It’s no secret that Business Email Compromise (BEC) scams are an increasing threat to organizational security. Targeting company infrastructure by impersonating known associates, vendors, or even employees continues to be one of the most common ways of gaining access to data or finances–but hackers may be taking on a new approach. Many BEC scams are carried out by mass-targeting individuals at a company. However, as Forbes points out, that method is changing: whereas BEC scams of yore might target dozens or hundreds of employees at a time using a single scam, hackers are now going straight to the motherlode: The C-Suite.
That theory holds up. According to the 2019 Data Breach Investigations Report done by Verizon, C-Level executives are now 12 times more likely to be targeted in BEC scams. Why? Targeting a CEO directly seems more difficult and riskier than aiming for a lower-level employee. And according to Forbes, these scammers are working long and careful cons in order to target the C-Suite. But if you think about it, this new approach makes complete sense. For one thing, a direct scam on the CEO, if successful, provides direct access to some of the most important and lucrative information in the company. Rather than going through a variety of lower-level employees–any of whom might shut the whole operation down–this scam cuts right to the source, and takes extreme care to go into the scam well-prepared. In that sense, the C-Suite are high reward targets. For another thing, as security awareness training continues to grow in popularity and exposure to common scams grows–particularly when it comes to phishing–it becomes more likely that lower-level employees will recognize a scam without being duped. On the flipside, executives and the C-Suite are less likely to be active participants in awareness training (not to mention other IT-owned security initiatives or protocols), possibly making them easier targets. Combine these two factors, and you have a pretty appealing attack plan.
Unfortunately, these attacks have not only been attempted, they’ve been successfully carried out. Forbes provides a frightening example of a company in Silicon Valley (name and all detailed information withheld) that was targeted by a hacker who used not one but five separate identities from different sectors to scam a high-level executive into opening a malware-ridden attachment. In another example, a spoof email that appeared to come from a CEO targeted that same company’s CFO, requesting a transferral of funds. Thankfully, the scam was stopped in its tracks by a simple independent verification–the CFO walked into the CEO’s office and asked if he requested the transfer. When he said he hadn’t, it was clear that they were dealing with a hacker.
That last example makes an important point, which should be our basis for preventing these kinds of attacks: a foundation of strong security best practices and closely followed protocol changes everything. What’s more, these practices have to be instilled in and followed by each and every person, in each and every level, of an organization. If that process seems daunting, that’s understandable–but here are a few steps in the right direction.
First, don’t try to force C-Level executives into a general, end-user Security Awareness Training program. Courses designed for lower-level employees don’t tend to be well-suited to Leadership Teams, both in terms of content and general tone. There are many topics in general courses that will not be relevant to a CEO, as well as critical angles and considerations that will be missing. Instead, try deploying specialized courses that deal with Security Awareness topics from a CEO’s perspective and focus on areas like Whaling that are uniquely important to executives. Some courses (such as GLS’ Leading a Secure Organization) even offer special pacing or modularized versions that allow busy C-Levels to take training at a more convenient pace.
Second, don’t be afraid to include the C-Suite in regular simulated phishing exercises. As the statistics prove, executives need to be just as familiar with and capable of spotting phishing attacks as lower-level employees do…and phishing simulations play a big part in accomplishing that. If you’re worried that an unprecedented simulation sent to the C-Suite will rock the boat, try giving everyone a head’s up a month or two in advance, and explain the necessity of phishing everyone regularly in order to ensure total company security. Chances are that the Leadership Team will be 100% on board with your initiative, and will appreciate the opportunity to test their skills.
Finally, it’s important that executives be as involved as possible in decision-making and initiatives around Security Awareness. In many cases, SAT is handled and enforced by a distinct department (such as HR or IT), making it unnecessary or more difficult for Leadership to be kept in the loop. However, as C-Level executives themselves will tell you, a healthy organization must have Leadership buy-in and involvement for security. Of course, this involvement will reap the immediate benefit of making executives more aware of current threats and less likely to inadvertently click on a malicious email. And as the troubling Verizon statistics indicate, this is a crucial area of weakness that we need to deal with.
But even more importantly, involving executives in security will gradually help to foster a much stronger security culture, emphasizing to the entire organization from the top down that Security Awareness is important, prioritized, and necessary at every level of the company. In a sense, this is our best path to preventing all phishing attacks–not just Business Email Compromise, or specific attacks that target the C-Suite. Long term, a strong security culture–one in which all employees are familiar with protocols, prepared to address threats, and generally engaged in the security well-being of their company–will accomplish change and prevent breaches like nothing else can.
For more information on specialized Executive-Level Security Awareness Training, or to speak to a training specialist, please visit us at www.globallearningsystems.com.