C-suite employees need to understand the risk posed by social engineering attacks, according to CSO. Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University, told CSO that business email compromise (BEC) can expose an organization to “ransomware, email spoofing, and related threats.”
Alex Holden, founder and CISO at Hold Security, told CSO that executives are particularly valuable targets since their accounts are more likely to hold sensitive information.
“In many cases of BEC, the cybercriminals would find critical/confidential data inside the emails of C-suite victims,” Holden said.
Holden added that executives needed to be even more vigilant than regular employees.
“C-suite members are not regular employees; they are the most prominent employees,” Holden said. “They are role models and not above the rules. They are supposed to be the most protected individuals in the company. They may need more reminders to lead the cyber security initiatives by example and not to be the exception.”
Holden added that despite this, executives sometimes tend to take security shortcuts, putting themselves (and their organizations) at risk.
“[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules,” Holden said. “They are also more prominent and therefore easier to target and imitate for abuse.”
Michael Del Giudice, principal in the consulting group at Crowe, told CSO that a defense-in-depth strategy is essential for preventing these attacks. In addition to training employees to be on the lookout for social engineering attacks, organizations should also require multi-factor authentication in case an attacker manages to get their hands on a password.
“Complementing that with technical controls, implementing things like multifactor authentication on email so even if they do get credentials it will still prevent them from authenticating,” Del Giudice said.
Executives and boards understand business risk. Cyber threats that operate through social engineering can be pigeonholed as matters of personal risk, but in fact they represent a clear business risk, and often the kind of business risk that an organization’s leaders are well-positioned to manage. Framing social engineering as a business risk is an important first step in managing it. New-school security awareness training can enable your employees to avoid falling for targeted social engineering attacks.
CSO has the story.