technologies like AI and ML are going to change the data security landscape. We are certain, however, that governments across the globe will push for more, not less, regulation. Standards like ISO 42001, which deals with AI, will help organisations provide assurances to partners, customers and regulators. Having these in place is truly essential to building a better business, longevity and financial success.”