When should organizations be on guard against social engineering? Always, of course, but there are certain times when they should be especially alert. A study of cyberattacks has found that criminals are particularly attentive to changes in corporate leadership. Research published in The Journal of Strategic Information Systems finds that, “Our interviews with C-suite executives reveal that the chances of someone falling victim to a phishing email are higher during times of leadership change. And hackers know this: Criminals often time their attacks to take advantage of such changes, typically targeting the most susceptible.”
There are three basic reasons why times of transition carry a heightened risk of phishing and, by extension, of other forms of social engineering: “increased uncertainty, unsettled workplace practices and a desire to please the new boss (and sometimes the old one).”
A change in company leadership can be unsettling. Doubts and concerns about the future produce confusion, and confused people often come to doubt their otherwise sound habits of mind. In one case, “a network analyst received an email purportedly from the network administrator with a PDF document attached. The organization had significant turnover, and both the CISO and the network administrator had left. The uncertainty confused the employees, who were left wondering about the email and its authenticity and what they should do. In the end, they clicked on the PDF—installing malware.”
Unsettled practices also often follow a change in leadership. For good or ill, the new boss will often want to impose changes: to put their mark on the organization, to set higher expectations, or to correct some perceived institutional shortfall. Indeed, the new boss may have been brought in precisely to make such changes. In that climate, a phishing email might be mistaken for simply one more part of the new way of conducting business.
And finally, people tend to want to please, particularly the new boss. It’s easy for social engineers to exploit this predictable niceness in the employees.
The moral of the story is that organizations should consider stepping up their awareness efforts, especially new-school security awareness training, during times of transition. The arrival of new faces in the C-suite isn’t the time to decide that security awareness training can be put off until the transition is complete and everyone’s comfortable. If it is deferred, you may be deferring not just training, but effective risk reduction as well.
The Wall Street Journal has the story.