The Future of Combating Social Engineering (and Deepfakes)

Protecting employees starts with designing intelligent systems built with natural human behavior in mind.


As I have been working on building DeepTrust, the single resource I reference and come back to more than any other is Ross Haleliuk’s newsletter Venture in Security.

Recently I revisited what I consider to be one of the single best issues he has ever published: Security awareness won’t save us, and people will continue clicking on links (as they should)

While I highly recommend reading the entire newsletter, the premise can be distilled into a couple of key quotes:

“The struggle of securing companies has the same roots: people don’t like dealing with friction and will do anything possible to avoid it. Enterprise security teams tend to introduce a lot of friction, banning different tools, creating complex approval processes, forcing people to go through lengthy compliance paperwork just to implement a simple change to their workflow, and so on.”
“Security awareness is important but we must not place responsibility for security mistakes on people. Instead, knowing that people will do anything to avoid friction, we need to design security controls in such a way that makes the most secure behavior also the most efficient and frictionless”.
“The most important part to remember is that people are just that - people. They are emotional and easy to manipulate, prone to make silly mistakes, and willing to do anything to cut corners, avoid pain, and reduce friction. Although this may not sound as hopeful as some would like, this is the reality and it is this reality we should be designing our security defenses for.”

There is one final quote from an earlier related post of his that distills his entire argument into two sentences:

“We need to move the industry towards adopting a similar concept of people-centered security. Security is something that needs to happen with individuals, not to individuals.”

Chef’s kiss. The man doesn’t miss. These principles are central to everything I will discuss below.


Let’s start with the facts: Business is not a finite game, it is an infinite game.

There is no end and there is no “winning”. In business, like all infinite games, the goal is simply to keep playing.

Security teams are tasked with helping facilitate this: keeping the company “in the game”, so to speak, and ensuring that the company doesn’t die from losing, or losing access to, its money and assets (or its ability to accrue more money and assets).

Different companies will have different risk appetites and will plan, hire, and budget accordingly.

It is then up to the security teams to make the most of the resources they are given.


To every other non-security employee, security is an afterthought - as it should be.

When security enters their consciousness, it is generally due to one of a series of annoying additional tasks, tests, and general points of friction that make their life harder as they focus on the job they are paid to do.

As much as the security industry likes to champion the idea that “security is everyone’s responsibility” and security needs to “shift left”, the unfortunate reality is that incentives are not aligned to turn these dreams into a reality anytime soon.

Furthermore, in a well-run organization, all functions have clearly defined roles and responsibilities. There shouldn’t be an overlap. Security teams aren’t asked to go prospect new clients for the company. Likewise, a sales rep is not paid to secure the company; they are paid to drive revenue growth.

If security teams are going to ask others to help them protect the company (not their primary responsibility), then they need to make it easy for them to do so. Security systems and processes need to be architected in ways that make secure behavior easy and pre-integrated with existing workflows.

Too often security teams introduce additional friction which reduces the odds that employees from other departments will actually help. If something is annoying or time consuming, it is much more likely an employee will skip a step or circumvent a control.


This brings us to security awareness training.

I’m sure there is plenty of data indicating that security awareness training does help prevent breaches. There must be in order for it to be a compliance requirement in so many cases, and for there to be a whole industry built around it.

However, at its core, security awareness training attempts to educate employees on various security topics in order to leverage their perception, awareness, and judgement in protecting the organization in the event that an attacker exploits a gap in the implemented security tools and processes.

While this makes sense, and isn’t inherently bad, traditional security awareness training puts responsibility for security on those outside of the security team while requiring dedicated time from all employees in an organization to complete on a regular basis - time which could be spent working on their primary responsibilities.

Outside of this, traditional training still suffers from the challenges associated with relying on human beings:

“First and foremost, behavioral change is hard, and because human nature doesn’t change simply because we learn new facts, awareness is never enough. As someone smart said, “If awareness alone was enough, nobody would be smoking”.” - Ross Haleliuk

For organizations with small security teams and limited budgets, this very well might still make sense from a risk mitigation standpoint.

For larger organizations, regular cybersecurity training will likely continue to be a mandatory compliance requirement even if its effectiveness is up for debate.

However, while it might not go away, I do think that the coming years will see the function and delivery of security awareness training evolve.


AI is going to cause security teams to re-evaluate how much responsibility they place on employees in securing their organizations.

As it stands today, between 88% and 95% of breaches are caused by human error.

Generative AI is only making this worse as employees are being targeted with increasingly convincing social engineering and phishing attacks. AI is also allowing these attacks to expand to new vectors, with increasing numbers of voice phishing and deepfakes being seen on voice and video communication platforms like Zoom, Meet, and Teams.

With AI allowing social engineering and phishing attacks to increase in both volume and effectiveness, it’s becoming increasingly risky to rely on the ability of employees to identify and defend against these attacks when their very senses and psychology are under attack.

This is not to say that education and awareness aren’t important, they are, but education and awareness can no longer be relied upon as the only defense when it’s increasingly difficult for employees to discern what’s real and what’s fake.


Generative AI is a forcing function for a change that needed to happen a while ago.

Separate from the question of CAN employees be relied upon to defend against these attacks, there is the question of SHOULD they be relied on to defend against these attacks?

As employees have to increasingly question what is real and what is fake across text, voice, and video communications, they have to either slow down and question every interaction, or put the organization at risk.

This is not sustainable for businesses.

In all instances, security systems should work alongside employees instead of relying on the employees themselves for security.

Systems that protect employees shouldn’t just function as drivers of risk reduction, but of operational efficiency as well. Effective security systems should free up time. Employees should be empowered to quickly go about their business without having to slow down and question every interaction they have.


The future of security is dynamic and integrated directly into employee workflows with minimal friction.

We are already seeing this change in engineering with products like Wiz Code integrating security directly into the code development lifecycle, or email security with providers like Abnormal.

However this shift will increasingly extend to other areas of security.

Security training will evolve into security guidance. The delivery format will shift from static to real-time. Generalized advice will become personalized recommendations based on the exact risk an employee is encountering in that moment.


At DeepTrust, we are working to create this future when it comes to voice and video communications.

Post-COVID, voice and video communications have become essential to (almost) every business, with many companies operating distributed or remote workforces. These communication channels, especially video, have become central to all aspects of business and are utilized for conversations across business functions - from sales, to engineering, to customer support, and even for the executive team and the board.

However, in the rapid adoption of this new style of working, security was an afterthought - and rightfully so. After all, if you could see and hear someone, you could pretty much assume it was them.

But over the last year, generative AI has allowed phishing and social engineering to move onto these platforms.

It makes sense: if these platforms rely entirely upon users (employees) to enforce security, and users can now consistently be fooled using real-time deepfakes, it’s no wonder that attackers are beginning to target employees on these communication channels.

While security awareness training was the go-to solution for most organizations, the reality is that this is not sustainable for all of the reasons I have discussed above.

This is exactly why at DeepTrust we are focused on helping organizations defend these communication channels from social engineering and deepfakes, and doing so in a way that helps ensure that employees are empowered to go about their everyday business knowing that if they encounter a potential threat, they will be alerted and given prescriptive guidance in real time on how to navigate the situation.

In short, we allow the seamless integration of security into voice and video conversations in a way that minimizes disruption to employee workflows.

Real-time threat detection with real-time security guidance - across all core voice and video communication platforms.


At DeepTrust, we believe security should be human centric and designed with real people in mind.

For everyday employees, security should be easy, and not something they have to regularly think about. It shouldn’t introduce additional friction into their workflows, add additional responsibilities, or require additional time and training. It should just happen. Any threats targeting them should be identified on their behalf, and if there is a security related action they need to take, they should be told exactly what to do and why - in the moment when it’s relevant, not before.

For security teams, protecting employees from social engineering and phishing should be much easier with proper tool selection, tool quality, tool integration, and tool configuration. Security teams shouldn’t have to rely on the judgement and senses of employees to protect their organizations. Furthermore, security teams are busy, so the tools they work with shouldn’t just tell them when a threat is identified (and/or drown them in alerts), they should automatically take corrective action as well.


Central to DeepTrust is the understanding that deepfakes aren’t THE problem, they are just a tool aggravating existing problems.

Social engineering, phishing, fraud - these are all real problems being made worse by deepfakes. Understanding and focusing on the core problems allows us to take a comprehensive approach defending against each of them.

Importantly, it allows us to extend our call security beyond just deepfake detection because even though deepfakes are a factor in each of these threats, deepfakes themselves aren’t the underlying issue.

With this in mind, we built our voice and video call security platform to take numerous data points into consideration. Who is in the call? What platform is it on? What device is employee audio coming from? What is being said? Are sensitive actions or information being requested? Is someone being asked to deviate from company process or policy? Is there a deepfake being used?

All of these data points are analyzed continuously to identify potential threats and provide real-time tailored alerts and recommendations to both employees in calls and their security team.


I’ll close with an important acknowledgment.

At the end of the day, it is the individual security teams who are responsible for architecting effective security programs to protect their organizations with the resources they are given.

While our team at DeepTrust is working hard to help provide a solution that can assist security teams in their efforts, we are not, and never will be, a magic security “fix”.

We exist to help organizations reduce risk in our area of expertise - not to make false promises of absolute security.

I want to call this out specifically because far too many cybersecurity products are marketed in ways that misrepresent what they do, whether intentionally or not.

This is not us at DeepTrust.

If you are looking to reduce the risks associated with voice and video based social engineering and phishing for your organization, or are concerned about deepfakes, I’d love to chat. I think we can help.



A little about me…

I'm a co-founder at DeepTrust where we help security and fraud teams defend against social engineering and deepfakes. Integrating across VoIP services, DeepTrust works in real-time to identify high risk conversations, detect deepfakes, and provide just-in-time, prescriptive, security guidance to employees directly in their calls.


P.S. Substack is a much better platform for newsletters than LinkedIn. I encourage you to follow Noah's Ark there.

You can find Noah's Ark on Substack here.

Looking forward to seeing you there!

Noah

Al Ghous

CSO | Advisor | Investor

2 months

Ever more important going forward. Nice work!
