Sam Peters, Chief Product Officer at ISMS.online: “Due to deepfakes, businesses also risk falling foul of regulatory compliance”

While deepfakes involving politicians tend to garner headlines, businesses need to be aware that they too may be at risk. And this turned into one of our big themes in our interview with Sam Peters, Chief Product Officer at ISMS.online.

“Cybercriminals can create convincing audio or video clips of senior executives, tricking employees into transferring funds or disclosing sensitive information,” he told us.

“These sophisticated attacks can result in significant financial losses and jeopardise the integrity of business operations.” And, he added, they could also affect your reputation and even mean you “fall foul” of regulatory compliance.

So what can you do about this insidious and growing threat? We’ll leave you to read the full interview to discover, but one thing is for sure: crossing your fingers and hoping your current strategies will continue to work simply won’t cut it.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity? 

I’m Sam Peters, Chief Product Officer at ISMS.online. I have nearly two decades of experience in information security and digital technology. 

Prior to my current role, I served as ISMS.online’s Chief Information Security Officer and Data Protection Officer, leading ongoing work to maintain ISO 27001 certifications alongside other essential information security standards. 

I started my career in digital roles in both the public and private sectors, working in finance, education and law enforcement. 

What are some cases of deepfakes being used that particularly concern you?  

As deepfake technology advances, it presents significant challenges and threats to businesses across various sectors. The potential for misuse is alarming, particularly regarding cybersecurity, financial stability and corporate reputation.

ISMS.online recently released our State of Information Security Report, in which 30% of respondents stated their organisation had already been targeted by AI-powered deepfake attacks in the last 12 months. This highlights just how seriously this attack vector should be taken. It’s not science fiction; it’s happening and impacting businesses now. 

One of the most immediate and pressing concerns is using deepfakes in business email compromise (BEC) and social engineering attacks. Cybercriminals can create convincing audio or video clips of senior executives, tricking employees into transferring funds or disclosing sensitive information. These sophisticated attacks can result in significant financial losses and jeopardise the integrity of business operations.

Deepfakes also threaten market stability. Imagine a fabricated video of a CEO announcing a false bankruptcy or significant scandal. Such misinformation can manipulate stock prices, leading to financial turmoil for the company and its investors. This economic manipulation undermines market trust and can have long-lasting repercussions for businesses.

A well-crafted deepfake can cause immense damage to a company’s reputation. False videos or audio recordings can spread misinformation about a company’s practices, executives, or products, leading to loss of customer trust, diminished brand value, and potential legal liabilities. The public relations fallout from such incidents can be extremely difficult to manage and recover from.

Due to deepfakes, businesses also risk falling foul of regulatory compliance. As regulations tighten around data protection and digital integrity, companies must ensure that their information security measures are robust enough to detect and prevent deepfake intrusions. Failure to comply with these regulations can result in hefty fines and further damage corporate credibility.

Deepfakes can disrupt internal security by creating employee mistrust. If employees cannot trust the authenticity of communications from senior management, it can lead to confusion, poor morale, and decreased productivity. Ensuring that all internal communications are secure and verifiable is crucial to maintaining a stable and trustworthy work environment.

What do you think are the best approaches to combating deepfakes? 

Combating the growing threat of deepfakes requires a comprehensive and multi-faceted approach. Organisations must adopt a combination of technological solutions, educational initiatives, and robust governance frameworks to address this issue effectively.

One of the most critical aspects of defending against deepfakes is recognising that they primarily rely on exploiting the human element within organisations. Deepfakes are designed to deceive individuals, making it essential for leaders to prioritise employee cybersecurity awareness and training programs. These initiatives should be reviewed regularly and updated to ensure alignment with the latest cyber threats, including deepfakes. To mitigate risks further, organisations must implement stringent access control policies. However, more than technology and employee awareness is required.

Organisations must also establish clear policies and guidelines for ethical use and deployment of AI technologies. ISO 42001 provides a comprehensive framework for AI governance, emphasising ethical use and accountability. By implementing this standard, organisations can ensure their AI development and deployment adhere to ethical guidelines and legal requirements, minimising the risk of deepfake misuse. Comprehensive risk assessments and mitigation strategies are vital components, allowing organisations to identify and address potential vulnerabilities related to AI technologies.

I think we will also see investment in developing advanced AI algorithms capable of detecting deepfakes by analysing inconsistencies and patterns that are difficult for humans to perceive. However, this currently comes at a cost, requires skill sets still being developed, and is not foolproof. I firmly believe investing in your staff, your information security and your AI management foundations as a business is far more cost-effective and will protect you in the long term. 

Implementing digital watermarking and cryptographic authentication techniques could also further help verify the authenticity and integrity of digital content.
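One concrete form of the cryptographic authentication Peters refers to, as an added example that is not from the interview or from ISMS.online: a messaging platform attaches a keyed manifest (sender, issue time, content hash) to an executive's voice clip, and the recipient's client verifies the tag, the content hash and the freshness before the clip is trusted. The shared key, the clip bytes, the addresses and the timestamps are constructed for the demo; a real deployment would keep the key in a key store and would typically use an asymmetric signature so that recipients cannot mint manifests themselves.

```python
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment the key lives in the
# messaging platform's key store, never in source code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # reject manifests older than this to blunt replay of genuine clips


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so sender and verifier MAC identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_content(key: bytes, data: bytes, sender: str, issued_at: int) -> dict:
    """Bind a clip to its sender and issue time: manifest plus HMAC-SHA256 tag."""
    manifest = {"sender": sender, "issued_at": issued_at, "sha256": hashlib.sha256(data).hexdigest()}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_content(key: bytes, data: bytes, envelope: dict, now: int, max_age: int = MAX_AGE_SECONDS) -> tuple:
    """Return (accepted, reason). Order matters: check the tag before trusting any manifest field."""
    manifest = envelope["manifest"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return False, "tag mismatch: manifest altered or not issued with this key"
    if not hmac.compare_digest(manifest["sha256"], hashlib.sha256(data).hexdigest()):
        return False, "digest mismatch: clip bytes differ from the signed manifest"
    if now - manifest["issued_at"] > max_age:
        return False, "stale manifest: possible replay of a genuine clip"
    return True, f"authentic clip from {manifest['sender']}"


# Constructed sample: stand-in bytes for an executive's voice message.
GENUINE_CLIP = b"RIFF....WAVE constructed audio payload: 'please approve the transfer'"
ISSUED_AT = 1_700_000_000
ENVELOPE = sign_content(DEMO_KEY, GENUINE_CLIP, "cfo@example.com", ISSUED_AT)


def run_checks() -> dict:
    """Exercise the verifier against the genuine clip and three tampering shapes."""
    tampered_clip = GENUINE_CLIP.replace(b"approve", b"expedite")
    forged = {"manifest": dict(ENVELOPE["manifest"], sender="ceo@example.com"), "tag": ENVELOPE["tag"]}
    return {
        "genuine": verify_content(DEMO_KEY, GENUINE_CLIP, ENVELOPE, now=ISSUED_AT + 10)[0],
        "tampered_clip": verify_content(DEMO_KEY, tampered_clip, ENVELOPE, now=ISSUED_AT + 10)[0],
        "forged_sender": verify_content(DEMO_KEY, GENUINE_CLIP, forged, now=ISSUED_AT + 10)[0],
        "replayed": verify_content(DEMO_KEY, GENUINE_CLIP, ENVELOPE, now=ISSUED_AT + 3600)[0],
    }


if __name__ == "__main__":
    for case, accepted in run_checks().items():
        print(f"{case:14s} -> {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; the altered clip, the relabelled sender and the hour-old replay are all rejected, which is the property a "verifiable internal communications" control needs.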

What are the biggest cybersecurity challenges those in leadership roles are facing? 

Our 2024 State of Information Security Report highlighted several critical findings regarding the cybersecurity challenges faced by senior leadership. They are navigating a complex landscape shaped by the aftermath of the pandemic, economic uncertainties, and the relentless push towards digital transformation. While crucial for sustainable growth and operational efficiency, this journey has significantly expanded the digital attack surface.

Some of the critical data included:

As organisations engage more with third-party suppliers and specialists, managing vendor and third-party risk emerged as the top cybersecurity challenge, cited by 38% of our respondents. These partnerships, though valuable, introduce new vulnerabilities that must be managed diligently.

The complexity of global supply chains, heavily reliant on IT systems, presents significant cybersecurity challenges. Two-thirds (64%) of respondents reported that supply chain information security risks are becoming more common, with 79% admitting to at least one security incident in the past year related to third-party breaches.

Navigating the complex web of overlapping industry-specific and international regulations remains a significant challenge, as 33% of respondents cited compliance issues and highlighted difficulties in meeting diverse regulatory requirements across different regions as a challenge they are currently facing in information security.

The rapid pace of regulatory change adds another layer of complexity, with 65% of respondents finding it increasingly difficult to comply with information security best practices. Despite this, compliance remains critical for improving business reputation, reducing incidents, and achieving operational efficiencies.

What are some prevention strategies you believe every business should adopt?  

There are a number of essential prevention strategies that I believe every business should adopt to strengthen their cybersecurity posture, including implementing comprehensive cybersecurity awareness training for employees, establishing strong access controls and multi-factor authentication (MFA), keeping software and systems up to date with regular patching, deploying incident response, advanced endpoint detection and response (EDR) solutions, encrypting sensitive data at rest and in transit, establishing robust third-party risk management processes, and fostering a culture of cybersecurity across the organisation.

By implementing these prevention strategies, businesses can significantly reduce their risk exposure, improve their ability to detect and respond to threats and create a more resilient cybersecurity posture. However, it’s essential to recognise that cybersecurity is an ongoing process that requires continuous monitoring, adaptation, and improvement to keep pace with the risks.

ISO 27001 advocates for most of the prevention strategies I’ve mentioned. The standard outlines a comprehensive set of security controls and best practices organisations can adopt to protect their information assets and enables organisations to systematically work through, document and manage all the key areas of risk for their business.

By aligning with ISO 27001, organisations can demonstrate that they have implemented a comprehensive set of security controls and best practices that are globally recognised and accepted. This helps build trust with customers, partners, and other stakeholders and meet regulatory and contractual requirements for information security.

What role do you think governments play when it comes to cybersecurity? 

Governments play a crucial role in cybersecurity by providing necessary backing and decision-making in national cybersecurity strategy, incident response plans, and cybercrime-related laws. These elements are critical to protecting businesses and individuals against cyber-related threats.

However, cybersecurity should not solely fall on governments. Businesses must also take proactive measures to protect their critical information and infrastructure. Government support and guidance are often invaluable in this effort.

For example, government-backed schemes such as the UK’s Cyber Essentials Scheme help organisations evaluate and improve their security posture. The scheme’s self-assessment process allows businesses to protect against common cyber-attacks, implement technical controls, and reduce the risk of successful cyber incidents.

Governments set the legal framework and provide resources, while businesses implement these guidelines to safeguard their operations. This collaborative approach ensures a more secure digital environment for everyone.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.