How to fight deepfakes and ransomware: Better security training

Did you hear about the CEO who was recently duped by an AI-powered deepfake voice scam? It’s time to increase security training for everyone - especially the C-Suite

I’ve often said that the most secure network is one that is not powered on. While it may be true that every IP address has an exploit, it’s not always the operating systems or hardware that hackers target. The largest exploitable system is our users. Hackers are actively targeting users by mining website updates and social media posts on Twitter and LinkedIn.


I was two days into my most recent CIO role when I received an email from the CEO asking me to work with the CFO to initiate a wire transfer on behalf of a client. The CEO requested that I respond quickly. It’s important to note that this email was sent to the personal email address associated with my LinkedIn profile. Not today Satan, not today.

There were several red flags in the message letting me know it was not a legitimate request, but the biggest clue was that I had not shared this email address with anyone in my new organization.

Similar social media targeting is likely being used against you and your users. Hackers target users as it may be easier to have someone click on a deceptive link or share credentials than to break through firewalls unnoticed.


Deepfakes, ransomware, and what’s next?

Technology continues to innovate, and emerging innovations are quickly adapted for nefarious purposes. Recently, a CEO of an unnamed UK-based energy firm was duped out of $243,000 through a sophisticated deepfake voice scam. This executive believed he was talking to his boss and was simply carrying out the request. This is most likely the first known use of AI-powered deepfake technology to commit a crime, but it certainly won’t be the last.

Security tools will need to quickly evolve to detect and block such potential exploits. Until then, make sure you have a multi-step process in place before initiating wire transfers. Do not rely on a single call or email before transferring funds even to known entities.


Scams using artificial intelligence will continue to increase. AI allows hackers to more quickly scam unwilling victims and scale their attacks to larger audiences. While AI-empowered attacks will increase, ransomware seems to be the attack du jour. A recent McAfee report shows that ransomware attacks have more than doubled in the past year. In fact, it seems to be the summer of ransomware. Each week a new report of an attack emerges. Recently, a coordinated ransomware attack crippled 23 Texas cities. (Everything is bigger in Texas, including ransomware.)

As attacks increase, organizations are spending large sums to keep up. Gartner predicts that the global information security market will reach $170+ billion by 2022. Security takes a multitiered approach, utilizing hardware, software, and services to secure systems and data. We can only speculate about the future technology that will be used against us, but continued education and testing of your user base must be part of your overall security strategy.


Security training: Make it specific and plausible

I encourage every CIO to conduct security awareness training. These training sessions must be mandatory. And yes, mandatory means every member of your organization, including the C-Suite. In fact, especially the C-Suite, as many of these execs are often targeted. I have seen countless emails posing as CEOs asking for wire transfers or to reset logins.

These training sessions must be specific and applicable. For example, does your company take credit card payments? If so, make sure PCI exploits are discussed. If you are in the healthcare vertical, discuss recent HIPAA violations. Adapt your training to include real-world attacks and security best practices.

Security awareness training platforms such as KnowBe4 and Proofpoint offer comprehensive training and, more importantly, tools for creating simulated phishing attacks. Those simulated tests can be used to reinforce security awareness and determine which users need additional training.

When security is everyone’s responsibility, behavior changes

Security awareness must be frequently tested to determine effectiveness. Use your security awareness solutions to create phishing attacks that are specific and relevant to your users, similar to how hackers could target your user base.


If it is tax season, send users a link for them to download their W-2 forms. If a long-standing team member is retiring, create a LinkedIn request. When March Madness occurs, use it to send out a brackets sheet.

When users fail to detect phishing scams, enforce quick remedial training. Users who consistently fail should be brought to the attention of their manager. The goal of internal phishing tests is not to make people paranoid about every email, but to help them be vigilant and aware of how email and other exploits can be used against them. I have been called sneaky or even mean because of some of the phishing tests I have created, but seeing a decline in successful internal phishing attempts reinforces why I must continue to test and reinforce awareness.
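The remediation rule above (quick remedial training after a failure, manager escalation for users who consistently fail) is easy to apply mechanically to the results your simulation platform exports. The following Python script is an added example, not code from the article or from any vendor product; the CSV layout, the outcome labels and the "ok/remedial/escalate" categories are assumptions, and the results are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed export of three simulated campaigns (the W-2, brackets and
# LinkedIn lures mentioned in the article). Hypothetical format, one row per
# user per campaign. outcome: reported | ignored | clicked | credentials.
SAMPLE_RESULTS = """\
campaign,date,user,outcome
w2-forms,2019-02-04,alice,reported
w2-forms,2019-02-04,bob,clicked
w2-forms,2019-02-04,carol,credentials
w2-forms,2019-02-04,dave,credentials
brackets,2019-03-18,alice,reported
brackets,2019-03-18,bob,clicked
brackets,2019-03-18,carol,clicked
brackets,2019-03-18,dave,reported
linkedin-retire,2019-05-06,alice,reported
linkedin-retire,2019-05-06,bob,clicked
linkedin-retire,2019-05-06,carol,reported
linkedin-retire,2019-05-06,dave,clicked
"""

FAILED = {"clicked", "credentials"}  # outcomes that count as falling for the lure


def load_results(text):
    """Parse the export and order rows chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["date"])
    return rows


def campaign_rates(rows):
    """Return [(campaign, failure_rate, report_rate)] in campaign order."""
    order, totals = [], defaultdict(lambda: {"n": 0, "failed": 0, "reported": 0})
    for r in rows:
        if r["campaign"] not in totals:
            order.append(r["campaign"])
        t = totals[r["campaign"]]
        t["n"] += 1
        t["failed"] += int(r["outcome"] in FAILED)
        t["reported"] += int(r["outcome"] == "reported")
    return [(c, totals[c]["failed"] / totals[c]["n"], totals[c]["reported"] / totals[c]["n"]) for c in order]


def escalation(rows, window=3):
    """Per user: 'escalate' if they failed every one of the last `window`
    campaigns, 'remedial' if they failed the latest one, otherwise 'ok'."""
    history = defaultdict(list)
    for r in rows:
        history[r["user"]].append(r["outcome"] in FAILED)
    result = {}
    for user, hits in history.items():
        recent = hits[-window:]
        if len(recent) == window and all(recent):
            result[user] = "escalate"
        else:
            result[user] = "remedial" if recent[-1] else "ok"
    return result


def failure_trend_improving(rates):
    """True when the latest campaign's failure rate is below the first one's."""
    return rates[-1][1] < rates[0][1]
```

Run it across every campaign export, not just the latest, so a user's category reflects a pattern rather than one bad day.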

When users realize that security is part of their job responsibilities, their behavior changes. Users begin notifying others of potential risks and suspicious emails. They take an extra few seconds to check the validity of an email or request.

Security awareness training doesn’t eliminate all risks, but in a sense, it creates a network of human sensors. Security is not just a division of IT or compliance; it’s a mindset that must be shared by everyone in your organization. Security is everyone’s responsibility.

Your mission: Keep security training interesting

Lastly, for everyone’s sake, keep security awareness training interesting. Deepfakes, ransomware, and cryptojacking are all incredibly impressive and troubling security issues.

I mean, come on, this is basically a spy story in which everyone is an actor. CIOs, this is your chance to be the Tom Cruise of your organization: Your mission, if you choose to accept it, is to make every employee an active part of your overall security strategy.


Jason James is CIO of Net Health. He has led IT operations for fast-growth technology companies for over twenty years.