As facial recognition technology (FRT) rapidly gains ground, it’s also bringing a plethora of privacy and cybersecurity concerns. There’s now more and more personal information available in the public domain that wasn’t purposely released by the individuals to whom it refers. And that’s creating new opportunities for cyber attackers to make use of this information for nefarious purposes.

Whether or not an organization uses this type of technology, the cyber risks associated with facial recognition technology can affect it. That means security leaders need to understand these risks and take action to mitigate them.

The cyber risks brought on by facial recognition tech

Almost anyone can gain access to decent facial recognition technology these days. We’re all carrying around sensors in our mobile devices. We’re putting out a lot of data into the public domain already, and now, images are also captured sometimes without us knowing. Those images aren’t just stored locally on our devices – they’re potentially broadcast to the world. Images that include our faces are captured and broadcast into the open for people to score. Strangers can identify us from images we don’t even know exist – and those strangers can do whatever they want with that information, without our consent. Hackers can use these images for business email compromise (BEC) attacks.

Mitigating the risks

Facial recognition software does bring a lot of opportunity for beneficial uses, such as digital and physical security, and it’s understandable why businesses and other organizations would want to use it. While it’s impossible to control how others use this technology, organizations can take steps to protect their employees and the organization itself. 

Security leaders today have the in-house expertise to educate, inform and monitor for risks to the company. Now, more than ever, this needs to include educating employees about their individual security posture and the risks. Every day, data on the internet becomes more indexable and searchable. Our lives become less private, more details become available – and those can and will be used against us. It’s incumbent on companies to help their employees understand these concerns and the key role they can play in practicing cyber hygiene.

Companies should use this data to document a social media policy, for instance, that doesn’t just focus on non-disclosure agreements and what you can/can’t say about a company, but rather, also includes cyber hygiene specific to social media. That includes not using business email addresses to sign up for personal social media accounts, creating stronger passwords, changing passwords regularly, and recommendations for securing personal information from public view. It should also lay out clear consequences for violating the social media policy.

Regulating employee behavior is just one piece of it. Companies should also have ongoing monitoring capabilities in place to understand where new information or exposures are becoming available. Companies must understand that their people are information systems assets that, just like their digital systems, are ripe for compromise. Understanding where their vulnerabilities and exposures are – and how accessible they are – will help to better protect employees and the organization as a whole.

The risks are real

Facial recognition technology has demonstrated that it can help others keep their smartphones safe and gain lawful access to secure facilities. But corporations face greater risk with the wide availability of this software, as malicious actors have already demonstrated with BEC and other types of social engineering attacks. Matching faces in publicly available images can give cybercriminals the information they need to target their prey. Security and IT professionals can train those under their corporate care to consistently use the safeguards noted above as a first line of defense. We may not have complete control over where our likeness appears, but we can exercise caution every place where we do have control.

Aaron Barr, chief technology officer, PiiQ Media