Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

The information shared here comes from the #InfosecLunchHour meeting which took place on 3 September, with all personal identifiers removed to protect participant privacy and under Chatham House rules.

During today’s #InfosecLunchHour meet up on Zoom, which was a gathering of cyber security professionals, researchers, and practitioners, several pressing concerns were highlighted that deserve wider attention, from AI-powered deception to the digital divide affecting our most vulnerable users.

The Rise of AI Impersonation: A New Era of Fraud

The conversation began with a sobering look at AI-powered impersonation scams. These are no longer just theoretical concerns; they are happening now, targeting organisations through sophisticated CEO fraud and deepfake technologies. The question posed was simple but chilling: How prepared are we to authenticate our own leadership?

What emerged from the discussion was a recognition that whilst sophisticated AI impersonation exists, many successful attacks still rely on surprisingly simple social engineering tactics. Recent breaches at major retailers revealed that basic deception often proves more effective than cutting-edge technology. This presents organisations with a dual challenge: preparing for high-tech threats whilst not overlooking fundamental security practices.

One participant shared insights from fraud investigation work, noting the significant financial incentives driving these attacks. The potential rewards for successful voice impersonation and CEO fraud are substantial enough to attract serious criminal investment in these technologies.

Learning from Past Disasters: The Ashley Madison Case Study

The discussion revisited one of cyber security’s most infamous breaches, the 2015 Ashley Madison incident. This case study remains relevant not just for its scale, but for what it revealed about cascading consequences.

The breach, orchestrated by a group calling themselves the “Impact Team,” exposed not just user data but fundamental security failures. The hackers demanded the company shut down entirely, threatening to release private information when their ultimatum was ignored. Multiple data dumps followed, revealing that many female profiles were actually bots, a discovery that highlighted the intersection of cyber security with broader issues of digital deception.

The human cost was devastating: blackmail, identity theft, and tragically, documented suicides. The breach disproportionately affected individuals in senior positions and had particular consequences for those in regions where the exposed activities carried severe legal or social penalties.

Perhaps most troubling was the hackers’ insistence that their disclosure served the “greater good.” Participants unanimously rejected this justification, noting the severe personal and professional harm that resulted. The incident serves as a stark reminder that data breaches create vulnerabilities extending far beyond simple extortion, potentially compromising individuals to government agencies and foreign actors.

The Authentication Challenge

As the group explored prevention strategies, the complexity of modern authentication became apparent. Participants discussed the delicate balance between security and usability, noting that overly rigid systems can be as problematic as weak ones.

Help desk authentication processes came under particular scrutiny. How do you verify someone’s identity over the phone when voice impersonation technology exists? The discussion revealed that many organisations are still developing robust procedures for these scenarios.

Some participants mentioned emerging startups working on new identity verification methods, but the consensus was clear: technological solutions must be paired with updated business processes. Organisations need clear protocols for verifying unusual requests, checking unexpected transactions, and confirming the identity of senior executives making atypical demands.

The Forgotten Users: Digital Exclusion and Cyber Security

Perhaps the most poignant part of the discussion at #InfosecLunchHour today centred on digital inclusion, or rather, the lack thereof. The group explored how current cyber security measures often fail to consider non-digital-native users, particularly older adults.

Stories emerged of elderly family members struggling with multifactor authentication, unable to navigate the increasingly complex digital interfaces that younger users take for granted. One participant shared concerns about upcoming analogue telecommunications shutoffs, noting that many retirement community residents lack basic digital literacy and feel overwhelmed by the transition.

This is not just a usability problem; it is a security vulnerability. When systems are designed without considering all user types, they often fail to protect the most vulnerable. The discussion revealed a troubling pattern: many digital systems are designed by and for digital natives, creating barriers that push vulnerable users towards less secure alternatives.

The Path Forward

Several key themes emerged from this wide-ranging discussion:

  • Threat Modelling Must Include Social Engineering: Organisations need to prepare for both sophisticated AI attacks and basic deception tactics. The most elaborate technical defences can be bypassed by simple human manipulation.

  • Process Matters as Much as Technology: New verification technologies are important, but they must be implemented with clear business processes that address real-world scenarios like CEO impersonation attempts.

  • Inclusive Design is Security: Cyber security solutions that do not consider all user types create vulnerabilities. Design decisions made without user input, whether historical or contemporary, often fail in practice.

  • Learning from Breaches: The cyber security community continues to grapple with the same fundamental issues revealed in breaches like Ashley Madison. Society’s failure to learn from past incidents leaves organisations and individuals vulnerable to similar attacks.

Looking Ahead

The participants concluded with plans to explore user experience design in cyber security, a recognition that human factors are as crucial as technical controls. As one participant noted, we often design systems without adequate consideration for how real people will actually use them.

The conversation also touched on the broader challenge of digital literacy and inclusion. As our critical infrastructure becomes increasingly digital, ensuring that all community members can safely navigate these systems is not just an accessibility issue; it is a national security concern.

The cyber security landscape continues to evolve, but this discussion highlighted a crucial truth: the human element remains both our greatest vulnerability and our most important defence. Whether we are talking about AI impersonation, data breaches, or digital inclusion, success depends on understanding and addressing human needs alongside technological capabilities.

As we move forward, the challenge is not just building better security tools but building security that works for everyone, regardless of their technical expertise or digital nativity. Only then can we create truly resilient systems that protect all members of our increasingly connected society.

#InfosecLunchHour is a monthly virtual meet up on Zoom of cyber security and infosec professionals for some relaxed chat over lunch. If you would like to join the next meet up at 12.30pm BST on Wednesday 1 October 2025 please email lisa@csu.org.uk to be added to the calendar invite for the event.
