Why GRC is Critical for Shielding Against Digital Deception

By Goh Liang Kwang, 

It’s getting hard to tell what’s real these days. The latest addition to the recent streak of deepfakes saw scammers successfully duping an employee into a million-dollar transaction by impersonating a Hong Kong company's Chief Financial Officer (CFO) and other colleagues via video call. While deepfakes are a concerning development, the threat they pose is symptomatic of a wider issue. That is, the unpreparedness of individuals and organisations in countering increasingly sophisticated social engineering scams. It is only natural that the tactics of malicious actors evolve as technology does. Consequently, it demands a multi-layered defence strategy from us that goes beyond just spotting pixelated faces on video calls.

As the case in Hong Kong demonstrated, human fallibility and weak internal governance remains a key vulnerability in averting deception hidden in plain sight. Even the most sophisticated technology can be bypassed if internal processes and employee awareness are lacking. 

This is where Governance, Risk Management, and Compliance (GRC) steps in, offering a robust framework to combat not just deepfakes, but the entire spectrum of social engineering threats. As the name suggests, its three pillars form a fully integrated strategy in enabling organisations to minimise their vulnerability to attacks by effectively managing risks, implementing comprehensive controls as well as defensive protocols to respond promptly to any attack holistically.

It Takes All Hands on Deck

The implementation of a GRC strategy against cyber threats involves a total systems approach where every business function is taken into consideration to anticipate attacks from any direction. This blends with concepts that may be familiar to data protection professionals, such as Data Protection by Design and Data Protection by Default. Within these frameworks, an organisation thoroughly analyses their business processes for risks, creates a governance infrastructure that establishes robust controls to tackle the dangers of digital deception. All this is done while considering the security implications of every business process from the outset so as to minimise the vulnerabilities attackers can exploit.

The strength and success of the GRC model comes from the concerted engagement of all internal and external stakeholders (e.g. third-party contractors, vendors) to fortify and maintain internal safeguards and tackle threats of attack. From boardroom executives to ground-level staff, everyone has a role to play in upholding each GRC pillar, and there are accompanying measures that can be taken in each pillar to form a total defence.

Commit to Governance from the Leadership Level

Leadership plays a crucial role in prioritising data governance and cybersecurity, including integrating GRC principles into the concept of ”Total Defence” to create a sustainable organisational culture of online safety. Leaders must actively champion digital security by allocating resources to it, making it a core agenda item in regular management reports and mandating active monitoring. This is because fast-changing scam tactics empowered by AI requires a dynamic and systematic defence strategy, paired with effective implementation. With leadership driving such initiatives, it elicits commitment from every stakeholder, such as HR, IT, Finance and contractors, and ensures they understand their roles in the defence.

Identify and Mitigate Risks with Multi-layered Controls

In Risk Management, vigilance in identifying risks, coupled with effectively-designed controls to mitigate them, is crucial. Deepfakes leverage social engineering tactics, so running scam awareness campaigns through staff training and conducting regular Vulnerability Assessment and Penetration Testings (VAPTs) are vital to reduce attack surfaces. Running table-top simulations to test staff preparedness can help identify existing gaps in their knowledge and awareness of such threats as well, so that reinforcements can be made to their education. Employees must be equipped with healthy skepticism to identify suspicious activity and report it immediately - this can be an effective measure to deter and identify insider threat situations too. On top of training programs, organisations may keep abreast of evolving scam tactics and cyber threats by subscribing to security reports and news from authoritative sources. 

When it comes to operationalising vigilance, organisations may employ the Zero Trust security model as well. This means not trusting any entity or piece of content until verified and having the ability to detect telltale signs of fraud. Employees must check every entity and communication (e.g. emails, video calls) before granting access or acting on requests through multiple channels. For instance, validation must be based on correct identification and authentication, as well as the necessary approval from higher ups before granting access to the entity. These are called process controls, which is just one of three kinds of controls that can be put in place to mitigate risks. Here are some examples:

1. Physical: Securing office premises and servers via physical protection measures. 
2. Technical: Installing technical access controls, such as biometric or card access methods and identity authentication controls with 2-factor authentication at minimum. Other examples include, firewalls, audit logs for various communication channels, having strong passwords or passkeys for secured databases, as well as network and device-level malware detection tools. 
3. Process: Establishing clear policies and procedures for sensitive or high-value transactions and implementing multi-layered controls like financial authorisation limits, transaction verification with a doer and checker approach, and regular auditing to prevent unauthorised actions.

Running the gamut of these controls is part of having a total defence approach in fortifying your organisation. GRC demands for a layered defence system and such multi-pronged considerations are integral to it. In particular, organisations should employ the Swiss Cheese Model for Defence-in-Depth, whereby multiple layers of defence are present so that if one line of defence is compromised, additional layers exist as reinforcements to ensure that threats are stopped along the way.

Ensure Successful Policy Implementation & Compliance 

To make an organisation’s mitigating controls count, it is key to ensure successful implementation of all policies and protocols and that they are adhered to. Effective implementation hinges on tracking and identifying compliance risks and promptly addressing them. This involves monitoring the compliance of all departments in following through these steps: identifying risks, designing controls, assessing control effectiveness, auditing implementation effectiveness and finally addressing any residual risk.

Remember to collaborate with external stakeholders (e.g. partners, vendors) as well, to ensure that they too have strong security measures in place when playing their part in safeguarding the organisation.

GRC in Action

In summary, you can think of GRC as a three-pronged defence against cyber threats:

1. Proactive: Educate, raise awareness, monitor threats, conduct VAPTs to gauge staff competency in protocols and their readiness in incident response.
2. Detective: Foster alertness to suspicious activities. Regular checks, audits, and anomaly detection are crucial. This requires continuous monitoring and response, as early detection of anomalies enables swift response, minimising losses and preventing future attacks. 
3. Responsive: Upon detecting an anomaly, report it, implement damage control protocols, and take corrective measures to prevent recurrence. 

Back to the Hong Kong Case

The Hong Kong Case demonstrated the necessity of stringent multi-layered internal due diligence before executing financial transactions. It also highlights just how sophisticated scams have become now that the power of generative AI has become accessible to everyone. 

Therefore, aside from having a strong GRC posture, all members of an organisation must exercise constant vigilance. Here are some suggested steps one can take to determine if video calls are genuine or fake, as recommended by members of our DPEX Network community:

1. Engage in casual conversation to determine the genuineness of the people on the other side of the video/online meeting.
2. Seek confirmation through official channels, like written communication, especially when dealing with finances. Never execute any instruction simply based on verbal instructions alone and always request for an official follow-up email to confirm the instruction. 
3. Maintain proper records for all processes in the organisation.
4. Set limits on approval levels for different transaction amounts.
5. Have clear policies for video conferencing platform usage, meeting initiation, and legitimacy checks.
6. Discreetly investigate possible insider threat actors who might be in cahoots with the external attackers

GRC is anything but reactive. It’s about proactive prevention. By taking a holistic approach and staying updated with the latest strategies in Governance, Risk Management and Compliance, you can safeguard your organisation against deepfakes and other social engineering scams. Remember, vigilance, proactive measures, and collaboration with all stakeholders are key to navigating with confidence against nefarious activities in the digital realm.

Capabara, our Next-Gen AI Capability-as-a-Service platform, is currently available on beta. Sign up as a beta user, and stay tuned to our latest announcements on its development by following CAPABARA on LinkedIn or heading over to capabara.com to find out more about how it can empower your organisation. 

This article was first published on our LinkedIn Newsletter, The Governance Age, on 20 Feb 2024.