Deepfakes have become the second most common information security incident affecting UK businesses, with over a third of organisations experiencing such incidents in the past 12 months, according to new research by ISMS.online.
The findings show that nearly 32% of UK businesses have encountered deepfake security issues, placing them just behind malware infections in prevalence. This data comes from the ISMS.online State of Information Security report, which surveyed 502 people working in information security across ten sectors, including technology, manufacturing, education, energy, utilities, and healthcare.
The primary method of attack involving deepfakes appears to be business email compromise (BEC), where attackers use AI-powered voice and video-cloning technologies to trick recipients into making corporate fund transfers. Other possible uses include information and credential theft, reputational damage, or bypassing facial and voice recognition authentication systems.
The research also highlighted that 41% of UK businesses reported that partner data was the most compromised information in the past 12 months. This underlines the persistent risks posed by third-party vendors and suppliers. Furthermore, 79% of businesses experienced an information security incident originating from a third-party vendor or supply chain partner, marking a 22% increase from previous reports.
To combat these advanced threats, many companies are focusing on enhancing training and awareness. Nearly half of the respondents (47%) are placing more emphasis on employee education and awareness initiatives. Additionally, about 38% plan to increase financial allocations for securing supply chain and third-party vendor connections by up to 25% in the coming year.
Despite these efforts, employee errors continue to be a problem. The research noted that 34% of employees use their own devices (BYOD) without adequate security measures, and 30% do not properly secure sensitive information. These practices leave businesses vulnerable to cybercriminals leveraging sophisticated technologies like deepfakes.
Luke Dash, CEO of ISMS.online, remarked, “It is deeply concerning to see the number of organisations threatened by both deepfake and third-party vendor risks. To address these rising and more sophisticated threats, organisations must continue to build robust and effective information security foundations.” Dash also noted, “It is encouraging to see businesses investing in securing their supply chains and increasing employee awareness and training.”
Despite AI being part of the problem, there is optimism regarding its potential to improve data security. A significant portion of respondents are adopting AI and machine learning (ML) technologies to combat threats, although these efforts are still in their early stages. Just over a quarter (27%) have implemented AI and ML initiatives in the past 12 months, and a substantial majority (72%) believe that these technologies will enhance data security programmes.