CEOs can be the weakest link in an organization’s security posture, according to Mimecast’s Matthew Gardiner. Carole Theriault talked to Gardiner last week on The CyberWire’s Hacking Humans podcast, where they discussed the importance of security awareness at the top levels of a company’s management.
Attackers know that if they successfully compromise or impersonate the CEO, an attack known as CEO fraud, they immediately gain the advantage of the CEO's high level of access and authority.
“If you're going to impersonate somebody at a company, CEOs are a pretty good choice, maybe the CFO, or there's a couple other people, depending on what you're trying to do. So if you get a, in quote, ‘get an email from the CEO,’ you're much more likely to go, whoa, wait a second, you know? I got to take this seriously. I'm going to act accordingly, you know, quickly, perhaps. But then, they're also, on the flip side, a point of attack. So if you're an attacker and you can get into the CEO's account or onto their machine, you're into the flow of the most sensitive data or information at a company.”
This type of attack highlights the broader trend of attackers preferring social engineering over technical exploits to gain access to organizations. It’s much more efficient for an attacker to trick someone into letting them in than it is to break in on their own.
“It's actually kind of hard to hack - you know, to literally, technically hack an organization that has some security controls,” explains Gardiner. “It's much easier to send in a request via email and have the user, essentially, invite them in, or do something, you know, in response to, you know, an email that says, please change your wiring instructions for our account, and pretends to be one of your vendors or customers. There's nothing malicious, necessarily, in it. It's the - purely socially engineered.”
To defend against these attacks, Gardiner recommends a combination of technical safeguards and user education to protect every surface of the organization.
“I mean, you want technical controls. You want, you know, security awareness training that everyone would take, including the C-level folks. And you want, you know, the classic triumvirate - the business process to be no single point of failure. But on your point of the CEO, a good CEO would say, I'm like everybody else. I should be beholden to the security controls that everybody else is - and probably even some more - but at least what everybody else is.”
Gardiner believes that, while organizations have made progress over the years, security is a never-ending process that can always be improved upon.
“The understanding and awareness is much higher than it's ever been, but it's still complex. And that's, you know, sort of the frustrating part of security. There is no absolute answer. You just got to improve in all the three areas, you know - the tech, the people and the business processes - and make it all risk-based.”
C-suite employees need to understand that they are among the most appealing targets for social engineering attacks. New-school security awareness training can give employees at every level of your organization an understanding of the types of attacks they are most likely to face.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2018-11-15.html