When Twitter CEO Jack Dorsey's account was hacked for roughly 20 minutes, we all got a glimpse of corporate identity theft, and why it matters. While the takeover was by no means a major cyberevent (and the account was quickly recovered), the fact remained that the CEO of a major company lost control of his account on a service that he literally controls.
Around the same time, an Instagram phishing scheme was circulating where users were prompted via a spoofed Instagram email to enter their logins and passwords after they were sent a 2-Factor authentication code. Instead of logging into their actual Facebook-hosted accounts, they found themselves on a replica of a legit Instagram page hosted in the Central African Republic. It was exactly the kind of attack that makes hacks like the one perpetrated against Jack Dorsey possible, and, more to the point, it's why they happen literally every day.
Need more evidence? How about the unnamed CEO who was recently scammed to the tune of a couple hundred thousand dollars thanks to an audio deepfake that convincingly mimicked the voice of his boss--the CEO of a parent company--including the most subtle nuances of his German accent. The money was wired to Hungary, quickly transferred to Mexico and then dispersed amongst an untraceable number of other accounts.
Getting hacked is a fact of life, right up there with death and taxes. If you think you're somehow above this third certainty in life, you're all the more imperilled.
I could provide countless other examples, but they all boil down to a lesson that businesses are learning the hard way and what their customers already know: it's easier to fall prey to identity theft than it is to prevent it.
The Goals of Business Identity Theft
If stealing an individual's identity is lucrative, stealing a company's identity can be the motherlode. Even a midsized company often have in their possession the data of thousands of customers, contacts, and contractors; a single official-looking email can open the door to innumerable types of fraud, both internally and externally.
The attack doesn't need to focus directly on monetary prizes: the hijacking of Twitter's CEO's account garnered a lot of the wrong kind of publicity--and there is such a thing as bad publicity. In the hacking world, the prestige of making Jack Dorsey look foolish for twenty minutes most likely exceeds an anonymous hack of 100,000 accounts. Reputation is a powerful currency, and compromising the leadership of any company with an online presence represents a potent boost.
Consider what would happen were someone to hire that hacker to compromise a more important account--for saying's sake, President Trump's account. That control could actually affect world markets. The same could be said for hacks of any major leader in the public or private sectors. There is a huge financial upside to such hacking. It is crucial to bear this in mind at every moment of the day, and behave accordingly.
That said, data leaks, account takeovers and breaches start to look positively quaint in light of the potential sabotage represented by deepfakes.
People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence. Erratic behavior in the C-Suite can tank stock prices (just ask Elon Musk), and even crudely faked videos have gone viral (just ask Nancy Pelosi or Mark Zuckerberg).
We'll be seeing deliberate attempts to damage the reputations of businesses and their leadership as deepfake technology becomes more ubiquitous, and with that in mind it's time to level up.
What Businesses Can Do:
My advice for businesses faced with having their identities hijacked is similar to my advice for individuals--practice The Three Ms.
Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they're connecting to the company network remotely. It's often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it's important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport.
Manage the Damage: When it comes to a compromise of your company's identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR's 72 hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey's Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.