{"id":251148,"date":"2024-05-20T11:48:19","date_gmt":"2024-05-20T11:48:19","guid":{"rendered":"https:\/\/aijourn.com\/?p=251148"},"modified":"2024-05-20T13:14:35","modified_gmt":"2024-05-20T13:14:35","slug":"are-employees-becoming-more-cyberthreat-savvy","status":"publish","type":"post","link":"https:\/\/aijourn.com\/are-employees-becoming-more-cyberthreat-savvy\/","title":{"rendered":"Are employees becoming more cyberthreat-savvy?"},"content":{"rendered":"\n

A deepfake scam earlier this month targeting one of the world\u2019s largest advertising companies, WPP<\/a>, is just one of the more recent incidents in an increasingly sophisticated wave of cyberattacks that have been utilizing AI for hacking purposes.<\/p>\n\n\n\n

The attack, which was unsuccessful, impersonated WPP CEO, Mark Read, using a false WhatsApp account and a voice clone based on publicly available YouTube footage of him. It targeted one of the employees (an agency head) by inviting them to an online Teams meeting with who they thought was Read, and another senior executive.<\/p>\n\n\n\n

According to Read, the hackers set up the Teams meeting with the pretext of asking the employee to set up a new business \u2013 their real motive being to extract the employee\u2019s personal details and money.  <\/p>\n\n\n\n

Following the attack, Read sent out an email<\/a> to all employees, alerting them to the recent attack and reminding them to be vigilant against any communications that demanded some form of underhanded transaction.<\/p>\n\n\n\n

\u201cWe have seen increasing sophistication in the cyber-attacks on our colleagues, and those targeted at senior leaders in particular,\u201d he wrote. \u201cJust because the account has my photo doesn\u2019t mean it\u2019s me.\u201d<\/p>\n\n\n\n

The sophistication in recent deepfake attempts noted by Read is part of a broader pattern in the emerging cyberthreat landscape, with hackers generally finding increasing success in AI-enabled impersonation tactics. According to Steve Bradford, Senior Vice President EMEA at Sailpoint, this means that employees are usually the target.<\/p>\n\n\n\n

\n

\u201cFrom ransomware, phishing and targeted social engineering to the rise of AI-fueled deepfakes, we are seeing hackers employ increasingly sophisticated tactics to steal sensitive business information in the pursuit of lucrative returns. Many of these attacks, at their root, come down to some sort of compromised identity, meaning employees are often the target.\u201d<\/p>\nSteve Bradford, Vice President EMEA at Sailpoint<\/cite><\/blockquote>\n\n\n\n

Risk awareness among employees<\/h2>\n\n\n\n

The deepfake attack on WPP was unsuccessful thanks to the vigilance of the employees involved. Could this be a sign that the investment that many businesses have started to put into cybersecurity training for employees is starting to pay off?<\/p>\n\n\n\n

According to its Annual Report 2023<\/a>, WPP had implemented cybersecurity training for its employees prior to the recent deepfake attack, indicating that such training initiatives can make a real difference and are worthwhile investments for businesses.<\/p>\n\n\n\n

But if employees are generally becoming more vigilant around cybersecurity risks, there may also be other factors underlying this trend. Audra Streetman, Security Strategist at Splunk, shares her perspective on the current state of employee risk awareness.<\/p>\n\n\n\n

\n

\u201cI believe employees have become more aware of emerging threats like AI-generated deepfakes because stories of deepfake scams and attacks are making headlines. As people begin to integrate technology like AI and large language models into their day-to-day work, they become more aware of ways that this technology can be abused for fraud or extortion.\u201d<\/p>\nAudra Streetman, Security Strategist at Splunk SURGe<\/cite><\/blockquote>\n\n\n\n

The impact of background developments such as cyberattacks being widely reported on in the news and growing employee familiarity with AI tools, which Audra mentions here, has been largely overlooked in reports outlining cybersecurity best practices. Yet they represent potentially significant ways that employees are passively learning about cybersecurity, and becoming more risk-aware with practically zero-effort. Businesses are thus presented with two incredibly simple and easy ways of increasing cybersecurity awareness in their workforce: (1) promoting awareness and discussion of recent cyberattacks, and (2) educating employees on how AI can be used for various tasks, allowing them to safely experiment with it in their job.<\/p>\n\n\n\n

However, as absorbing headline news and experimenting with AI’s abilities are passive\/ unfocused learning methods, they are unlikely to have as much impact as proactive cybersecurity training initiatives, the benefits of which cannot be overstated by experts.<\/p>\n\n\n\n

\n

\u201cAwareness training can also go a long way in teaching employees how to spot deepfakes and also implement basic cybersecurity measures like multi-factor authentication.\u201d<\/p>\nAudra Streetman, Security Strategist at Splunk SURGe<\/cite><\/blockquote>\n\n\n\n

\n

\u201cIncreased awareness surrounding attacks means greater recognition by businesses and employees of the irrevocable damage these can cause. As such, more businesses are focused on ensuring employees constantly exercise best practice. This means providing the necessary training to help staff recognise and deal with any suspicious requests.\u201d<\/p>\nSteve Bradford, Vice President EMEA at Sailpoint<\/cite><\/blockquote>\n\n\n\n

As Steve highlights here, training is one of the most effective ways to ensure that employees are kept up-to-speed on the best cybersecurity practices and are consistently using them. Nevertheless, he acknowledges the key role that awareness plays in motivating businesses and employees to implement these practices. As such, activities that help us to understand the scale of damage that cyberattacks can cause, such as passively browsing deepfake headlines in the news, or creatively engaging with AI tools, certainly have their place in promoting a holistic workplace culture that cultivates strong cybersecurity practices and risk awareness.<\/p>\n\n\n\n

WPP takes this approach, providing not just a one-off cybersecurity training initiative, but a holistic set of AI and data-centred training programmes. As the company states on one of its webpages<\/a>, it is collaborating with the University of Oxford and other partners including Microsoft, Google, and Salesforce, to deliver bespoke courses in data and AI for its employees.<\/p>\n\n\n\n

Overall, given the presence of AI in nearly every aspect of work and daily life, businesses will benefit from adopting a more holistic approach to cybersecurity, promoting both proactive training programmes and passive learning methods. By ensuring that employees are educated on how AI tools work and what they can be used to achieve, businesses are equipping them with an intuitive risk-awareness of cyberthreats, while at the same time empowering them to utilize the technology in a safe manner in their own work.<\/p>\n\n\n\n

Is there an emerging risk awareness gap?<\/h2>\n\n\n\n

In the case of WPP, it was senior employees who were targeted in the deepfake scam. This is not unusual, since for hackers, there are several reasons to target employees in more senior roles:<\/p>\n\n\n\n