It is both frightening and refreshing when events at DEF CON — one of the world’s biggest hacker conventions — make national news.
DEF CON is considered something of an anti-establishment movement that delves into the depths of security, often uncovering the most cutting-edge vulnerabilities. DEF CON is where it gets real: attendees hack into voting machines, smart home devices, cars, airplane navigation equipment, even internet-connected sex toys. (Yeah, you read that right. Don’t ask.)
News coverage of a DEF CON event is frightening: if something that happens there is newsworthy, it’s a serious danger. It’s also refreshing, since the more we understand about dangerous vulnerabilities, the more effectively we can protect ourselves.
This year’s DEF CON made national news with a “deepfake” video. Attendees were told that Democratic National Committee (DNC) Chair Tom Perez was supposed to be there but couldn’t make it, so he would connect via Skype instead. He then appeared on screen and began talking. But it wasn’t Perez at all: The video used Perez’s face, with his mouth and facial expressions altered to match a speech actually given by DNC Chief Security Officer Bob Lord. The audience did not appear to readily identify the video as a deepfake.
If you’re thinking that this technology can’t be used to scam your company, think again. In what’s being dubbed the first-ever case of artificial intelligence (AI) voice fraud, the chief executive officer of a UK-based energy firm this past March transferred $243,000 to a third party, following directions from a phone call he thought had been placed by the head of the company’s German-based parent company. The voice was faked, complete with a slight German accent, and it was so believable that the transfer was made.
Based on the success of this attempt, expect much more to come — fast. What should you do to protect your company? Similar to defending against so many other types of threats, companies should take a three-pronged approach to AI-based voice fraud: training, processes and insurance.
Training. Yes, every article about protecting against cyber threats talks about the importance of training against phishing attacks. Rightfully so; it’s one of the most important things a company can do. But more than just training, it is critical to test that training. Create fake emails, make fake phone calls, see how effective your training is — then do it all over again. Train and test at least once a year. Get more advice on successful training from this article, “Want to reduce security risks? Emphasize training.”
Processes. Every company should have solid, tested organizational processes in place for any kind of financial transaction. Maybe it’s verifying voice instructions with a follow-up email, or vice versa. Maybe it’s purposefully using two different types of technology to verify financial instructions. Regardless of the rules your company chooses, it is critical to implement some kind of multistep authorization process for every transfer of funds over a certain amount. This should be nonnegotiable.
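One way to make such a multistep rule enforceable rather than optional is to encode it as a policy check that the payment workflow must pass before funds move. The following is an added example written for this page, not code from the article or from any company mentioned in it; the threshold amount, the two channel classes, the directory entries and the approver roles are all assumptions chosen for illustration. It requires a confirmation over a different kind of channel than the one the instruction arrived on, insists that the confirmation go to a contact from the company’s own directory rather than one supplied by the caller, and requires a second, distinct approver.

```python
"""Added example (not from the article): a cross-channel, dual-control
authorization check for outbound funds transfers.

Policy encoded here (assumed for illustration, not a real product):
  * Transfers at or above THRESHOLD need a confirmation received over a
    channel different in kind from the one the instruction arrived on
    (a voice instruction must be confirmed in writing, and vice versa).
  * The confirmation must reach a contact looked up in the company's own
    directory, never a contact supplied by the caller.
  * A second approver, distinct from the person who logged the request,
    must sign off.
"""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    VOICE = "voice"      # phone call, voicemail, video call
    WRITTEN = "written"  # email, ticketing system, signed form


THRESHOLD = 10_000  # assumed policy limit, in the company's currency

# Constructed directory of known-good callback contacts (hypothetical values).
DIRECTORY = {
    "parent-ceo": {"email": "ceo@parent.example", "phone": "+49-000-0000"},
}


@dataclass
class TransferRequest:
    amount: int
    requester_id: str             # who the instruction claims to come from
    instruction_channel: Channel  # how the instruction reached us
    logged_by: str                # employee who entered the request


@dataclass
class Confirmation:
    channel: Channel
    contact_used: str             # address or number the confirmation went to


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def directory_contacts(requester_id):
    """Known-good contacts for the claimed requester, from our own records."""
    return set(DIRECTORY.get(requester_id, {}).values())


def authorize(req, confirmations, approvers):
    """Apply the policy and return a Decision listing every unmet rule."""
    if req.amount < THRESHOLD:
        return Decision(True, ["below threshold; single-step approval"])
    reasons = []

    # 1. Confirmation must arrive on a different channel kind than the instruction.
    cross = [c for c in confirmations if c.channel != req.instruction_channel]
    if not cross:
        reasons.append("no confirmation on a different channel")
    else:
        # 2. The confirmation must use a directory contact, not one the caller gave us.
        known = directory_contacts(req.requester_id)
        if not any(c.contact_used in known for c in cross):
            reasons.append("confirmation did not use a directory contact")

    # 3. Dual control: at least one approver other than whoever logged the request.
    if not {a for a in approvers if a != req.logged_by}:
        reasons.append("no second approver distinct from the person logging the request")

    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["cross-channel confirmation and dual control satisfied"])


def demo():
    """Constructed scenario modelled on the incident in the article."""
    # A voice instruction for a large transfer, with nothing but the call itself.
    req = TransferRequest(243_000, "parent-ceo", Channel.VOICE, logged_by="ceo")
    denied = authorize(req, confirmations=[], approvers=["ceo"])
    # The same request after written confirmation to the directory address
    # and sign-off by a second person.
    ok = authorize(req,
                   confirmations=[Confirmation(Channel.WRITTEN, "ceo@parent.example")],
                   approvers=["ceo", "controller"])
    return denied, ok


if __name__ == "__main__":
    for d in demo():
        print("APPROVED" if d.approved else "DENIED", "-", "; ".join(d.reasons))
```

The design point is that the check is indifferent to how convincing the voice was: a request that arrived by phone cannot be satisfied by anything else said on that phone, and a confirmation sent to an address the caller dictated counts for nothing. Whatever channels and limits a company picks, the rule should live in the workflow where it cannot be waived in the moment.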
Insurance. The UK-based energy firm that fell victim to voice fraud had insurance that covered the entire cost of the incident. The lesson? Get insurance that covers cyber crime. Most insurance companies offer this in addition to standard corporate insurance. There’s a good chance that policy will require you to have processes in place to help prevent an attack in the first place; that’s a good thing, and it reinforces the previous point on the importance of processes.
At the end of the day, good cyber hygiene can help thwart so many kinds of cyber threats. And, as threats evolve to take advantage of new avenues of attack, your company’s approach to implementing and enforcing good cyber hygiene must evolve with them to keep pace with the changing threat landscape. Is this daunting? Yes. Is it doable? Yes. It simply requires flexibility, diligence and tenacity — a level of tenacity to match that of a potential attacker.