It was recently disclosed that the Dutch boss and finance director of a famous French film company were sacked after falling victim to a €19m Business Email Compromise (BEC) scam. Cyber criminals managed to dupe them both into making multiple payments to a third-party bank account in order to facilitate a fictitious acquisition. Such are the threats facing senior executives today, and the ease with which hackers can make a fortune.

We need to respond in kind with a renewed focus on security training and awareness raising, but this time focused on management.

Your weakest link

The above incident is just the tip of the iceberg. BEC, or CEO fraud, has led to losses estimated at $12.5bn since 2013. It’s not the only threat facing senior executives today. Phishing continues to represent a huge security risk to organizations. It was involved in 93% of data breaches analyzed by Verizon last year. One vendor blocked 137 million attempts in Q3 2018 alone. But the more dangerous attacks are the targeted spear-phishing emails aimed at specific individuals.

This is the problem with senior management. They have access to a huge trove of sensitive corporate information — data that could be highly monetizable on the dark web or even of value to nation states. This alone is worthy of attention. But even worse is that those at the top of the corporate ladder very often pay the least attention to best practice security: time-poor execs are worryingly likely to click on a phishing link, open a malicious attachment or fall for a scam.

How do we know this? Because NTT Security has been running a new Management Hack service in EMEA for several months now, in which we simulate attacks on clients’ senior executives using social engineering techniques and then feed the results back to help improve awareness. Data so far shows that 53% fell for spear-phishing attacks, 17% for social engineering via telephone calls and similar, 12% for fake access points and 8% for shoulder surfing.

In many cases, we were able to access critical data including confidential business plans, M&A documents, and usernames and passwords, in as little as 10 minutes.

Deepfake hunting

These results are all the more concerning given the bad guys are getting better at making their scams look authentic. A new, more sinister world of “deepfake” content designed to socially engineer victims lies just around the corner.

In the meantime, IT security teams need to get better at improving the digital hygiene of the senior managers who are increasingly on the frontline of cyber-attacks. Doing so will not just improve corporate security: it may also raise awareness at senior levels of the importance of cybersecurity. That may come in handy the next time you need board-level buy-in, and funding, for a major security project.