By Goh Liang Kwang
It's getting hard to tell what's real these days. The latest addition to the recent streak of deepfakes saw scammers successfully dupe an employee into a million-dollar transaction by impersonating a Hong Kong company's Chief Financial Officer (CFO) and other colleagues on a video call. While deepfakes are a concerning development, the threat they pose is a symptom of a wider issue: the unpreparedness of individuals and organisations to counter increasingly sophisticated social engineering scams. It is only natural that the tactics of malicious actors evolve as technology does. Consequently, we need a multi-layered defence strategy that goes beyond spotting pixelated faces on video calls.
As the Hong Kong case demonstrated, human fallibility and weak internal governance remain key vulnerabilities when deception hides in plain sight. Even the most sophisticated technology can be bypassed if internal processes and employee awareness are lacking.
This is where Governance, Risk Management, and Compliance (GRC) steps in, offering a robust framework to combat not just deepfakes but the entire spectrum of social engineering threats. As the name suggests, its three pillars form one integrated strategy that enables organisations to minimise their exposure to attacks by managing risks effectively, implementing comprehensive controls, and maintaining defensive protocols that allow a prompt, organisation-wide response to any attack.
Implementing a GRC strategy against cyber threats involves a total systems approach in which every business function is taken into consideration, so that attacks can be anticipated from any direction. This blends with concepts that may be familiar to data protection professionals, such as Data Protection by Design and Data Protection by Default. Within these frameworks, an organisation thoroughly analyses its business processes for risks and creates a governance infrastructure that establishes robust controls against digital deception. All of this is done while considering the security implications of every business process from the outset, so as to minimise the vulnerabilities attackers can exploit.
The strength and success of the GRC model comes from the concerted engagement of all internal and external stakeholders (e.g. third-party contractors, vendors) to fortify and maintain internal safeguards and tackle threats of attack. From boardroom executives to ground-level staff, everyone has a role to play in upholding each GRC pillar, and there are accompanying measures that can be taken in each pillar to form a total defence.
Leadership plays a crucial role in prioritising data governance and cybersecurity, including integrating GRC principles into the concept of "Total Defence" to create a sustainable organisational culture of online safety. Leaders must actively champion digital security by allocating resources to it, making it a core agenda item in regular management reports and mandating active monitoring. Fast-changing scam tactics empowered by AI require a dynamic and systematic defence strategy, paired with effective implementation. With leadership driving such initiatives, every stakeholder, such as HR, IT, Finance and contractors, is drawn into the commitment and understands their role in the defence.
In Risk Management, vigilance in identifying risks, coupled with effectively designed controls to mitigate them, is crucial. Deepfakes leverage social engineering tactics, so running scam awareness campaigns through staff training and conducting regular Vulnerability Assessment and Penetration Tests (VAPTs) are vital to reduce attack surfaces. Running table-top simulations to test staff preparedness also helps identify existing gaps in their knowledge and awareness of such threats, so that their training can be reinforced where needed. Employees must be equipped with healthy skepticism to identify suspicious activity and report it immediately; this can be an effective measure to deter and identify insider threat situations too. On top of training programs, organisations may keep abreast of evolving scam tactics and cyber threats by subscribing to security reports and news from authoritative sources.
When it comes to operationalising vigilance, organisations may employ the Zero Trust security model as well. This means not trusting any entity or piece of content until it is verified, and having the ability to detect telltale signs of fraud. Employees must verify every entity and communication (e.g. emails, video calls) through multiple channels before granting access or acting on requests. For instance, validation must be based on correct identification and authentication, as well as the necessary approval from higher-ups, before access is granted to the entity. These are called process controls, which are just one of three kinds of controls that can be put in place to mitigate risks. Here are some examples:
Running the gamut of these controls is part of a total defence approach to fortifying your organisation. GRC demands a layered defence, and such multi-pronged considerations are integral to it. In particular, organisations should employ the Swiss Cheese Model for Defence-in-Depth, whereby multiple layers of defence are present so that if one line of defence is compromised, additional layers exist as reinforcements to ensure that threats are stopped along the way.
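The process controls described above (identification, authentication, approval from higher-ups) and the layered Swiss Cheese idea can be made concrete as a chain of independent checks that a payment instruction must pass before it is executed. The following is an added illustration written for this article, not code from DPEX Network or from any real finance system; the thresholds, the approver roles, the request fields and the two sample requests are all constructed for the example. Each control is its own "slice": a request that slips through one (say, a convincing video call) is still caught by another (no independent callback, no second approver).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed policy values for this example. Real thresholds and roles would
# come from the organisation's own risk assessment and approval matrix.
CALLBACK_THRESHOLD = 10_000        # amounts at or above this need out-of-band confirmation
DUAL_APPROVAL_THRESHOLD = 50_000   # amounts at or above this need two distinct approvers
AUTHORISED_APPROVERS = {"finance_manager", "controller", "treasurer"}  # constructed roles
ELECTRONIC_CHANNELS = {"email", "chat", "video_call", "phone"}


@dataclass(frozen=True)
class PaymentRequest:
    requester: str               # identity claimed by whoever issued the instruction
    channel: str                 # channel the instruction arrived on
    amount: float
    beneficiary_known: bool      # beneficiary already on the vetted vendor list?
    approvers: Tuple[str, ...]   # who signed off on the payment
    callback_verified: bool      # confirmed by calling a number taken from the staff
                                 # directory, never a number supplied in the request


def control_out_of_band(req: PaymentRequest) -> Optional[str]:
    """Slice 1: electronically received instructions must be confirmed through an
    independent channel above the threshold or whenever the beneficiary is new."""
    needs_callback = req.amount >= CALLBACK_THRESHOLD or not req.beneficiary_known
    if req.channel in ELECTRONIC_CHANNELS and needs_callback and not req.callback_verified:
        return "out-of-band verification missing"
    return None


def control_segregation_of_duties(req: PaymentRequest) -> Optional[str]:
    """Slice 2: the person asking for the payment may not approve it."""
    if req.requester in req.approvers:
        return "requester cannot approve own request"
    return None


def control_approver_authority(req: PaymentRequest) -> Optional[str]:
    """Slice 3: every approver must hold an authorised role (identification +
    authentication are assumed to have happened before the role is trusted)."""
    unknown = [a for a in req.approvers if a not in AUTHORISED_APPROVERS]
    if unknown:
        return "unauthorised approver(s): " + ", ".join(unknown)
    return None


def control_dual_approval(req: PaymentRequest) -> Optional[str]:
    """Slice 4: large amounts need two different people to sign off."""
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        return "two distinct approvers required above threshold"
    return None


# The order of the slices is the order in which failures are reported.
CONTROLS: List[Callable[[PaymentRequest], Optional[str]]] = [
    control_out_of_band,
    control_segregation_of_duties,
    control_approver_authority,
    control_dual_approval,
]


def failed_controls(req: PaymentRequest) -> List[str]:
    """Run every slice and collect the reasons that failed (empty list = all passed)."""
    return [reason for reason in (control(req) for control in CONTROLS) if reason is not None]


def may_execute(req: PaymentRequest) -> bool:
    """The payment proceeds only when no layer objects."""
    return not failed_controls(req)


# Constructed sample requests. The first mirrors the shape of a deepfake-style
# instruction: a senior title on a video call, a new beneficiary, no callback,
# and the "CFO" acting as the only approver.
DEEPFAKE_STYLE = PaymentRequest(
    requester="cfo", channel="video_call", amount=2_000_000,
    beneficiary_known=False, approvers=("cfo",), callback_verified=False,
)
LEGITIMATE = PaymentRequest(
    requester="cfo", channel="email", amount=2_000_000,
    beneficiary_known=True, approvers=("finance_manager", "controller"), callback_verified=True,
)

if __name__ == "__main__":
    for name, req in (("deepfake-style", DEEPFAKE_STYLE), ("legitimate", LEGITIMATE)):
        print(name, "->", "EXECUTE" if may_execute(req) else "BLOCKED", failed_controls(req))
```

The point of reporting every failed slice rather than stopping at the first is auditability: the compliance function can see which layers are actually doing the work and which are routinely bypassed, which is exactly the control-effectiveness evidence the monitoring cycle later in this article depends on.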
To make an organisation's mitigating controls count, it is key to ensure that all policies and protocols are successfully implemented and adhered to. Effective implementation hinges on tracking and identifying compliance risks and promptly addressing them. This involves monitoring how well every department follows through on these steps: identifying risks, designing controls, assessing control effectiveness, auditing implementation effectiveness and finally addressing any residual risk.
Remember to collaborate with external stakeholders (e.g. partners, vendors) as well, to ensure that they too have strong security measures in place when playing their part in safeguarding the organisation.
In summary, you can think of GRC as a three-pronged defence against cyber threats:
The Hong Kong case demonstrated the necessity of stringent, multi-layered internal due diligence before executing financial transactions. It also highlights just how sophisticated scams have become now that the power of generative AI is accessible to everyone.
Therefore, aside from having a strong GRC posture, all members of an organisation must exercise constant vigilance. Here are some suggested steps one can take to determine if video calls are genuine or fake, as recommended by members of our DPEX Network community:
GRC is anything but reactive; it is about proactive prevention. By taking a holistic approach and staying updated with the latest strategies in Governance, Risk Management and Compliance, you can safeguard your organisation against deepfakes and other social engineering scams. Remember, vigilance, proactive measures, and collaboration with all stakeholders are key to navigating the digital realm with confidence in the face of nefarious activities.
Capabara, our Next-Gen AI Capability-as-a-Service platform, is currently available on beta. Sign up as a beta user, and stay tuned to our latest announcements on its development by following CAPABARA on LinkedIn or heading over to capabara.com to find out more about how it can empower your organisation.
This article was first published on our LinkedIn Newsletter, The Governance Age, on 20 Feb 2024.