Tackling the business threat posed by deepfakes [Q&A]
AI has become an undeniable and powerful part of the digital landscape. It makes systems stronger and more automated -- but it also has the potential to present a threat.
Some 80 percent of executives believe deepfakes pose a risk to their business, yet only 29 percent say they have taken steps to combat them. We spoke to Patrick Harding, chief product architect at Ping Identity, to discuss the security threats posed by AI and the need to take steps to properly secure identity by adding additional layers of protection.
BN: Are organizations prepared for the threat posed by deepfakes?
PH: As it stands now, organizations should be doing more to prepare against emerging security threats. The proliferation of artificial intelligence (AI) across digital channels has brought cybersecurity concerns to the forefront for businesses and ushered in a new era of mistrust. One increasingly vulnerable asset in such attacks is identity, as hackers weaponize AI to quickly take over accounts, create detrimental deepfakes, and commit identity theft.
Our recent survey revealed only 52 percent of organizations have high confidence in their ability to detect a deepfake of their CEO. AI has allowed threat actors to do more harm with fewer resources on a larger scale, posing serious consequences for businesses and consumers. As a result, innovation has been pushed into overdrive in response to new technologies like AI.
BN: What should enterprises be doing to protect themselves and their customers?
PH: First, organizations can work to secure their workforce identities. This can be achieved by implementing single sign-on (SSO) and passwordless multi-factor authentication (MFA) to all internal and external systems and services, along with solid identity governance practices, which can help secure organizations against unauthorized access.
Enterprises can also reduce reliance on traditional passwords that offer minimal protection. Organizations underestimate the risks associated with weak passwords protecting legacy enterprise infrastructure. To combat the evolving threat landscape, enterprises need to adopt more agile and effective security practices. At a minimum, these include stronger authentication and SCA workflows, increased adoption of biometrics, and, most importantly, passwordless authentication solutions.
Additionally, organizations can work to implement a zero trust framework. This type of approach ensures that every user, device, and API connects to each application securely, with layered intelligence and step-up authentication. Zero trust is mandated in the US federal government, but every industry worldwide can benefit from implementing its practices.
Lastly, enterprises can and should vet their third-party service providers. Before onboarding a third-party service provider, organizations need to conduct a risk assessment of their data protection policies, security controls, and incident response capabilities. Additionally, inform these teams of any security requirements regarding data protection, access management, and incident reporting, and review these regularly.
By following these best practices and leveraging more advanced technologies, organizations have a better chance of protecting against identity fraud tactics and threats.
BN: How about individuals? What can we do to safeguard ourselves?
PH: A recent consumer survey revealed that 54 percent of individuals are concerned about the possible use of AI technology to create fake impersonations. The first step individuals should take to safeguard themselves against identity-related threats is to incorporate preventative measures such as MFA by default. These authentication methods decrease the risk of account takeover or identity verification to combat new account fraud and synthetic identities.
Another tactic consumers can use is to scan all interactions for fraud risk, starting before login and continuing throughout the session, and aggregate multiple fraud signals into a single risk score to improve accuracy. Similarly, users can mitigate fraud risk in real time by stepping up security for suspicious users based on the level and type of risk they represent, regardless of where they are in the user journey.
As a final step, individuals can focus on password management. Similar to enterprises, traditional passwords usher in risk. While the future of authentication is passwordless, passwordless adoption is still in its infancy. Unfortunately, 59 percent of consumers are still storing passwords by memory alone, with 54 percent admitting they have too many to keep track of. As long as passwords remain a component of authentication, users must follow safe password practices. Poor password hygiene includes using weak and common passwords. Reusing passwords -- even strong ones -- across multiple websites is also unsafe. If an attacker obtains matching username and password credentials for one account, they may try the combination on other websites. It's important to note that even strong passwords should be changed frequently.
By following these best practices, consumers can have more seamless digital experiences while maintaining user security.
BN: Are deepfakes just part of a larger industry of identity theft and how much is this now driven by AI?
PH: With fraudsters getting more sophisticated and aggressive, the stakes couldn't be higher. Victims of identity theft spend an average of $1,200 to restore their identity. Recent data has put a spotlight on AI and identity fraud, and the ways in which it's impacting businesses and their daily operations. It's a challenging moment for those working in digital identity and security. Data reveals a pressing need for organizations to enhance their identity protection strategies in the wake of rapid AI adoption. Over half of organizations say they are 'very concerned' about identity threats, and 48 percent say they are not effectively managing today's security and identity risks.
On average, businesses are spending over $30M this year alone on combatting new AI-enabled identity attacks. However, AI-powered cyber threats and identity attacks are about to explode, with fraud expected to increase significantly next year. It’s why two-thirds of enterprises say they will invest more next year on advanced protections.
As mentioned previously, one area of identity threats is executive identity compromise. While some employees are confident they could detect a deep fake of their CEO, almost half of organizations don't feel they have the proper technology in place to combat such AI-related attacks.
From an identity standpoint, AI compromises trust. It gives attackers greater ability to execute attacks at scale, and it can't be ignored. As AI adoption rises, it remains one of the largest identity-based fraud concerns for organizations. The time is now to think about -- and respond to -- the challenges around security and identity fraud.
BN: Can AI be part of the answer as well as part of the problem?
PH: While AI is part of the problem, it's also part of the solution. Organizations of all sizes have to arm themselves with AI even as they look to fight against it. Security teams have an opportunity to harness this powerful, continually evolving technology as the threat landscape spreads and becomes capable of greater harm. For better or for worse, AI is the present and the future. While we can't predict its trajectory, organizations can understand what the current environment looks like.
AI-driven capabilities can help enterprises quickly identify and stop threats at a massive scale and reduce the risk of unauthorized access. Smarter protection through AI empowers IT admins to make intelligent decisions more quickly and with a higher degree of confidence, which leads to lower deployment costs and easier integration. We can use AI to make the day-to-day easier both in professional and personal terms, but we also have to look at the way it widens the risk landscape.
Undoubtedly, attackers are seizing the power of AI for their bad intentions. AI is a double-edged sword -- it will continue to redefine life as we know it. The more organizations can do to prepare today, the better equipped they will be to defend tomorrow.
Image credit: Westlight/depositphotos.com