Donny Chong, Product & Marketing Director at Nexusguard: “To get a handle on deepfakes, we need to hit them from all angles”

As Davey Winder wrote in a piece on this site earlier today, deepfakes are on the rise due to the numerous elections this year. But, as Donny Chong, Product & Marketing Director at Nexusguard, explains in this interview, it’s not just voters who need to be wary: businesses are under attack too.

One of the problems is that people get tired of hearing this all the time. Donny calls this problem “security overwhelm”, where every day brings a new story about ways companies are being attacked. So what do you do?

“To combat this, you need to bring it back to your organisation,” says Donny. “What are the crown jewels to defend? What data is the most important to protect, and what applications would hamstring the business if they went down? Start there and move outward.”

As he points out, fighting attacks is like fighting “a physical illness… the earlier you spot it, the easier it is to treat”. So the quicker you read this interview, the better off your company will be.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

From a young age, I’ve had a passion for technology. Growing up, my first encounter with a computer was a Commodore 64 at the age of eight; I was trying to hack my way into the games I was playing during my adolescent years, and I was really hooked on the internet right from the beginning.

Despite graduating with a degree in Marketing, my career has been firmly rooted in Information Technology. My professional journey includes working with network infrastructure, physical access control, surveillance systems, the nascent stages of biometric security and even the transition from analogue to digital video.

In 2010, I embraced an opportunity to step into the cybersecurity field, and I haven’t looked back since.

What do you think are the best approaches to combating deepfakes?

Deepfakes are going to be everywhere. Therefore, in order to get a handle on deepfakes, we need to hit them from all angles — tech, law and public awareness. On the tech side, we’re talking about rolling out some really smart detection tools. These tools use machine learning to spot the tiny details in images and videos that scream “fake” – stuff our eyes can’t even see. Big players like Google and Facebook are on it, but this is a game of cat and mouse, and the tech needs to keep getting better, as the fakers will too.

Then there’s the legal bit. We need laws that are tough on deepfake misuse: laws that protect people from being embarrassed or harmed, keep our elections clean and safeguard our businesses from fraud. But making laws isn’t enough if they’re only local. This is a global problem: deepfakes can come from anywhere, so countries need to work together on this.

We also have to get everyone up to speed on what deepfakes are and the kind of trouble they can cause. It’s about teaching people to think twice when they watch videos online — could this be too wild to be true? Schools, tech companies and governments could do a lot more to spread the word and teach people how to spot the fakes.

Lastly, there’s the ethical side. People making and using this tech should stick to some ground rules, like always being clear when a piece of content is a deepfake. It’s about keeping things transparent so everyone knows what’s real and what’s been cooked up.


What are the biggest cybersecurity challenges those in leadership roles are facing?

There’s a lot. You see headlines about new threats, successful attacks or new areas of focus all the time. This can often create a sense of “security overwhelm”. The cybersecurity space is fast-moving: there are new threats, new environments to protect and new technologies constantly changing the picture. Staying educated and abreast of all of this is good practice for sure, but often this can lead to a sense of overwhelm.

Insight and awareness are good, but remember that vendors contribute to this – they’ll highlight the threats or trends most relevant to their solution or service. To combat this, you need to bring it back to your organisation. What are the crown jewels to defend? What data is the most important to protect, and what applications would hamstring the business if they went down? Start there and move outward.

Even then, the list of technologies to implement, or processes to update, is sometimes daunting. It can be hard to know where to start. The most important thing is to start. There can be so many priorities or mission-criticals that it can lead to inaction; you might not be able to do everything in a day, but it’s always better to patch a few things or put contingency plans in place than do nothing.

What are some prevention strategies you believe every business should adopt?

Despite cyber threats getting more advanced and scarier all the time, basic principles still make a difference. Regular software patches, employee training, good data hygiene across the business, and strong firewalls and antivirus all still make a difference.

However, you can’t stop at prevention anymore. Things will slip through the cracks, so you have to be prepared to deal with anything that does. The first step in this is having A-grade threat detection. Sometimes this will stop attacks before they happen, but other times it will catch an active incident – like a breach or a DDoS attack – early. Like a physical illness, the earlier you spot it, the easier it is to treat. Some ransomware attackers, for example, can be inside a system for months before encrypting files and springing the trap properly.

Once you’re made aware of an attack, then it comes down to how good your incident response processes and tools are. Exactly what this looks like will depend on the nature of the incident. Ransomware, for example, is all about having backup and recovery processes in place, but a DDoS attack comes down to your system availability, redundancies and direct mitigation tools.


What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good?

GenAI removes barriers for the threat actors. It can help with social engineering, target reconnaissance and coding. First and foremost, this lowers the bar of entry for would-be-attackers, helping bridge the skills gap needed to, say, code ransomware or search for vulnerabilities in a system.

The other barrier it removes is the language barrier. When it comes to social engineering like phishing, those poorly written and easily seen-through emails in bad English are a thing of the past. GenAI will make social engineering far more effective, making training and data hygiene more important than ever. 

Any tools that allow attackers to amplify their impact without having to commit as many resources (time, money etc) will always be popular with threat actors. That’s why in the DDoS space we see such a proliferation of (the appropriately named) amplification attacks which create attacks far larger than the resources you have to put in. GenAI ticks this box, and it’s also readily available.

While it does have uses for security, it is AI of the broader definition (not strictly “generative” like ChatGPT) that could have the biggest impact. Security solutions are increasingly leveraging machine learning and AI to detect, mitigate and adapt to threats in real-time. This was happening way before generative AI became a household term, but the tech will continue to develop and improve.

Which cybersecurity best practices are being adopted with the most success by companies?

There are very few one-size-fits-all strategies for security. There are some, like zero-trust, but exactly what this looks like depends on the organisation and the environment. It could quickly become a buzzword – something an organisation says but doesn’t really do.

Still, at a higher level, frameworks are useful to ensure you have a holistic approach that doesn’t leave gaps. For example, most are familiar with people, processes and technology when it comes to security culture. It gets talked about a lot, but that’s a good thing. It shows our collective understanding as an industry, that you can’t be secure by just buying a solution or doing phishing training. You need to cover all three bases.

The other framework I’d like to see talked about more is the CIA triangle. No, not the US intelligence agency, but the information security framework. It stands for Confidentiality, Integrity and Availability.

Confidentiality is all about access and privacy, so things like multifactor authentication and encryption come into play. Integrity is how safe you keep data and systems. This isn’t just security but your ability to view and restore assets from things like injection. Finally, availability is something that can be slept on – outages and downtime from attacks like DDoS cost businesses a lot of money and can even be used to lower defences for other attacks.

So make sure your prevention strategies follow the rule of three. They need to cover people, processes and technology and ensure the integrity, confidentiality and availability of your systems and data.

Next, read Donny’s article on three technologies making critical infrastructure vulnerable.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.
