Todd Wade, Interim Cyber Lead for Link Fund Solutions: “The deepfake cybersecurity challenges are only going to get worse'”

Talking to Todd Wade sometimes feels like dipping into a dystopian world. A world where people can deepfake your voice so perfectly that relatives and colleagues believe it’s you. So let’s just hope that it is indeed Todd that we spoke to. Maybe it wasn’t Todd Wade, Interim Cyber Lead for Link Fund Solutions, but some evil variant cooked up by ChatGPT.

But we have good reason to believe he was the real deal, because an evil chatbot wouldn’t provide such good advice about deepfake attackers. “They aim to get [victims] in an emotional state,” he said. “Once there, they will launch into various persuasion techniques to get them to do what they want. Numerous studies have shown people make worse decisions when in an emotional state.”

Fortunately, Todd goes on to suggest ways to fight off deepfake attacks, along with two other increasingly worrying threats: those that use third-party tools we rely on (with MOVEit being the classic example) and AI-based threats.

Ominously, he concludes: “There is an old saying in cybersecurity: attacks always get better, never worse. Third-party and AI risk highlight this well. It’s not a question of whether you will have a successful attack but when.”

But don’t despair, as Todd provides lots of strategic advice to counteract such risks, and encouragement to anyone who wishes to join the cybersecurity community. Read on to discover these insights, and how he came to work in cybersecurity himself.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

I read a book years ago called The Cuckoo’s Egg by Cliff Stoll. It was a mystery hunt for a hacker in an early 1980s computer systems, a classic tale of corporate espionage. What captivated my attention was the struggle between defence and offence – the highs and lows the defence would go through and the thrilling feeling of elation when things went right for them. This is what first started me on my journey into cybersecurity. 

I’m a techie by nature – historically cybersecurity was closely intertwined with technology departments. It’s only been the last few years that, for many organisations, cybersecurity has come into its own. It’s no longer thought of as a tech solution; it’s a risk solution.

I have been the Chief Information Security Officer for many organisations – mostly in financial services/private equity. In addition, I recently published a book with the British Computer Society called Cybercrime: How to Protect Your Business, Your Family and Yourself. I have always believed that if you want to improve the cyber posture of an organisation, teach the employees how to protect themselves and their families. This will engage them in a deeper manner than the org, and the same security habits they develop will carry over into the workplace. This is what my book is about. 

I started investing in early-stage cyber startups a couple of years ago as part of a cyber syndicate called cyberclub.London – we are a collective of 60 to 70 cyber leaders – we get to see all the latest cyber startups and pick our own deals to invest in. It’s super interesting. I don’t do this for so much more money but more for the challenge; I get to see the coolest cyber innovations and work with the founders. It’s my geek side coming out. 

What are some cases of deepfakes being used that particularly concern you?

There are several deeply concerning challenges with deepfakes – from fake voices to videos to images. People believe what they hear and see. The opportunity for social engineering has just 10x itself. 

A common example is a deepfake call from a CEO (with the voice matching perfectly) that will ask the employee to transfer funds or provide sensitive information. Many times, employees will comply with the requests. Why wouldn’t they? The boss just asked them to. 

It’s not as straightforward as the boss making a request, however. The attackers are very good at using deepfake to get people into an emotional state – could be fear (“I will fire you if you don’t do this” threat) or urgency factor in play (“if this isn’t done right now, our entire business will be forced to close, everyone will lose their job because of you”). They aim to get them in an emotional state. Once there, they will launch into various persuasion techniques to get them to do what they want. Numerous studies have shown people make worse decisions when in an emotional state. 

For individuals, deepfakes are increasingly getting used to extort people. The examples range from deepfakes showing the individual engaged in illegal or immoral behaviour. The threat actors then extort them for financial gain.

The deepfake cybersecurity challenges are only going to get worse.


Worth a read: Allan Liska, Lead Threat Intelligence Analyst at Recorded Future: “‘Too often I hear from companies, ‘Why would they target us?’ That is not how ransomware targeting works.”


What do you think are the best approaches to combating deepfakes?

This is a complex problem to defend against, however there are some basic tactics that people can use. Deepfakes are often designed to evoke strong emotions like anger, fear or outrage. Take a moment when content triggers an instant emotional response. Often, the attackers know enough about you that when they target you, they know what will get you riled up. Before instantly reacting, pause for five minutes. It will help you get out of any emotional state you find yourself in. 

Ask yourself these types of questions: is there any way to verify it? Is there any corroborating evidence? Then check the source. Is it from a reputable news source or is it from some random social media account?

Another suggestion is to educate yourself about deepfakes and how they can be used maliciously against you. You will be better prepared to recognise the deepfakes when you encounter one. Technology solutions are also improving. Tools like Microsoft’s video authenticator can be used to analyse pictures or videos to determine if they have been manipulated. Take the time to verify what you are seeing before jumping to any conclusions or worse sharing the content. It greatly compounds the deepfake problem when users share the content without first checking its authenticity. 

First, it’s important to understand that ransomware is not going away anytime soon. It continues to be a highly lucrative way for cybercriminals to make money. 

One of the biggest trends is Ransomware-as-a-Service. The barrier to entry for aspiring cybercriminals has been lowered significantly. Anyone can jump on the dark web and sign up with the Ransomware-as-a-Service service. They will be provided with the infrastructure to launch attacks. Little technical skills are needed. Some will even provide technical assistance to help the attack. 

A company insider with access to critical computer systems can partner with these groups. The insider provides the access, and the RaaS operators do all the rest. When the organisation pays the ransom to the RaaS group, they then pay off the insider. There is no shortage of disgruntled employees who might be tempted by this.

Another trend is double/triple extortion. Organisations are increasingly not paying the ransom to get their data unencrypted. That doesn’t mean they are off the hook. Cybercriminals then attack the organisations in other ways. Before launching their ransomware attacks, they will first download the company’s data. When the company doesn’t pay, they threaten to make the data public or sell it to someone. This could be a significant reputational risk or loss of intellectual property to a competitor. Other times, they will use the data to continue to launch further attacks. They will try everything they can to ramp up the pressure to get payment.


Worth a read: Rob Robinson, Head of Telstra Purple, EMEA: “We’re currently dealing with a pretty obvious and growing skills gap, which can be a lucrative opportunity for cyber-criminals”


What are the biggest cybersecurity challenges those in leadership roles are facing?

Two of the most concerning are third-party and AI risks. First, there has been a clear trend towards interdependency with third parties for some time. While there are significant business improvements in doing so, there are also increased cyber risks. 

Take, for example, the MOVEit breach in 2023. MOVEit is a file transfer service that many organisations use. Threat actors compromised the company and, through this, were able to breach 1,840 organisations. Over 62 million individuals had their information compromised. A third-party vendor’s cybersecurity posture had direct implications for its partners. This had reputational, financial and regulatory consequences. 

|| Related: Clop ransomware MOVEit attacks exposed email addresses of 632,000 Pentagon & DoJ employees

Second, AI is rapidly evolving. Like third-party risk, AI is increasing in complexity. AI attacks will only get worse. Cyber attacks will become more automated and impactful. American Express was breached in 2023. It is suspected the threat actors used automated AI-enabled social engineering for their attacks via highly personalised phishing emails or social media messages that tricked employees into revealing credentials. 

There is an old saying in cybersecurity: attacks always get better, never worse. Third-party and AI risk highlight this well. It’s not a question of whether you will have a successful attack but when. That is why there is a shift in thinking towards resiliency and how well an organisation can recover from an attack.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

I have had many conversations with people looking to enter cybersecurity. Lately, many have wanted to shift their careers to cybersecurity. My recommendation is first to gain a strong foundation. You need to understand the fundamental concepts of cybersecurity. These include things like risk management, cyber governance and network security.

Depending on how you learn there are a few options. If you are a self-learner, there is no shortage of online courses and information you can make use of. It’s only a question of how much time you are willing to put into it. On the other end, there has been improvement in cybersecurity courses led by instructors. This can be an actual university degree or short courses to take. 

The next question is always, how do I get my first job? It’s a chicken and egg problem. Organisations often want at least a year or two of experience for an entry-level job which isn’t possible if you have never had a cyber job. My recommendation is to think out of the box for this. Start looking for ways to build up your CV – maybe this is volunteering at a cyber event, maybe participating in one.

The other way is to start to network with people who can hire you – this is so important. Go to vendor cyber demos or conferences. Many opportunities have been presented to me by people in my network that have never been advertised. 

Avatar photo
Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.

NEXT UP