A deepfake scam earlier this month targeting one of the world’s largest advertising companies, WPP, is just one of the more recent incidents in an increasingly sophisticated wave of cyberattacks that use AI.
The attack, which was unsuccessful, impersonated WPP CEO Mark Read using a fake WhatsApp account and a voice clone based on publicly available YouTube footage of him. It targeted one of the employees (an agency head) by inviting them to an online Teams meeting with someone they believed to be Read, and another senior executive.
According to Read, the hackers set up the Teams meeting on the pretext of asking the employee to set up a new business – their real motive being to extract the employee’s personal details and money.
Following the attack, Read sent out an email to all employees, alerting them to the recent attack and reminding them to be vigilant against any communications that demanded some form of underhanded transaction.
“We have seen increasing sophistication in the cyber-attacks on our colleagues, and those targeted at senior leaders in particular,” he wrote. “Just because the account has my photo doesn’t mean it’s me.”
The sophistication in recent deepfake attempts noted by Read is part of a broader pattern in the emerging cyberthreat landscape, with hackers generally finding increasing success in AI-enabled impersonation tactics. According to Steve Bradford, Senior Vice President EMEA at Sailpoint, this means that employees are usually the target.
“From ransomware, phishing and targeted social engineering to the rise of AI-fueled deepfakes, we are seeing hackers employ increasingly sophisticated tactics to steal sensitive business information in the pursuit of lucrative returns. Many of these attacks, at their root, come down to some sort of compromised identity, meaning employees are often the target.”
Steve Bradford, Vice President EMEA at Sailpoint
Risk awareness among employees
The deepfake attack on WPP was unsuccessful thanks to the vigilance of the employees involved. Could this be a sign that the investment that many businesses have started to put into cybersecurity training for employees is starting to pay off?
According to its Annual Report 2023, WPP had implemented cybersecurity training for its employees prior to the recent deepfake attack, indicating that such training initiatives can make a real difference and are worthwhile investments for businesses.
But if employees are generally becoming more vigilant around cybersecurity risks, there may also be other factors underlying this trend. Audra Streetman, Security Strategist at Splunk, shares her perspective on the current state of employee risk awareness.
“I believe employees have become more aware of emerging threats like AI-generated deepfakes because stories of deepfake scams and attacks are making headlines. As people begin to integrate technology like AI and large language models into their day-to-day work, they become more aware of ways that this technology can be abused for fraud or extortion.”
Audra Streetman, Security Strategist at Splunk SURGe
The impact of the background developments Audra mentions here, such as widespread news coverage of cyberattacks and growing employee familiarity with AI tools, has been largely overlooked in reports outlining cybersecurity best practices. Yet they represent potentially significant ways that employees are passively learning about cybersecurity and becoming more risk-aware with practically zero effort. Businesses are thus presented with two simple ways of increasing cybersecurity awareness in their workforce: (1) promoting awareness and discussion of recent cyberattacks, and (2) educating employees on how AI can be used for various tasks, allowing them to safely experiment with it in their job.
However, as absorbing headline news and experimenting with AI’s abilities are passive, unfocused learning methods, they are unlikely to have as much impact as proactive cybersecurity training initiatives, the benefits of which, according to experts, cannot be overstated.
“Awareness training can also go a long way in teaching employees how to spot deepfakes and also implement basic cybersecurity measures like multi-factor authentication.”
Audra Streetman, Security Strategist at Splunk SURGe
“Increased awareness surrounding attacks means greater recognition by businesses and employees of the irrevocable damage these can cause. As such, more businesses are focused on ensuring employees constantly exercise best practice. This means providing the necessary training to help staff recognise and deal with any suspicious requests.”
Steve Bradford, Vice President EMEA at Sailpoint
As Steve highlights here, training is one of the most effective ways to ensure that employees are kept up to speed on the best cybersecurity practices and are consistently using them. Nevertheless, he acknowledges the key role that awareness plays in motivating businesses and employees to implement these practices. As such, activities that help us to understand the scale of damage that cyberattacks can cause, such as passively browsing deepfake headlines in the news or creatively engaging with AI tools, certainly have their place in promoting a holistic workplace culture that cultivates strong cybersecurity practices and risk awareness.
WPP takes this approach, providing not just a one-off cybersecurity training initiative, but a holistic set of AI and data-centred training programmes. As the company states on one of its webpages, it is collaborating with the University of Oxford and other partners including Microsoft, Google, and Salesforce, to deliver bespoke courses in data and AI for its employees.
Overall, given the presence of AI in nearly every aspect of work and daily life, businesses will benefit from adopting a more holistic approach to cybersecurity, promoting both proactive training programmes and passive learning methods. By ensuring that employees are educated on how AI tools work and what they can be used to achieve, businesses are equipping them with an intuitive risk-awareness of cyberthreats, while at the same time empowering them to utilize the technology in a safe manner in their own work.
Is there an emerging risk awareness gap?
In the case of WPP, it was senior employees who were targeted in the deepfake scam. This is not unusual, since for hackers, there are several reasons to target employees in more senior roles:
- Senior employees are likely to be wealthier than their junior counterparts, making them a bigger target for financial exploitation.
- Their credentials can allow the hackers to access higher-level and more restricted company data.
- Senior employees are more likely than other employees to have contact with the company CEO and other C-suite members – these figures are typically the easiest for hackers to impersonate due to their more public profiles.
Senior employees typically also have some kind of management role. Often, this involves training and educating other employees about various forms of workplace misconduct. For this reason, you would expect them to have a high level of vigilance and risk-awareness themselves.
However, a recent survey from compliance company Skillcast has revealed a surprising workplace misconduct awareness gap between managers and non-managers. The survey, which was conducted among 2,000 UK employees, found that managers actually had less awareness than non-managers about several forms of misconduct including fraud, theft, data breaches, and bribery.
Some of the most significant statistics are highlighted below:
- 54% of managers were unaware that the theft of a work computer constitutes a data breach.
- In a task that required respondents to differentiate between misconduct incidents and non-misconduct issues, there was a difference of 19% in correct answers between managers and non-managers.
- In more specific questions on particular types of misconduct, such as data breaches, this gap widened to 21%.
In response to the findings, Skillcast CEO Vivek Dodds has called for businesses to prioritize implementing comprehensive training programmes to promote cybersecurity awareness, particularly among managerial staff.
“Junior staff learn from managerial staff in the workplace, and whilst our study found that non-managers are more aware of misconduct, managers reinforcing misinformation may lead to the wider workplace falling behind on compliance.”
Vivek Dodds, Skillcast CEO
Additionally, Security Strategist Audra Streetman shares an external perspective on these findings, suggesting some potential reasons behind the awareness gap.
“It’s concerning that more than half of managers in the Skillcast survey were unable to recognize instances of bribery. The disconnect could be due to training initiatives developed and mandated for employees but not managers. Employees and managers are targeted in different types of attacks. For instance, deepfake scams may try to trick an employee into thinking that they’re speaking with an executive, whereas spear phishing emails may target the executive directly. This is why it’s important for people in all roles to be familiar with cyber threats and how to identify potential attacks.”
Audra Streetman, Security Strategist at Splunk SURGe
Concluding thoughts
In sum, it is crucial for businesses to educate employees at all levels of seniority about the diverse tactics that hackers are using to trip up their targets. The workplace misconduct awareness gap revealed by the Skillcast survey indicates that current training initiatives may not be comprehensive enough to cover all staff members. This points to a lack of investment in cybersecurity training, with budget constraints or laziness leading businesses to overlook the training of managers because they assume that managers have greater awareness of workplace misconduct issues simply due to the nature of their role.
However, investment in managerial training is in fact one of the best holistic investments that businesses can make. Even for those under budget constraints, investing in the education of managers should be a top priority because it will reap more benefits further down the chain. Employees look to their managers for guidance on priorities; without managers who are themselves well-educated about the importance of cybersecurity, efforts to ensure that employees are taking the risk seriously and implementing best practices will see little success.