How are you updating your security awareness training to address deepfakes, synthetic media or other tactics? Are you adding specific modules to educate staff on these risks (or other emerging attack methods)?
Sort by:
To add to my earlier point, while we are not using any specific deepfake detection technology, we do task our social media monitoring teams with this responsibility. We leverage products like Cyber and Google Threat Intelligence for social media and brand monitoring. This is part of our standard operating procedures, where we look for things like typo-squatting domains and take them down through these services. These tools also help us detect misinformation or any deepfake content involving our executives that may appear online.
Our approach is similar. We believe our best defense is our people, so we focus on training employees to report any anomalous activities, including those that could be related to deepfakes. Currently, deepfakes are not at the top of our risk register. We regularly review our risk register to ensure appropriate prioritization and monitor global threat trends, but we have not seen significant attacks in this area. If the risk landscape changes, we would adjust our priorities accordingly. For now, we prefer to leverage existing platforms and tools rather than invest in new solutions, but we recognize that this is an evolving area and are keeping a close watch on developments.
There are a number of digital reputation protection organizations and services available that not only detect deepfakes but also monitor where and how they are emerging, even if they are not directly targeting us. As we evaluate these platforms, we look at their ability to integrate with our awareness programs, HR systems, and messaging teams, as well as how well they can be contextualized for our specific business. We have run some proof-of-concept trials with these services, and the feedback has been positive. Ultimately, the key criteria for us are the malleability of the platform and its ability to fit our environment and business needs.
I am aware that some deepfake detection tools exist, but we are not currently leveraging them. Our approach right now relies strictly on manual controls to identify and mitigate deepfake threats.
We have observed and consumed intelligence where deepfakes are being used to target organizations, particularly in financial contexts. Our approach has included not just awareness campaigns but also simulations. For example, we have impersonated our CFO in targeted messages to accounts payable staff. We also ran a simulated meeting invite, though we did not use AI-generated personas. In that case, many employees received an urgent invitation from their boss in the middle of the night, prompting confusion and a flurry of questions. These exercises are accompanied by guidance on how to handle such situations appropriately. These are signs of the times, and the pace of these threats is accelerating.
We view deepfake detection as an emerging technology and are monitoring the space closely. There are many startups with interesting solutions, but for now, we are taking a wait-and-see approach. Our main investment remains in user training, as we believe people are the key risk factor. While we are keeping an eye on deepfake technologies, it is not currently high on our risk list.