<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Dan Raywood, Author at SmartFrame</title>
	<atom:link href="https://smartframe.io/blog/author/dan-raywood/feed/" rel="self" type="application/rss+xml" />
	<link>https://smartframe.io/blog/author/dan-raywood/</link>
	<description>Ideal Presentation, Robust Protection and Easy Monetization</description>
	<lastBuildDate>Thu, 24 Jul 2025 09:06:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://smartframe.io/wp-content/uploads/2023/09/fav-48x48-1.png</url>
	<title>Dan Raywood, Author at SmartFrame</title>
	<link>https://smartframe.io/blog/author/dan-raywood/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How can a manipulated image damage a business?</title>
		<link>https://smartframe.io/blog/how-can-manipulated-image-damage-business/</link>
		
		<dc:creator><![CDATA[Dan Raywood]]></dc:creator>
		<pubDate>Tue, 22 Jul 2025 13:55:00 +0000</pubDate>
				<category><![CDATA[News & Features]]></category>
		<category><![CDATA[image manipulation]]></category>
		<guid isPermaLink="false">https://smartframe.io/?p=138938</guid>

					<description><![CDATA[<p>The ability to change an image’s content has become easier than ever, [&#8230;]</p>
<p>The post <a href="https://smartframe.io/blog/how-can-manipulated-image-damage-business/">How can a manipulated image damage a business?</a> appeared first on <a href="https://smartframe.io">SmartFrame</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="138938" class="elementor elementor-138938" data-elementor-post-type="post">
				<div class="elementor-element elementor-element-135f07b e-flex e-con-boxed e-con e-parent" data-id="135f07b" data-element_type="container" data-e-type="container" data-settings="{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-2fd2df0 elementor-widget elementor-widget-text-editor" data-id="2fd2df0" data-element_type="widget" data-e-type="widget" data-settings="{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}" data-widget_type="text-editor.default">
									<p>The ability to change an image’s content has become easier than ever, thanks in part to GenAI tools. But could distributing an altered image lead a business to face serious consequences? Dan Raywood investigates.</p>
<p>Rewind to Mother’s Day 2024, and most people will probably remember what they were doing. For one mother of three, sharing a photo of herself and her children opened up the reality of image manipulation.</p>
<p>In that case, the photo of the Princess of Wales was later withdrawn amid concerns about manipulation. The intense press coverage around it may even have brought forward the announcement of her cancer diagnosis.</p>
<p>Aside from the impact of the incident, this whole episode highlighted how photo-editing techniques can be used to manipulate and alter images – apparently, in this case, to merge several shots into a single, ideal photo – and the public&#8217;s readiness to scrutinize the results.</p>
<p>This was arguably the first incident of its kind – but could we see another altered image cause the sort of disruption that the Royal Family faced?</p>
<p>After all, if an image of a C-level executive were to be altered in order to portray them in a negative way, what would the impact be on them and their business?</p>
<h4>Fake news – real consequences</h4>
<p>Ilia Kolochenko, CEO at <a href="https://www.immuniweb.com/" target="_blank" rel="noopener">ImmuniWeb</a> and a fellow at the <a href="https://www.bcs.org/" target="_blank" rel="noopener">British Computer Society</a>, says there have been “countless incidents where celebrities and politicians were tricked, harassed and blackmailed with deepfakes, fake news, and misinformation.”</p>
<p>He admits that the vast majority of these incidents are “isolated events, and they didn’t really cause disruption.” But there is evidence of several “small but well prepared cyberattacks,” which affected cryptocurrency influencers, where X (formerly Twitter) accounts were compromised, and announcements were posted that encouraged followers to invest in a specific NFT or cryptocurrency. “So we had incidents that caused tangible financial damage,” he says.</p>
<h4>Reputational damage</h4>
<p>Quantifying the cost of an attack such as one involving reputational damage is particularly hard, especially when compared to a more common cybercrime where you can see a financial loss.</p>
<p>David Sancho, senior threat researcher at <a href="https://www.trendmicro.com/en_gb/forHome.html" target="_blank" rel="noopener">Trend Micro</a>, says it’s fairly obvious that a company’s reputation can be damaged by deepfakes. One of the most immediate ways this could happen is by making the company appear to take a stance on a highly sensitive topic — something that can be done relatively easily.</p>
<p>“I don’t know what the agenda behind those attacks might be, because pure reputational damage ‘just because’ is not very likely unless there’s a hidden agenda by the attacker, so that would possibly imply hacktivists,” Sancho says.</p>
<p>&#8220;A hacktivist can say ‘look at this company doing this’ just to lower the reputation. It can happen, but I haven’t seen it happen very often.”</p>
<p>He also notes that a stock price could be affected by rough claims, but this would most likely be temporary: if the company denied the claims, the stock price would go back to normal.</p>
<p>“In that meantime, the attacker can invest in that artificially low stock just to make money later. It can happen. I’m not saying that it hasn’t happened; it probably has. But since it’s very difficult to quantify, it’s very difficult to know. Stock fluctuates, and there’s a lot of bad behavior out there, so I haven’t seen it, but it theoretically is possible.”</p>
<h4>Political agenda</h4>
<p>Sancho says that this sort of action is undertaken by hacktivists “or people with political agendas,” and it became clear that this would also have to be the action of a very determined individual to make such a series of efforts against a single entity and cause determined damage.</p>
<p>Ultimately, most people may have a bad experience with a product or service, but after calming down, they usually move on. Sancho says he completely agrees, as “it is probably not worth the effort for most people.” The most likely scenario would be a political campaign where you made an effort to disrupt the other party’s electoral efforts, such as with the Conservative Party’s 1997 &#8220;New Labour, New Danger&#8221; campaign.</p>
<p>A notable incident from 2020 involved an altered video of Nancy Pelosi, former speaker of the U.S. House of Representatives, where she was apparently shown to be “drunk and slurring her speech.” This was later revealed to have been manipulated, with the clip described as “low quality and jerky.”</p>
<div><iframe src="https://www.youtube.com/embed/EfREntgxmDs?si=g0Y8LouTlUmhq_i7" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div>
<h4>Stamp out the impact</h4>
<p>These incidents could be damaging if the victim — or their company — is unable to stamp out the impact and prove it to be based on a falsehood. So what can a business do to try to undo the damage or defend itself against this kind of attack?</p>
<p>Sancho says this is a hard situation to recover from “because by the time they open their mouths, the damage is already done, so the only thing they can do is say that this is a lie.” He says there’s not a lot you can do when somebody says false things against you.</p>
<p>“In the context of reputation, it probably will be done only in a political context,” he says. “It’s not impossible, but it just won’t happen very often, unless there is some other political agenda attached to it.”</p>
<p>Kolochenko says we have “almost attained the point of no return” with this sort of disruption, but it has nothing to do with AI “because it was possible before, but now with AI, it’s just cheaper and faster and more efficient.”</p>
<p>He believes that every company is vulnerable to a “massive AI-powered misinformation attack.” He cites an example where someone could create deepfake pornographic videos, and post them on sharing sites and social media – and in many cases, it could spread faster than it can be removed.</p>
<p>This could lead to management being tied up dealing with the aftermath, and a response “may be uncoordinated and unprofessional”. Potentially, mistakes can be made, which would be “more harmful than useful because people will be panicked.”</p>
<h4>LLM legacy</h4>
<p>Kolochenko says that even after all of the stories are taken down, in six to 18 months, all this data will be scraped by AI crawlers, LLMs will be trained, and in about a year from this incident, details will emerge.</p>
<p>“So AI will be poisoned with this information, and given that people will probably be relying even more on AI, this can lead to catastrophic reputational damage that will be kind of irreparable,” Kolochenko says. “Given that the right to be forgotten with LLMs from a technical viewpoint is non-executable, we have a big challenge if we&#8217;re talking about a smaller company.&#8221;</p>
<p>He continues: &#8220;Fraudulent techniques and AI can cause long-lasting reputational damage to everyone. A company can become toxic, and you won’t be able to clean up the internet. You also won’t be able to remove that data from training sets of AI models, unless you obtain a court order to remove the models themselves. But even then, you cannot remove the data from the training set.&#8221;</p>
<p>The impact on a smaller business is the telling factor here: facing a nation-state assault, whether it be a cyber-attack or misinformation, can have huge consequences. The response should include legal and marketing involvement, but even by the time of the attack, recovery may be too difficult.</p>
<p>While the use of AI to manipulate images is not at the heart of this issue, it is certainly making it easier – and the &#8220;feeding&#8221; of GenAI tools with data could cause problems for businesses trying to clear the claims. Having a response plan is crucial, as well as an eye on what others are saying about you.</p>								</div>
					</div>
				</div>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Is Cyber Essentials still fit for purpose?</title>
		<link>https://smartframe.io/blog/is-cyber-essentials-still-fit-for-purpose/</link>
		
		<dc:creator><![CDATA[Dan Raywood]]></dc:creator>
		<pubDate>Tue, 23 Mar 2021 10:31:02 +0000</pubDate>
				<category><![CDATA[News & Features]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://smartframe.io/?p=66211</guid>

					<description><![CDATA[<p>Cyber Essentials was launched seven years ago to help organizations protect themselves [&#8230;]</p>
<p>The post <a href="https://smartframe.io/blog/is-cyber-essentials-still-fit-for-purpose/">Is Cyber Essentials still fit for purpose?</a> appeared first on <a href="https://smartframe.io">SmartFrame</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="68857" class="elementor elementor-68857" data-elementor-post-type="post">
				<div class="elementor-element elementor-element-1cc31409 e-flex e-con-boxed e-con e-parent" data-id="1cc31409" data-element_type="container" data-e-type="container" data-settings="{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-31dc2949 elementor-widget elementor-widget-text-editor" data-id="31dc2949" data-element_type="widget" data-e-type="widget" data-settings="{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}" data-widget_type="text-editor.default">
									<p class="blog-stand-first">Cyber Essentials was launched seven years ago to help organizations protect themselves against cyber attacks. But does it still satisfy its objectives today? Dan Raywood investigates.</p>
<p>It has been over three years <a href="https://www.infosecurity-magazine.com/magazine-features/cyber-essentials-fad-future/" target="_blank" rel="noopener">since I last looked at Cyber Essentials</a>, and almost seven years have passed <a href="https://www.ncsc.gov.uk/cyberessentials/overview" target="_blank" rel="noopener">since the scheme was introduced</a>, so it&#8217;s time to consider if it&#8217;s still fit for purpose.</p>
<p>When it was launched in 2014, Cyber Essentials was intended to help companies understand “the basic controls all organizations should implement to mitigate the risk from common internet-based threats.” This meant enabling and presenting a level of cyber hygiene, and verifying that an organization&#8217;s cyber operations were in a good state through certification.</p>
<p>Three years ago, I determined that Cyber Essentials does help to achieve a certain level of cyber hygiene, and the scheme had positive vibes from both the industry and those who had gone through the certification process. However, its supervision and management left a lot to be desired, and I called for more industry intervention, less focus on commercial gains, and more clarity on its purpose.</p>
<p>Fast-forward to the new decade and major steps have been taken; <a href="https://iasme.co.uk/" target="_blank" rel="noopener">IASME Consortium</a> was announced as the sole certification body in April 2020. Its chief executive, Dr Emma Philpott MBE, said IASME had contributed to the original writing of the scheme and had been involved in its delivery, and was “particularly looking forward to working with the wider network, which includes all Cyber Essentials Certification Bodies, which will allow us to offer expert support and certification to organizations across the whole of the UK and Crown Dependencies.”</p>
<p>One criticism of Cyber Essentials in the past has regarded the nature of certification being administered by different bodies, and the discrepancy around how each body was assessing cases. A statement by the <a href="https://www.ncsc.gov.uk/cyberessentials/overview" target="_blank" rel="noopener">National Cyber Security Centre (NCSC)</a> said the move to a single Cyber Essentials Partner allowed it to work closely with IASME to further develop the scheme.</p>
<p>Despite these advances, it seems opinions remain divided on how much of a success Cyber Essentials has been. In a <a href="https://twitter.com/DanRaywood/status/1372529363074363393" target="_blank" rel="noopener">recent Twitter poll</a>, we asked if the certification has done enough to ensure a company&#8217;s cybersecurity posture. Of the 107 people who responded, 80.4% agreed that it needs to be revised, while 19.6% said that it&#8217;s good enough.</p>
<p>Such a question is, of course, divisive, and many people who commented on the poll agreed that the scheme serves a purpose. It was described as an IT &#8220;MOT&#8221;, as well as “good enough to make sure you don&#8217;t get pwned by a stupid default password, unpatched box, unsupported software and an AV [anti-virus system] that has been disabled.”</p>
<p>Several others said it is a very acceptable base standard, and as long as it is acknowledged that it covers the “absolutely bare essentials” then it is fine. Another commenter claimed there is nothing “seriously missing from Cyber Essentials” as, like PCI, “it can be treated as a tick-box exercise and be next to useless, or you put in place a decent culture and use the results to drive improvement.”</p>
<p>Likewise, Andy Holmes, a head of IT security and compliance, said that it&#8217;s “obviously better than a company doing nothing” and is a good framework “as a starting point, if nothing else, and covers a fair amount of ground.” He also didn&#8217;t think it was ever intended to make a company’s security posture rock-solid, “just to bring it up to a basic level.”</p>
<h4>The case for</h4>
<p> This level of response around Cyber Essentials only being “acceptable” led us to wonder if there is a case for the certification remaining. In this newer era of Cyber Essentials, is the process of achieving compliance with certification clear enough? Or does more need to be done in order to make Cyber Essentials more relevant today?</p>
<p> We were unable to connect with IASME, but did speak to Chani Simms, a Cyber Essentials pool assessor for IASME Consortium and the Managing Director of <a href="https://www.metadefencelabs.com/" target="_blank" rel="noopener">Meta Defence Labs</a>, a Cyber Essentials certification body. Chani said that in her role she “helps customers implement Cyber Essentials and often sees people who do not understand their Cyber Essentials scope and don’t implement the basics correctly.” She asked which other security frameworks are out there in the world that will provide certification for just £300, and come with a simple yet effective control set that can be applied to a one-man-band company through to a larger multinational and to home workers?</p>
<p>Chani said that “nothing is perfect, and everything has teething problems when newly implemented, but it’s our job to make things perfect for us. Having a certification doesn’t mean your company is secure if you haven’t implemented the controls correctly.”</p>
<p>Chani admitted that Cyber Essentials does not cover backup strategies, but can help to prevent a ransomware attack. Implemented correctly, you create different layers of security that help stop ransomware from getting onto your computer in the typical fashion, such as by clicking on a malicious link or via an infected email attachment. “Cyber Essentials can stop that as it will ensure you configure user accounts to not run as administrators and patch software regularly, therefore the chance of a successful attack is greatly lowered,” she said.</p>
<div dir="auto">
<p>She called for more constructive criticism when people saw any imperfections in Cyber Essentials, saying “every framework has flaws but that is not to say it is bad.” She admitted the perfect cyber solution is not going to be found, as every business is different, but “whoever came up with it had a clever vision” and she could not “take people who come back with unfounded criticism seriously.”</p>
</div>
<h4>Taking the Plus points</h4>
<p>As well as the standard Cyber Essentials offering, there is the more advanced Cyber Essentials Plus certification. This, says the NCSC, “still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out.”</p>
<p>In other words, someone else does the verification, rather than you having to do this yourself. Simms said she would “like to see the UK Government say all suppliers [should] have a minimum Cyber Essentials Plus” as a certification.</p>
<p>Other comments we collected via Twitter agreed. “If you have a small IT team then Cyber Essentials+ should be your minimum standard,” said one. Another commenter opined that Cyber Essentials+ depends on the type of company you are. “If you are a small company, yes [it is good enough], but a company with servers, no [it is not good enough], as Cyber Essentials+ doesn&#8217;t have those in scope.”</p>
<h4>The case against</h4>
<p>The fact remains that many people who voted in the above poll felt that Cyber Essentials does not go far enough to ensure a company&#8217;s cybersecurity posture. One of the main reasons for this was the tick-box element of Cyber Essentials, in that a company can do a self-assessment and be certified. Chris Windley, CEO of <a href="https://cybersecurityvalley.co.uk/" target="_blank" rel="noopener">Cyber Security Valley UK</a>, agreed that the tick-box assessment does not cover cybersecurity education, but “simple guides to the key areas are helpful in general” and those “box-shifters and box-tickers have wrecked the market.”</p>
<p>In a recent online discussion of cybersecurity professionals, some members of the group said that too many “people use [Cyber Essentials] as a tick-box exercise and it is not the best standard for where are as a business.” Others claimed that a tick-box assessment “is not education, but it is better than nothing as it raises awareness to you as a business owner on what you need to do in other areas.”</p>
<h4>Good enough for you and me?</h4>
<p>This is essentially the issue: It is seen as good enough, and for some people that is satisfactory, while for others it does not go far enough in ensuring cybersecurity efficiency. Many of the people we spoke with on this issue cited the lack of acknowledgment of the human factor of cybersecurity that affects it so drastically.</p>
<p>Cary Hendricks, operations director of <a href="https://idcybersolutions.com/" target="_blank" rel="noopener">ID Cyber Solutions</a>, runs a Cyber Essentials certification body in Scotland. He was very positive about the benefits of the certification, saying that “you get a ton of stuff and advice for £300,” which does not buy you a lot more in this industry.</p>
<p>“It is a brilliant way for new people in infosec to start to learn as it is a framework, set with specific questions,” said Hendricks. “The sheer amount of exposure to different types of companies is a gold mine for starters under the guidance of a lead assessor.” If you work with an assessment body, they would have achieved certification many times for other companies, so you&#8217;re collecting all of the other experience they have from other operations. Hendricks also said that going through Cyber Essentials “is a great experience for folks on a very limited budget and know-how.”</p>
<p>The cybersecurity sector does carry a degree of cynicism on most things, and Cyber Essentials has indeed been viewed through this lens. However, it does serve a purpose – and most people agree that is the case.</p>
<p>Under the new supervision of IASME, it does have the potential to further evolve into something more accepted as a framework, while preserving its intention as a certification for businesses to prove their capabilities. Either way, the future seems bright.</p>								</div>
					</div>
				</div>
				</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
