This week, we have a guest post from Jolina Pettersson, Enterprise Security Architect, Consulting Services, NTT Security.
With business leaders busy, stressed and, in certain situations, demanding that things move fast, it’s no surprise they have become a prime target for hackers.
Business Email Compromise (BEC) – in its best-known form also called CEO fraud – is a scam increasingly used to target leaders who are perhaps too distracted or time-starved to spot a malicious email. Most commonly the attacker poses as a senior executive and directs an employee with payment authority (a specific person in accounting or finance, for example) to make a wire transfer to an account the attacker controls. The goal is simple: to steal money directly from the organization.
Separating genuine emails from fake ones is becoming more and more difficult, and hackers know exactly how to fool leaders – whether that’s to make them approve a wire transfer or, equally concerning, click on a link that hands the attacker unauthorized access to sensitive or business-critical data.
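As an added illustration of the tells such an email usually carries (this is example code written for this page, not tooling from NTT Security or the original post), the script below checks a single inbound message for four common CEO-fraud indicators: an executive’s display name paired with an address that is not theirs, a sender domain that is a lookalike of the company’s own, a Reply-To that quietly redirects answers elsewhere, and payment pressure in the subject and body. The corporate domain example.com, the executive roster and the two sample messages are constructed for the example; the thresholds are simple heuristics, not a substitute for a mail gateway’s own controls.

```python
"""Heuristic BEC (CEO fraud) indicator check for one inbound message.

Added example with constructed data: the domain example.com, the executive
roster and both sample messages are assumptions made for this illustration.
"""
import email
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# assumption: names attackers are likely to impersonate, with their real addresses
EXECUTIVES = {"anna karlsson": "anna.karlsson@example.com"}
# phrases that together signal payment pressure typical of CEO-fraud mails
PRESSURE_TERMS = ("urgent", "immediately", "today", "confidential",
                  "wire transfer", "bank transfer", "iban", "payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (exarnple.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Plain-text content of a message, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload or "")


def bec_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. An executive's display name on an address that is not the executive's.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")

    # 2. Sender domain within two edits of ours but not ours (typosquat / homoglyph).
    if from_dom and from_dom != CORPORATE_DOMAIN and edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_dom}")

    # 3. Reply-To pointing at a different domain than From, so replies leave the thread.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {reply}")

    # 4. Two or more payment-pressure phrases in subject plus body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("payment pressure: " + ", ".join(hits))

    return findings


def is_suspicious(raw: str) -> bool:
    """Flag a message when at least two independent indicators fire."""
    return len(bec_indicators(raw)) >= 2


# Constructed sample: a CEO-fraud attempt against finance.
SPOOFED = """\
From: "Anna Karlsson" <anna.karlsson@exarnple.com>
Reply-To: anna.k.ceo@mail-relay.invalid
To: finance@example.com
Subject: Urgent wire transfer - confidential

I am in a board meeting and cannot talk. We need to settle an acquisition
payment today. Please wire 48,500 EUR to the IBAN below and keep this
confidential until I announce it. Confirm immediately when done.
"""

# Constructed sample: a genuine mail from the same executive.
LEGIT = """\
From: "Anna Karlsson" <anna.karlsson@example.com>
To: finance@example.com
Subject: Q3 budget review slides

Attached are the slides for Thursday. No action needed before the meeting.
"""

if __name__ == "__main__":
    for label, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "clean", bec_indicators(raw))
```

Run as a script to see the spoofed sample flagged on all four indicators and the genuine one on none. Each indicator is weak alone (executives do mail from phones with odd Reply-To headers), which is why the verdict requires two to coincide; in practice such a check complements, rather than replaces, an out-of-band confirmation step for any payment instruction that arrives by email.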
Case in point: when NTT Security conducts penetration tests that target managers – on behalf of clients – we usually reach the company’s central systems within just 10 minutes. This finding raises the question: are leaders not taking cybersecurity seriously enough? According to our latest Risk:Value Report, apparently not. Fewer than half (45%) of decision makers consider all of their critical data to be ‘completely secure’, while only 52% have an incident response plan. Over a third would consider paying a ransom to an attacker instead of investing in cybersecurity.
In order for businesses to succeed with security, managers must understand that the business faces real security threats, and implement strategies to handle attacks. There is no place for an ‘it won’t happen to us’ attitude. Attacks can hit anyone. All businesses possess information that may be of interest to others, even if they do not believe it themselves. The consequences of unauthorized people accessing company-critical information reach far beyond lost competitive advantage. Managers should therefore also recognize that:
- Data attacks can cost organizations money. Lost profits and claims can quickly make an attack expensive, and now that the General Data Protection Regulation (GDPR) has come into force, with other regulations like the California Consumer Privacy Act (CCPA) on the rise, breaches of privacy rules carry huge fines.
- Data attacks can reduce the value of the company. If the breach becomes public knowledge, the company risks a fall in its share price, and partners may become more sceptical about entering into agreements.
- Data attacks can lead to lost confidence. Customers and stakeholders will rely less on companies that do not have good security. Confidence could be lost among customers, the board, employees and other audiences – not to mention damage to a company’s reputation and brand.
Managers need training in cybersecurity
Leaders need to be taught to recognize phishing emails as they arrive, what to watch for to avoid being tricked, and the risks and consequences of an attack. Management’s commitment sets the stage for security awareness and security training in the rest of the organization, and is a prerequisite for everyone in the organization learning to recognize when they are being targeted by attackers. In addition, management’s awareness is a prerequisite for creating the right strategy and tools required to be prepared for attacks.
Five steps for managers to be prepared for attacks
- Technical barriers – robust technical systems and controls are the basis of the security strategy. Deploy technology that can prevent or detect attacks and unauthorized persons in the system.
- Human barriers – behind the technical barriers is the human element. Put in place a training program for both management and employees and continuously run mock whaling and phishing exercises. Giving people the skills to recognize a phishing attempt and to refuse to give up sensitive information such as passwords and credit card numbers is a small measure that can make a big difference.
- Intrusion alerts – hackers may be inside a business for a long time before it discovers the breach. The longer they stay inside, the more information they can gather and the more computers on the network they can break into. Discover them before they do a lot of damage.
- Response plan – if an attack comes, good handling will reduce the damage and the time it takes to recover. Map the business along with its important data, sensitive information and documents to know which require different levels of protection. Involve everyone from top management right through to technicians, HR, legal and marketing in developing the plan. Don’t forget to test and evaluate the plan on a regular basis. Practice makes perfect.
- Recovery plan – map which measures and activities should be initiated to restore the systems and make the business operational again as fast as possible. The recovery plan should include strategies for resuming the organization’s business activities in the shortest possible time, as well as a description of the key resources, equipment and staff needed to recover its operations.