Framing the Social Engineering Risk in Business Terms

C-suite employees need to understand the risk posed by social engineering attacks, according to CSO. Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University, told CSO that business email compromise (BEC) can expose an organization to “ransomware, email spoofing, and related threats.”

Alex Holden, founder and CISO at Hold Security, told CSO that executives are particularly valuable targets since their accounts are more likely to hold sensitive information.

“In many cases of BEC, the cybercriminals would find critical/confidential data inside the emails of C-suite victims,” Holden said.

Holden added that executives needed to be even more vigilant than regular employees.

“C-suite members are not regular employees; they are the most prominent employees,” Holden said. “They are role models and not above the rules. They are supposed to be the most protected individuals in the company. They may need more reminders to lead the cyber security initiatives by example and not to be the exception.”

Holden added that, despite this, executives tend to take security shortcuts, putting themselves (and their organizations) at risk.

“[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules,” Holden said. “They are also more prominent and therefore easier to target and imitate for abuse.”

Michael Del Giudice, principal in the consulting group at Crowe, told CSO that a defense-in-depth strategy is essential for preventing these attacks. In addition to training employees to be on the lookout for social engineering attacks, organizations should also require multi-factor authentication, so that a stolen password alone is not enough for an attacker to log in.

“Complementing that with technical controls, implementing things like multifactor authentication on email so even if they do get credentials it will still prevent them from authenticating,” Del Giudice said.

Executives and boards understand business risk. Cyber threats that operate through social engineering can be pigeonholed as matters of personal risk. But in fact they represent a clear business risk, and often the kind of business risks that an organization’s leaders are well-positioned to manage. Framing the risk of social engineering as a business risk is an important first step in managing that risk. New-school security awareness training can enable your employees to avoid falling for targeted social engineering attacks.

CSO has the story.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Once they can do that, they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users have been thoroughly trained in security awareness.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.
