AI, deepfakes, and document fraud — we’ve asked experts what they believe are the most worrying security threats in coming months, and years. Be Aware. These insights can save your organisation time, money and valuable infrastructure.
Meet the experts:
Jan Olsson; Crime Commissioner at the National Cyber Security Center at the Swedish National Operative Department (NOA). Jan has worked in the Swedish police for over 30 years, 15 of which with an extra focus on internet-related crime with special expertise in fraud and complex cybercrime.
Carl Heath; Senior Researcher and Focus Manager for the Strategic Area of Resilient Information Systems at RISE (Research Institutes of Sweden). A Focus Area Manager aims to strengthen the conditions for a safe and resilient society in a digital age. Carl has a research interest in society’s structural digital transformation, mainly concerning issues connected to democracy, digital resilience, innovation and learning. Carl has been on the Swedish Government’s Special Counsel for the protection of democratic dialogue and today he’s a member of a Think Tank for the Nordic Council of Ministers regarding democracy and technology.
Ulf Gustavsson; Secretary General of the European Organization for Quality, EOQ. Previous assignments include Management and Board-positions at the Swedish Association for Quality, SFK, at telecom company Millicom, at Qvalify as well as IKEA. During the years 1993—2000, Ulf was a military officer at the Lapland regiment in Kiruna and he is still a part of the Armed Forces, as an Officer in the Swedish Reserves.
Anna Schneider: Anna Schneider is the founder of the security company Afactor, which specializes in information security and employee security. Anna has a police background from various roles and positions at the Swedish Security Services and the Economic Crime Authority.
Per Lagerström; Communications and Marketing manager at Junglemap, which since 2006 has used NanoLearning within Information Security Awareness, Privacy, GDPR and more. The Jungelmap Nano-method focuses on behavior learning which lasts over time, with a focus on practical action.
Jimmy Åberg; Head of Intelligence at SRS Security, whose main work consists of proactively monitoring the security vulnerabilities of companies and individuals, and then assessing solutions. Jimmy has worked in the Police for 22 years, and prior to his new role at SRS, he worked for 14 years exclusively in Advanced Intelligence.
Since the start of this decade, what have been the major digital threats for businesses?
Jan Olsson: “In the past three years, ransomware has accelerated into the leading position. If we just look at numbers, we can see that phishing attacks are also increasing sharply. Of all data breaches that occur in the world, phishing is responsible for about 80% of them. We also see that the Office 365 Suite has become particularly vulnerable to attacks.”
Carl Heath: “The recurring Russian invasion of Ukraine is a clear sign of a new era, both business and the Public Sector. The increasingly authoritarian development in China reinforces a darker picture of the prevailing world order, where democracy and open societies are increasingly put to the test. Again, we live in a time where geopolitics plays a decisive role for business and security. Cyber security issues, information influence and disinformation, industrial espionage and organized crime are a few examples of security threats that are become increasingly challenging.”
Ulf Gustavsson: “I see the major threats as the everyday things which at first glance may seem completely harmless. It can be an innocent email that is actually a Trojan horse, and sets off a series of events. A careless click which can lead to devastating consequences. Or, an ill-suited conversation on the train, where too much information is shared and the wrong person is listening in. Another example can be a lost computer or a mobile phone. The technological developments are moving so fast that the threats we are used to today may take on very different forms tomorrow. Finally, I think we may see more sophisticated threats using AI going forward.”
Anna Schneider: “Above all, we see an increased threat from State Actors whom are trying to intrude on Swedish authorities; organisations gathering information regarding our National Defence.
Industrial espionage is also problem, including foreign powers acquiring technology in illicit ways. Research and Innovation worth billions are being stolen in Sweden.
Per Lagerström: “The pandemic meant that organizations and companies took a giant leap in terms of remote work. A step which in turn was made possible thanks to speedy and transformative digitalisation. This also meant that our digital vulnerability and the number of security risks increased dramatically. The recent years sharp increase in phishing and ransomware attacks is largely due to this change. Those involved in cybercrime suddenly have a much larger market to operate in. The development has meant that matters of cybersecurity and intelligence are highly prioritized by many companies and organizations, with an increasing realization that the human firewalls are absolutely crucial to creating well-functioning cyber security.”
Jimmy Åberg: “In general, we are more and more dependent on digital services to do our jobs. We have come to realize that digitization comes with fantastic opportunities, but also with an increased threat. Companies have been given opportunities to make their businesses better, but at the same time, criminals have many more tools to work with.”
Looking ahead, what digital forgery phenomena could become problematic for businesses?
Carl Heath: “I believe that the security threats we see today will continue to be challenging for years to come, while at the same time, there’s rapid development of technology in several areas, where perhaps AI has become the most obvious and the most talked about.”
Ulf Gustavsson: “It will be problematic to always have sufficient and up-to-date awareness and plans for potential security threats. While at the same time allow your customers, and especially employees to be able to work as efficiently as possible. Working from home places different demands on employee’s security awareness, compared to when you are located at the workplace were there is access-checks, key-cards and more secure firewalls. It’s not easy to find the balance between shared data and system access, for customers or for employees, and to do so with sufficient security.”
Per Lagerström: “The latest generation of AI means, to quote Microsoft, that ’the security landscape is being redrawn forever’. The attacks will become more frequent, more sophisticated, and they will also develop and change, more and more rapidly.”
Jan Olsson: “In my lectures, I always try to talk about the importance of how we store our data. Companies big and small turn to cloud services, instead of internal IT departments, as it’s usually cheaper and more flexible. We do recommend cloud services, as they invest a lot of time and money in their security; but its a real problem that so much data is collected in one place. Universally, cloud services are a major threat of the future. Even though cloud services are already the norm, we should be aware that the best and most sophisticated hackers are targeting large cloud services instead of individual small businesses. Going forward, and even as of today, identification is essential. I don’t know if ID’s will continue to be a ‘physical documents’ or a ‘digital certificates’, but something has to happen.”
Jimmy Åberg: “The greatest vulnerability lies with humans, not with technology. Exploiting the human factor will always be the easiest route for an attacker. 60–85% of all data theft and corporate frauds come from an initial human mistake. Many companies spend a lot of money on building robust and secure digital systems that can withstand technical attacks. But they don’t matter when the human, who is already inside, is the one being attacked.”
Anna Schneider: “Validating information will be a problem, and we need sufficient technology to help us do this in a smart and secure manner.”
The rapid development of AI tools can potentially help fraudsters. How big of a threat is this?
Carl Heath: “There are examples where AI-based language models such as chatGPT are used to identify vulnerabilities in systems, which can then be attacked more easily. AI tools for creating images, videos, and sounds are used for information influence or for fraud. At the same time, the development of new technology that is used to commit crimes means that organizations need to increase their resistance and resilience. Continuous education and development will help, and collaboration with others are also very important.”
Ulf Gustavsson: “As I mentioned, AI can be of great help in many contexts, but it can also, if used incorrectly, become a turning point for an individual or business. The most recent example I heard about was AI being able to mimic a person’s voice and trick relatives into making money transactions. Another threat to be aware is when AI is used an intrusion tool to and gain access to information and then compile it.”
Per Lagerström: “AI will play an absolutely decisive role in the development of cyber threats. But the same thing applies to the solution. With the help of AI, we can strengthen cyber security. One of the challenges here lies in the fact that both attacks and defences are built on the same technology. We don’t really know what the effects of that will be, but clearly we cannot put out a fire with gasoline. Advanced AI technology is not enough to counteract AI-enhanced IT attacks. On the contrary, we need to focus more on how we humans act. Preventing human impulses and making people stop, think, and dare to ask questions will be more important with an AI-dominated threat landscape.”
Anna Schneider: “From a political perspective AI tools can have major consequences. AI can be used by government actors to spread disinformation in a credible way. If it reaches the “right” recipients the inventors can strengthen their position on issues, or weaken their opposition. For the purposes of fraud, it becomes easier for already sophisticated fraudsters to impersonate, for example Executives in order to get fake invoices paid.”
Jan Olsson: “I follow developments around AI and deep fakes very closely. There are already cases of fraudsters calling up companies with fabricated voices, and it’s completely impossible to tell if it’s an actual colleague or an AI pretending to be one. I have seen examples of these phone calls working perfectly. One was at a smaller company, where an employee received a call from a ‘colleague’ about sending login credentials. And just like that, the fraudsters were inside the companies Office 365 suite.”
“Right now these deepfake tools are quite slow, and costly. But imagine three years from now. It’s an eternity in this respect. They will be completely free, and they will be better and faster than we can imagine. This requires all of us, on a global level, to make demands on phone manufacturers and their operating systems. It will be difficult, but it must be done. In just a few years, I think there could be legislative demands on tech companies.”
Jimmy Åberg: “AI tools can be amazingly good at tapping into our emotions. As soon as you kindle an emotion, humans disconnect their logical thought process. The stronger the feeling, the stronger the incentive is to act quickly. The biggest threat, and the one most likely to succeed, is using an AI to map a person’s behaviors, interests, and emotional weaknesses.”
“With various AI programs today, it is possible to quickly understand employees at a company. For example, you can look at a company’s Linkedin page and then go through the employees’ social media to get a full picture of the person’s interests. If an employee loves a specific artist, a specific football team or a specific food, an AI can compile this and then tailor a phishing attack. I have seen these attacks happen already this year.”
How do fraudulent CVs, certificates, and invoices threaten a company’s security, credibility, and finances?
Carl Heath: “Document fraud can be a serious security risk for companies, as it may lead to financial losses as well as damage a companys’ credibility. Criminal actors, both individuals, and companies can perform work, and sell products and services which are not sufficiently qualified. This can lead to financial loss and expose organisations to both risk and injury, and do damage to its reputation and trust.”
Ulf Gustavsson: “The more authentic a document is considered to be, the more difficult it is to detect the falsity. For this use, I am convinced that technology such as blockchain can be helpful. But, it’s still based on the issuer having a high level of credibility. That will always be important.”
Per Lagerström: “More and more Management groups raise these problems as direct threats — because it affects their entire business. It’s a huge problem that also impedes the digital transformation we are currently in. From a positive view, these issues take on a strategic weight. Security is no longer simply an IT issue, it’s a strategic topic for the entire company and its Executives.”
Anna Schneider: “The human factor is important here. With the development of new technology, it becomes much easier to falsify diplomas and certificates, for example. Hiring people who do not have the education or skills they claim, can have devastating consequences for a company. A bad recruitment can cost a lot of time, money and effort, and it can damage the trust for a business, which takes time to rebuild, and is difficult to put a price tag on.”
Jan Olsson: “False documents have been a major global problem for years. People get jobs at Universities or in Government Agencies, and then end up in positions with responsibility and power that affect entire communities. It’s important to prove individuals eligibility. It’s of the utmost importance that whoever stands behind a document, whether it’s an organization, a company, or a government agency, there should be ways to digitally authenticate it. You shouldn’t need to backtrack documents — some companies receive over 1,000 documents and invoices in a day. Digital verification should be a requirement. Especially for authorities that employ people with positions of power in our society.”
Jimmy Åberg: “In a world where it becomes increasingly important to know whom you are doing business with, and who you hire, it will be extremely important to verify official documents. Big corporate deals are built entirely on trust. When that trust is not there, deals will take longer or at times not happen at all. This, of course, results in great financial losses.”
How should companies act to avoid being exposed to digital security threats in the future?
Carl Heath: “It’s important for companies to have a clear security policy in place, something that is used operationally, to protect a company’s different values. It’s also important to continuously raise knowledge for key personnel and the company as a whole to maintain a high level of security awareness. Businesses need to follow the evolution of new digital threats, and keep systems and operations updated, to meet these threats.”
Ulf Gustavsson: “The human factor is the strongest factor in prevention, but can also be the weakest link in your security work. Going forward, it can be summed up in one word: Competence. I believe that competence means that you have the knowledge, the ability, and motivation to act. In other words, you need to have competence in these matters to protect yourself in the best way possible.
For smaller companies, the solution may be to hire a consultant with the right skills, who can ensure that there is a sufficiently basic protection adapted to the need of the organisation. It’s also important to remind oneself and all your employees of the need to develop a basic safety mindset, a way to stay attentive in your everyday job. Using that in place, you have taken a big step.”
Anna Schneider: “The biggest risks are us, the individuals. If the wrong person gets access to a system, it doesn’t matter how many locks, alarms, or firewalls you have implemented. Safety education should be an ongoing factor in all phases during employment. And start by carrying out reliable background-checks where diplomas, certificates and other documentation are checked for authenticity.”
Per Lagerström: “I would say that companies should do three things:
1. Prioritize the human firewalls as much as the technical firewalls. The combination of good technical systems and employees with a high-security awareness will create the best effect. Security is far too important to leave to the security experts alone — all employees are part of the company’s IT security.
2. Raise the security mindset among developers. Its a positive thing that innovation and new opportunities drive our digitilization, but Management needs to get better at setting requirements for ’security by design’. Security built into digital innovations are crucial.
3. Don’t get stuck on cyber security. Think about cyber resilience as well. When, as today, two out of three companies state that “they have been exposed to attacks which seriously threaten the organization’s operations”, the ability for digital recovery become absolutely central.”
Jan Olsson: “AI in combination with quantum computers is a huge coming threat. People might say ’then we can use the same techniques as aid’. Biut, the difference is that all companies and authorities must take legislation into account first. The criminals don’t have to wait for legislation. They will always be one step ahead because they are allowed to experiment.
Therefore, Companies must take more responsibility. It can be inconvenient, expensive, and time-consuming, but it’s important to work preventively. For the average employee, it becomes difficult to always think about safety issues in all parts of the work, so a policy and simple tools to follow are much-needed.”
“A good example is from 2018 when nine Iranian hackers sent phishing emails to 100,000 researchers at 144 different American universities. 5000 of the researchers shared research and documents that were not available to the public. If some of the sharpest minds in society fall for these attacks, so will the average employee. We need to allow ourselves a few extra seconds to check documents and emails for threats.”
“I would emphasize that companies shouldn’t focus too much solely on technical solutions. The answer lies in the people who use technology. It is through awareness, training, and controls that companies can prepare themselves. It is most often us humans who constitutes the greatest vulnerability in a company. Of course, be aware that the digital attacks also need to be fought, but the tools and systems are most vulnerable because of the human factor.”
