But most IT security professionals are still not training them – leaving their organisations at risk of fraud and ransomware
Almost half of those who work in the IT security industry (49 percent) believe that their CEO or executives have fallen victim to targeted phishing scams, according to new research conducted by AlienVault®, the Unified Security Management™ and crowd-sourced threat intelligence leader.
The research, which surveyed the attitudes of around 300 IT security professionals at the Infosecurity Europe conference, found that more than three-quarters of respondents (82 percent) worry that their CEOs and executive board are still vulnerable to phishing threats, such as CEO fraud, where a phishing email appears to come from the CEO of a company and instructs executives to transfer funds to an account held by attackers.
In spite of this, the majority of infosec professionals are leaving their CEOs vulnerable by not training them to spot potential threats. Less than half of those surveyed (45 percent) give training to everyone in the organisation, including the CEO, to help them spot phishing emails. Over a third (35 percent) train most, but not all, employees in the organisation to spot malicious emails, and a fifth (20 percent) conduct no training at all to help personnel detect phishing threats, instead dealing with problems only as they occur.
Javvad Malik, security advocate at AlienVault, comments: “The challenge that lies here is two-fold. Firstly, most phishing scams that target execs are well-crafted and researched. Similar-looking domains are registered and execs are carefully researched. Secondly, many execs have personal assistants who manage their day-to-day operations and who are often more susceptible to social engineering techniques. As such, it is important to train all users within an organisation as attackers will always try to strike at the weakest links, who may not even be internal employees. CEO fraud also routinely targets third party suppliers, partners and customers, so awareness should be spread to all associated parties. To stay a step ahead, security teams need to monitor third party activity closely and use threat intelligence networks to keep abreast of the latest scams being employed by criminals.”
In April, the FBI reported a 270 percent increase in victims of CEO fraud since the beginning of 2016, which has cost organizations over US $2.3 billion (£1.7 billion) in the past three years. The FBI estimates that organizations which fall victim to CEO fraud attacks lose between US $25,000 and US $75,000 on average (£18,500 to £55,000), but some companies are affected more severely. Toy maker Mattel lost $3 million in 2015 as a result of a CEO fraud phishing scam.
Javvad Malik continues, “Recent years have seen a marked increase in phishing as a preferred attack avenue. Phishing emails come in various forms. Some contain malicious attachments or have links which, once clicked by users, direct them to a malicious website for a drive-by malware download, leading to infections such as ransomware. Other phishing attacks do not come with any malicious files, but rather rely on pure social engineering techniques to manipulate the user. These attacks succeed because they manage to trick employees into ignoring basic security precautions.”
The research also revealed that almost half of those surveyed (45 percent) thought that it was either likely or possible that their organization would pay up if it was infected with ransomware. Only just over a quarter of respondents (28 percent) were confident that they would not pay the ransom because all their data is adequately backed up, and an additional 27 percent said that they would not negotiate with extortionists on principle.
Javvad Malik continues, “It’s worrying to see how many people would consider paying up if they were infected with ransomware. Negotiating with criminals is a dangerous game that offers no guarantees, and cooperating in this way just encourages more attacks. The most important defence against this type of malware is to have reliable backups in place to protect your organisation’s data. In addition, it is vital to have detection controls on both network and host, which are correlated and kept up to date with the latest threats.”
A blog post outlining further findings from the research is available here.