ISMS.online: Deepfakes Now Rank as Second Most Common Information Security Incident for UK Businesses

Deepfakes are now the second most common information security incident encountered by UK businesses in the past year, trailing only behind malware infections. 

That's according to research by ISMS.online, the auditor-approved compliance platform, which found that over a third of businesses across the UK have experienced a deepfake security incident in the last 12 months.

ISMS.online’s State of Information Security 2024 report surveyed 502 people in the UK who work in information security across 10 sectors including technology, manufacturing, education, energy and utilities and healthcare.

The most likely scenario today for threat actors to use deepfakes is in business email compromise (BEC)-style attempts. Attackers use AI-powered voice and video-cloning technology to trick recipients into making corporate fund transfers.

However, there are possible use cases for information/credential theft, reputational damage or even to bypass facial and voice recognition authentication. And with partner data (41%) being cited as the most compromised in the past 12 months by UK respondents, more businesses need to be vigilant when it comes to the risks posed by their third-party vendors and suppliers, especially in light of these new, sophisticated attacks. 

Therefore, to counteract these increasingly advanced attacks, enhancing training and awareness is crucial across both the supply chain and internally.

Nearly half of the respondents (47%) acknowledged this by placing greater emphasis on employee education and awareness initiatives. In addition, nearly two-fifths (38%) said financial allocations for securing supply chain and third-party vendor connections are set to increase by up to 25% in the coming year – particularly as the research found that 79% of businesses have been impacted due to an information security incident caused by a third-party vendor or supply chain partner.

However, despite the heightened focus on training, the findings indicate that employee errors continue, with even well-trained employees facing challenges in identifying deepfakes. It was noted that employees continue to use their own devices (BYOD) without adequate security measures (34%), and 30% are not properly securing sensitive information. This deviation from best practices leaves businesses vulnerable to cybercriminals who may exploit these weaknesses with this increasingly sophisticated technology such as deepfakes. 

Luke Dash, CEO of ISMS.online said: “It is deeply concerning to see the number of organisations threatened by both deepfake and third-party vendor risks. To address these rising and more sophisticated threats, organisations must continue to build robust and effective information security foundations. However, it is encouraging to see businesses investing in securing their supply chains and increasing employee awareness and training. 

Despite AI being part of the problem, UK respondents are also adopting AI and ML technologies to thwart threats, though they are still in the early stages. Just over a quarter (27%) have put initiatives in place in the past 12 months, though a much larger majority (72%) agree that AI and ML will help to improve data security programmes.

“It’s still unclear how new, advanced technologies like AI and ML are going to change the data security landscape.

We are certain, however, that governments across the globe will push for more, not less, regulation. Standards like ISO 42001, which deals with AI, will help organisations provide assurances to partners, customers and regulators. Having these in place is truly essential to building a better business, longevity and financial success.”

Key Takeaways 

• Nearly 32% of UK businesses have experienced a deep fake security incident in the last 12 months, ranking the second most common information security incident in the country 
• 41% of UK businesses have stated that partner data has been the most compromised in the last 12 months - highlighting the persistent risks posed by suppliers 
• 79% of businesses have been impacted due to an information security incident caused by a third-party vendor or supply chain partner – an increase of 22% compared to 2023’s ‘State of Information Security’ research 
• Despite AI being part of the problem, 72% agree that AI and ML will help to improve data security programmes.

Methodology

ISMS.online commissioned a leading independent market research firm Censuswide to conduct the research. With a sample of 1,526 respondents who work in information security across the UK (502), USA (518) and Australia (506), the research uncovers the main information security and compliance challenges facing organisations in these regions.

The survey fieldwork took place between 22.03.2024 - 02.04.2024. For the full report, visit: https://www.isms.online/state-of-infosec-24/