The Chief Security Officer (CSO) and the rest of the executive suite may be among the weakest cyber security links, according to research conducted by AlienVault and published by Computing UK. Half of CSOs fall victim to phishing attacks, while 82 percent of IT security professionals are worried that executives will fall prey to carefully crafted phishing scams.
Compounding matters, only 45 percent of firms provide cyber security training to their employees, including executives, while a whopping 20 percent don't conduct any training at all -- instead dealing with attacks after the fact.
If I were aiming to misbehave, a 20 percent "target market" sounds pretty fat and lucrative. Cold-call salespeople would kill for lead lists with a 20 percent return rate.
Phishing attacks at the executive level tend to be well-crafted and researched down to the individual, including lookalike domain names that resemble the ones the recipient expects. Attacks may also be directed at or through personal assistants, and at third-party suppliers, partners, and customers.
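The lookalike-domain trick described above is something a mail gateway or SOC can screen for. The following is an added example, not code from the article or from AlienVault; the trusted-domain list, the confusable-character table and the sample sender domains are constructed for illustration.

```python
"""Added example: flag sender domains that imitate trusted ones.

TRUSTED_DOMAINS and the sample senders are constructed, not from the article."""

# Domains the organisation treats as its own or as known partners (assumption).
TRUSTED_DOMAINS = ["example.com", "example-partner.com"]

# Character substitutions commonly used in lookalike registrations (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lower-case and fold confusables so 'exarnple.c0m' becomes 'example.com'."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; strings are domain-length, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that sender_domain imitates, or None.

    An exact match is legitimate mail, not a lookalike. A domain that matches
    only after confusable folding, or sits within max_dist edits of a trusted
    domain, is flagged for review (e.g. 'example.co', 'examp1e.com')."""
    if sender_domain.lower() in trusted:
        return None
    norm = normalize(sender_domain)
    for t in trusted:
        if norm == t or edit_distance(norm, t) <= max_dist:
            return t
    return None


def screen_senders(sender_domains):
    """Map each suspicious sender domain to the trusted domain it resembles."""
    return {s: lookalike_of(s) for s in sender_domains if lookalike_of(s)}


if __name__ == "__main__":
    # Constructed sample of From: domains seen by a gateway in one day.
    print(screen_senders(["example.com", "exarnple.com", "examp1e.c0m", "example.co", "unrelated.org"]))
```

Tune `max_dist` to the length of your own domains; a distance of 2 on a very short name will flag unrelated legitimate senders.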
Since the beginning of 2016, there has been a 270 percent increase in CEOs being victims of fraud, according to FBI statistics. Over the past three years, phishing fraud is estimated to have cost U.S. firms over $2.3 billion, with each incident costing between $25,000 and $75,000.
Remember that 20 percent target market? Imagine a single phishing "win" bringing in an average of $20,000 or more to a cybercriminal. Phishing is not only a target-rich environment, but lucrative to a skilled criminal who does their homework.
AlienVault also found that 45 percent of IT professionals believe it likely that the companies they work for would pay the ransom after a ransomware attack resulting from a successful phishing attack. That is not a lot of faith in executive judgment to do the "right" thing if the worst happens.
The best first-line defense against phishing and other social engineering-based attacks is education, starting in the executive boardroom and (hopefully) built into corporate training for all employees. Companies can take advantage of online training organizations, such as CareerAcademy.com, to construct basic and advanced security training. Depending on the training organization, online cyber security courses can also provide employee benefits in the form of college credit and/or continuing education units (CEUs), as well as formal employee certifications for skill training.
Regardless of the training structure designed between IT and HR, executives have to buy in and be involved in cyber security from day one on the job. Failure to participate in and support employee education on cyber security makes companies a lucrative target for bad actors looking to cash in early and often through phishing attacks and ransomware. Company officials need to promote awareness by advocating education and by example in their own affairs. Failing to do so can easily result in a very costly incident affecting profitability and, potentially, their own continued employment.
Edited by Maurice Nagle