Beyond Passwords: Navigating The Future of Digital Identity in an AI-Driven World

In January 2024, the UK engineering group Arup fell victim to one of the world’s biggest known deepfake scams, losing HK$200 million ($25 million) in a sophisticated cyber attack. The incident serves as a stark warning to business leaders about the evolving nature of cyber threats in the age of artificial intelligence.

Fraudsters used a digitally cloned version of a senior manager to order financial transfers during a video conference. The scam unfolded when a staff member received a message purportedly from the UK-based chief financial officer about a “confidential transaction.” The employee then participated in a video conference with what appeared to be the CFO and other company employees—all of whom were digital clones created using deepfake technology.

Etay Maor, Chief Security Strategist at Cato Networks, headquartered in Tel Aviv, comments on the alarming nature of such incidents: “We’re repeating the same cycle we went through 15-20 years ago with application security issues. We’re rushing to implement new technologies without fully considering the risks. And we only address these risks after breaches occur, after attacks happen, after the damage is done.”

The Arup case underscores several critical points for business leaders:

The rapid evolution of AI-powered threats

Deepfake technology has advanced to the point where it can convincingly mimic trusted individuals in real-time video conversations.

The persistent human element in cybersecurity

Despite sophisticated technology, the attack succeeded due to human trust and decision-making.

The need for multi-layered authentication

Relying solely on visual and audio cues for identity verification is no longer sufficient in the age of deepfakes.

The importance of robust internal controls

Even with convincing impersonation, proper financial controls and verification processes could have prevented or limited the damage.

For decades, passwords have been the primary authentication method for digital systems. However, as Kai Roer, CEO and Founder of Praxis Security Labs, points out: “Having advised organizations about their security culture since the 1990s, it is somewhat frustrating that 82 percent of breaches can still be traced to human factors.” The Norwegian’s statistic underscores a fundamental truth: passwords are a victim of human nature.

The human brain isn’t wired to remember complex strings of characters for multiple accounts. As a result, users often resort to weak, easily guessable passwords or reuse the same password across multiple platforms. This behavior creates a domino effect, where a single compromised account can lead to widespread security breaches.

While passwords may seem like a cost-effective security solution, the reality is far from it. Kiser stresses the hidden costs associated with password-based systems.

These hidden costs include IT support for password resets, lost productivity due to forgotten passwords, and the potential financial and reputation damage from security breaches. As these costs continue to mount, it’s clear that passwords are not just a security liability but also a significant financial burden for organizations.

“Many business leaders think that buying new technology solutions is the answer,” says Roer, regarded as the foremost authority on security culture. “But ransomware-related payments skyrocketed to $1.2 trillion in 2021—up from $416 billion the previous year. That hockey-stick illustrates that the tech solutions are not working.”

He argues there has been “too much focus on technology in the cybersecurity space.” People and processes have been dwarfed by comparison. “It’s time to rebalance those three parts,” he continues. “The elephant in the room is that no matter how much you train your employees, you will never wholly reduce the chance of being breached. It is inevitable.”

So what can organizations do to better prepare colleagues whose priority is not security?

Providing them with the agency to act is critical, states Roer. “The security team’s role is to secure business continuity, yet this is one of the most neglected areas across the industry,” he says. “Naturally, people have emotions, and when things go wrong, they fear doing—or even losing—their jobs. If not prepared, it can be hard to control communication at times of stress.”

Roer suggests that cybersecurity training, including phishing exercises, should be used like fire drills. “We have those not to prevent fires but to know what to do in that scenario. Building a more robust human firewall and improving the security culture will make everyone feel safer when a breach inevitably happens.”

Nudge theory, a concept in behavioral science, offers valuable insights for improving cybersecurity practices. Ward explains: “This is the theory behind the fact that you can say to people, stop and think, but they literally cannot. That is not how brains work.”

The core principle of nudge theory is that small changes in the environment or context can significantly influence human behavior. In the realm of cybersecurity, this approach can be used to:

• Encourage better password hygiene
• Promote the adoption of multi-factor authentication
• Increase awareness of phishing and social engineering attacks
• Foster a culture of security within organizations

Here are some practical applications of nudge theory, in a security setting:

Default settings
By making secure options the default, organizations can leverage the power of inertia to improve security. For example, MFA can be enabled by default for all user accounts.

Visual cues
Using color-coding or icons to highlight potential security risks can help users make better decisions. Ward provides an example. “When you’re about to click on a potentially risky link, we provide a subtle nudge—a small visual cue or prompt. We’re not preventing you from clicking but rather empowering you to pause and consider the safety of your action. This gentle reminder encourages you to think critically about potential security risks before proceeding.”

Timely prompts
Delivering security reminders at the point of action can be more effective than periodic training sessions. Ward notes: “You want your guidance and instructions to be as close to the point of risk as possible.”

Social proof
Highlighting peers’ positive security behaviors of peers can encourage others to follow suit. For instance, displaying messages like “90 percent of your colleagues have already enabled two-factor authentication” can motivate action.

Framing 
Presenting security measures in terms of potential losses rather than gains can be more compelling.

As Roer and Ward suggest, one of the most crucial aspects of implementing new security measures is fostering a culture of cybersecurity within the organization. This involves implementing new technologies and empowering employees with the knowledge and tools to make secure decisions.

Ward stresses the importance of this approach. “If you tell employees that cybersecurity is their responsibility but don’t give them the tools or knowledge to address security issues, you create more problems than you’re solving. To truly make security everyone’s responsibility, you must empower people with the authority and the capability to take effective action.”

To create a strong cybersecurity culture, organizations should:

• Provide regular, engaging training sessions on cybersecurity best practices
• Encourage open communication about security concerns and incidents
• Lead by example, with management demonstrating strong security behaviors
• Recognize and reward employees who consistently demonstrate good security practices
• Integrate security considerations into all aspects of the business, not just IT

“We need to change our approach to consider security and risk management from the beginning of any new technology project,” adds Roer. “Instead of treating security as an afterthought, it should be an integral part of the development process, alongside discussions about functionality and innovation."