It’s no secret that deepfakes are getting much more believable. As J.D. Brooks, CISSP explains, the technology once reserved for big-budget blockbuster films is now accessible to and usable by a wide range of nefarious threat actors who are dead set on targeting you and your organization.

If you’re the CEO or a member of the board, there’s a target on your back from your competition and from those who seek to do harm to any reputable organization. Corporate sabotage is something you’re already aware of, but the tactics and tools available to bad actors have evolved dramatically in the past few years.

Imagine a scenario in which the CEO of a large multinational corporation announces on video that they are being acquired by a competitor: stock prices drop, the market takes a hit, and the company loses out on a major deal with clients because of this unexpected news. The problem: the announcement was a total fake. Using artificial intelligence (AI) tools to recreate the image and voice of a company’s CEO is so easy, a “script-kiddie” could pull it off. What should a leader do?

No one can stop the creation of deepfakes. They’re only going to become more prevalent as technology improves and becomes more accessible. But you can educate your company and deploy a few techniques to help mitigate the risk to your reputation, as well as to the bottom line.

Train Employees to Spot Deepfakes

Just like you might run a phishing campaign to measure the effectiveness of your cybersecurity awareness training program, consider incorporating deepfake detection training for your employees.

The signs are subtle, but there may be slight mismatches in facial movements that a trained eye can spot. Often, the areas of the face that move, the mouth in particular, become blurrier than the rest of the video. AI voice synthesizers are getting good, but they aren’t perfect: they mostly lack the ability to put inflection on the right parts of words, and they struggle to maintain a human’s accent.

Numerous tools to help detect deepfakes enter the market almost daily. Some are based on AI algorithms and claim to be able to detect deepfakes with a high degree of accuracy. Others are more loosely built; these are sometimes software development kits (SDKs) that allow developers to build out and tailor an application for this purpose. Others still are all-in-one solutions designed for non-technical personnel. There are tons of vendors out there offering these types of services, but a few include Sensity.AI, Intel’s FakeCatcher, and Google’s SynthID.

Deploy Digital Watermarking Technology on Official Statements

Invisible to the naked eye, watermark pixels can be embedded into the backgrounds of images and videos, and equivalent markers even within audio recordings, serving as a hash or verification of the authenticity of the file. The concept of non-repudiation – i.e., the idea that a person’s action online can be attributed back to that person – is key here. Like a digital signature on an email that confirms the sender’s identity, these advanced watermarks can confirm someone’s identity in a video on the internet. While this does not stop the flood of deepfake materials that are present online, it does allow a company to quickly identify a fake.

Some tools use cryptographic hashing of metadata, embedding it into the file in a way that makes it easy to prove authenticity. Sometimes a code word is included for official communications that come from the C-Suite, but this isn’t ideal as it’s easily discovered and copied. Google’s SynthID, Descript, and Steg.AI are just a few of the applications that purport to provide this kind of service.

Work With Your PR Team to Establish Strict Rules of Authentication for Official Statements

If a CEO has a public persona such that there are many video and voice samples available online, then it’s much easier for bad actors to put together a believable deepfake. So, establish the ground rules upfront with your in-house or agency public relations (PR) personnel, so they know never to accept a simple phone call as a command.

Why? Because if a voice recording is available online from a keynote speech given at a symposium two years ago, it’s incredibly easy to generate a fake recording that says anything. If you do make a phone call, direct that no action should be taken in an official capacity until you follow up with an in-person meeting, or you send an encrypted and digitally signed email from your official account. The leader who yells into a phone or an intercom and expects action will need to adjust quickly to a new mode of operation. If a CEO is known for giving orders over the phone and expecting quick results, they will be a rich target for a deepfake.

Update Incident Response, Business Continuity and Disaster Recovery Plans

Have pre-approved channels that are vetted and understood before disaster strikes. Your incident response playbooks should include the steps necessary to authenticate communications from senior leaders to avoid misunderstandings that could cost you your business. If, for example, a distributed denial of service (DDoS) attack happens in real-time while the CEO is traveling, it’s possible that, as part of a coordinated attack, deepfake video or audio files might be used to further cause disruption to your operations.

In the movie Crimson Tide (1995), important nuclear attack orders were sent over an encrypted, classified system. The U.S. Department of Defense added another layer of protection by having a pre-set authentication code secured in a safe that required two-person control; the message from the Pentagon also required the inclusion of this pre-coordinated authentication code for an order to be verified as genuine. Your company may not be responsible for something as serious as nuclear weapons, but you should take to heart some of the operational security concerns that might impact your business.
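The three controls above (cryptographic hashing of a statement and its metadata, a digitally signed message from the leader’s own account rather than a copyable code word, and a pre-coordinated authentication step under two-person control) can be combined into one verification routine. The following Go program is an added illustration written for this article, not code from the author or any of the vendors named; it uses Ed25519 signatures from the Go standard library and assumes hypothetical role labels ("ceo", "cfo"), a constructed sample statement and timestamp, and a quorum of two distinct, pre-authorized signers before a statement is treated as genuine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Statement is an official communication together with the metadata that
// gets bound into the signature, so that neither body nor metadata can be
// swapped without the signature failing.
type Statement struct {
	Issuer   string // hypothetical role label, e.g. "CEO"
	IssuedAt int64  // Unix seconds; lets verifiers reject stale or replayed statements
	Body     string
}

// Approval is one holder's signature over a statement.
type Approval struct {
	Holder string
	Sig    []byte
}

// digest hashes every field with a length prefix so that, for example,
// moving text from Issuer to Body cannot produce the same digest.
func digest(s Statement) []byte {
	h := sha256.New()
	var buf [8]byte
	for _, f := range []string{s.Issuer, s.Body} {
		binary.BigEndian.PutUint64(buf[:], uint64(len(f)))
		h.Write(buf[:])
		h.Write([]byte(f))
	}
	binary.BigEndian.PutUint64(buf[:], uint64(s.IssuedAt))
	h.Write(buf[:])
	return h.Sum(nil)
}

// NewHolder creates a key pair for one authorized person. In practice the
// private key would live in a hardware token or HSM, not in process memory.
func NewHolder() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces one approval. A signature made with a private key only its
// holder controls gives non-repudiation, which a shared code word cannot.
func Sign(priv ed25519.PrivateKey, holder string, s Statement) Approval {
	return Approval{Holder: holder, Sig: ed25519.Sign(priv, digest(s))}
}

// Verify accepts the statement only if at least `quorum` approvals from
// distinct, pre-authorized holders verify against it (two-person control
// when quorum is 2).
func Verify(s Statement, approvals []Approval, authorized map[string]ed25519.PublicKey, quorum int) bool {
	d := digest(s)
	ok := map[string]bool{}
	for _, a := range approvals {
		pub, known := authorized[a.Holder]
		if !known || ok[a.Holder] {
			continue // unknown holder, or a second approval from the same person
		}
		if ed25519.Verify(pub, d, a.Sig) {
			ok[a.Holder] = true
		}
	}
	return len(ok) >= quorum
}

// Scenario runs the checks a playbook would exercise: a genuine statement with
// two approvals passes, an edited body fails, and a single approval fails.
func Scenario() (genuine, tampered, single bool) {
	ceoPub, ceoPriv := NewHolder()
	cfoPub, cfoPriv := NewHolder()
	authorized := map[string]ed25519.PublicKey{"ceo": ceoPub, "cfo": cfoPub}

	// Constructed sample statement and timestamp, not a real announcement.
	s := Statement{Issuer: "CEO", IssuedAt: 1700000000, Body: "No acquisition is pending."}
	approvals := []Approval{Sign(ceoPriv, "ceo", s), Sign(cfoPriv, "cfo", s)}
	genuine = Verify(s, approvals, authorized, 2)

	forged := s
	forged.Body = "We are being acquired by a competitor."
	tampered = Verify(forged, approvals, authorized, 2)

	single = Verify(s, approvals[:1], authorized, 2)
	return
}

func main() {
	g, t, s := Scenario()
	fmt.Printf("genuine=%v tampered=%v single-approval=%v\n", g, t, s)
}
```

The point of binding `IssuedAt` into the digest is that a verifier can also refuse statements older than an agreed window, so a signed message captured once cannot be replayed months later; the point of the quorum is that a single compromised account, token or impersonated voice is not enough to push an order through.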

Incorporate Deepfakes, Authentication of Official Messages and PR into Annual Social Engineering Training

If you don’t have annual social engineering training: start it now. Malicious actors don’t need to rely solely on spoofing an email address or a website link anymore. They can now easily spoof the CEO’s face, voice and mannerisms with deepfakes. Most social engineering training is a one-size-fits-all approach. Companies that don’t take the threats as seriously might rely on a single computer-based training module and call it good for the year. Others, who better understand the threats, will tailor the training based on the roles and responsibilities that the employee has. For example, the HR team will receive something that’s more focused on applying background checks and understanding insider threat reporting procedures, while the sales team might get training more focused on keeping confidential information from getting out as they interface largely with people outside the organization.

Role-based social engineering training is the gold standard today, but it’s not foolproof. An even better approach would incorporate a personality assessment. Those who rank high in agreeableness and extroversion might require a different flavor of training to ensure that they don’t fall victim to the types of attacks that persuade others to want to help. Those who rank very high in obedience, for example, might need specific insights into how to avoid the appeal-to-authority attack, where someone pretends to be a VIP (made much easier with deepfake technology) to obtain information from their target.

Since late 2021, we’ve seen AI become mainstream. As predicted, it has generated new tools and techniques for malicious actors, as well as countermeasures that help to defend organizations from such attacks. It’s difficult to stay up to date with things changing seemingly by the minute, but any leader who cares about their business, organization, or agency has an obligation and a duty to keep up to speed and have the right expertise available. Whether you hire a full-time CISO or call in an outside party for help, make sure that you are doing your due diligence in mitigating the risks of deepfake corporate sabotage.

J.D. Brooks, CISSP, has 27 years of experience in cybersecurity in large enterprise networks and national defense systems. He has held cybersecurity engineering roles with responsibility for defending U.S. DoD networks and advising SMBs on developing new cyber programs. His cybersecurity work spans preventing cyber attacks on the Pentagon to providing cybersecurity advice to senior leaders, both in private enterprise and government.
