When I speak with IT security professionals, the number one challenge they face is how to get upper management more involved. How do you motivate them to make cyber security a personal matter? The answer: show them why and how they are the prime target of cyber theft.
Executive management plays an instrumental role in approving budgets and setting the example for safe cyber behaviors. While allocating resources and sponsoring initiatives is a critical role, it is not personal. However, in recent months, higher-level management has become the number one target of hackers, and that is personal. Terms like “whaling” and “CEO Fraud” have started emerging in the media to describe social engineering attacks that are specifically designed to deceive high-level executives and their closest employees in order to gain access to the company’s valuable data and funds. Unlike “phishing”, “whaling” is harder for IT security professionals to detect because it usually involves a single email sent to a well-placed individual within the upper levels of the organization. The focus is on exploiting behavior to gain access. Specific people are targeted because of their knowledge of valuable information or their ongoing access to systems.
These management-level attacks are extremely costly to the organization because they usually involve a wire transfer. In January of 2015, the FBI reported that hackers stole nearly $215 million from companies in the previous 14 months through email scams directed at executives and their closest employees. One popular and effective method is “business email compromise”, where hackers spoof the executive’s email account and send an urgent wire transfer request to an employee who is usually responsible for handling such instructions. Sometimes the request is even sent directly to the financial institution, with precise instructions to send funds immediately to a specific bank account for a business reason such as paying foreign suppliers or businesses. The attacker usually does such a thorough job of researching the company’s executives, their positions and their network that it becomes very hard not to fall for the scam. How is that possible, you may ask?
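The “business email compromise” pattern described above can be screened for at the mail gateway: a message whose display name matches a known executive but whose address is not that executive’s mailbox, a Reply-To that diverts replies elsewhere, and urgent payment language are the indicators worth correlating. The following is an added example, not code from the article; the corporate domain, the executive roster and the two sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical roster
PAYMENT_TERMS = ("urgent", "immediately", "wire transfer")


def score_message(raw: str) -> dict:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        # The executive's display name, but not the executive's mailbox
        hits.append("display-name impersonation")
    if reply_to and reply_to.lower() != addr.lower():
        # Replies would go to a mailbox the sender does not show
        hits.append("reply-to mismatch")
    if addr and addr.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN:
        hits.append("external sender domain")
    if any(term in text for term in PAYMENT_TERMS):
        hits.append("urgent payment language")
    # Impersonating a known executive is decisive on its own; otherwise
    # require both a reply diversion and payment language before flagging.
    suspicious = "display-name impersonation" in hits or (
        "reply-to mismatch" in hits and "urgent payment language" in hits)
    return {"indicators": hits, "suspicious": suspicious}


# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Jane Doe" <jane.doe@example-corp.co>
Reply-To: <jd.office@mail.example.net>
Subject: Urgent wire transfer

Please process this wire transfer immediately; I am in meetings all day.
"""
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Board deck for Thursday

Attached is the draft deck, comments welcome.
"""

if __name__ == "__main__":
    print(score_message(SPOOFED))   # suspicious, four indicators
    print(score_message(LEGIT))     # no indicators
```

A roster-based check like this catches display-name spoofing; lookalike domains and compromised legitimate mailboxes still need DMARC enforcement and the out-of-band callback procedure the article recommends.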
In this connected world, more private information is made public through social media. There are many real stories out there that illustrate how easy it is to trap high-level executives due to the abundance of detailed online information available about them.
In 2013, the administrative assistant to a VP at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the assistant received a phone call from another VP within the company, instructing her to process the invoice. However, the invoice was actually a remote access Trojan, and the “VP” who called her was an attacker, who was then able to browse and exfiltrate files from the infected computer. The hacker had used social media to identify the VP’s administrative assistant.
The same scam technique was used in June 2015 against a San Jose-based maker of networking technology for service providers and enterprises, which lost $46.7 million.
In 2010, a security consultant created a fictional persona, Robin Sage, who was purportedly a cyber threat analyst for the U.S. Department of Defense. Robin had accounts on LinkedIn, Twitter, and Facebook, and those were used to build a network of professional “targets”. Most of her new connections worked for the U.S. military, government, or affiliated organizations. Despite the lack of hard evidence to corroborate Robin’s clearance, credentials or even existence, the contacts shared information that revealed their email addresses, bank accounts and even the location of secret military units.
These stories demonstrate that targeting executives and those close to them is a very real threat, and it is personal. When it comes to ensuring the protection of company assets, approving budgets and risk plans is no longer enough.
There are some success stories. In one reported incident, an executive assistant was able to stop a wire transfer of $315,000 that had been initiated after she received a fake email from her “boss.” She simply noticed the difference in tone in the exchange with the hacker. In this case the would-be cyber theft was thwarted by good behavior and old-fashioned teamwork. We believe that when people are informed and work together as a team, they develop synergies and affinities that make them more attuned to the very subtle details that no security firewall can detect. A good way to make this effective is team training for C-level personnel using cyber attack simulations.
Everyone has a personal responsibility to defend their company against cyber threats. Management must review and reinforce financial controls, but that is not enough. Upper management needs to be made aware of both the potential company vulnerabilities and their own personal vulnerabilities. Leaders need to be educated on what to share on social media, on the company’s website and in their “out of office” auto-reply. Everybody needs to understand, and formally sign off on, the risks involved in using personal devices and unsecured networks to exchange work emails. Executives and their staff need to invest the time to attend training and learn how to detect and stop such attacks, because they cannot rely on technology alone.