Reuters just made me aware of a U.S. Securities and Exchange Commission report on a recent SEC investigation into whether nine companies that had been victims of CEO fraud had the internal accounting controls in place that the law requires.
The report focused on what the FBI calls “business email compromise” and what in InfoSec circles is known as CEO Fraud: cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013.
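The impersonation step in this scam usually shows up in the mail headers before anyone reads the body: an executive's display name on a message from an outside domain, a sender domain one character off from the real one, or a Reply-To that quietly redirects the conversation. The following is an added example (not code from the original post, from KnowBe4, or from the SEC report) of those header checks in Python. The company domain `example.com`, the executive names, the keyword list and both sample messages are constructed for illustration.

```python
"""Header-level checks for executive impersonation (BEC / CEO fraud).

Added example; not the original post's code. Company domains, executive
names, subject keywords and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumptions: the organisation's real mail domains and the executives
# whose names are most likely to be impersonated.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(name: str) -> str:
    # Collapse case, punctuation and word order so "DOE, Jane" == "Jane Doe".
    parts = name.replace(",", " ").replace(".", " ").lower().split()
    return " ".join(sorted(parts))


EXECUTIVE_KEYS = {_norm(n) for n in EXECUTIVE_NAMES}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: bytes) -> list[str]:
    """Return the BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    findings = []

    # 1. An executive's display name on mail from outside the company.
    if _norm(name) in EXECUTIVE_KEYS and from_dom not in INTERNAL_DOMAINS:
        findings.append(f"executive display name '{name}' from external domain {from_dom}")

    # 2. Sender domain is a near-miss of a real company domain.
    for dom in INTERNAL_DOMAINS:
        if from_dom != dom and levenshtein(from_dom, dom) <= 2:
            findings.append(f"lookalike sender domain {from_dom} (resembles {dom})")

    # 3. Reply-To steers replies to a different domain than From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 4. Pressure / payment wording in the subject (constructed keyword list).
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in ("urgent", "wire", "payment", "confidential")):
        findings.append(f"pressure or payment wording in subject: {subject!r}")
    return findings


# Constructed sample messages, not real traffic.
SPOOFED = b"""From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@freemail.example>
To: ap@example.com
Subject: URGENT wire transfer - confidential

I'm in a meeting, please process the attached invoice today.
"""

LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Q3 board pack

Attached for review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw) or "no indicators")
```

The lookalike test with a threshold of 2 will false-positive on very short company domains, so tune it per domain, and none of these checks replaces SPF, DKIM and DMARC alignment; they are the cheap second look that catches the cases where authenticated mail from an attacker's own lookalike domain passes those checks cleanly.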
In some cases, the attacks on these companies lasted months and were only discovered when law enforcement intervened. Each company had securities listed on a national stock exchange, and each lost at least $1 million; two lost more than $30 million and one lost more than $45 million.
Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement: "We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."
Regulators and lawmakers are increasingly focused on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents.
Not Just Public Companies
And it's not just public companies that are required to have internal controls to protect against risks like this. There is a lot of recent case law that shows you need to have defenses against social engineering in place. Any organization needs to have what the courts view as "Reasonable Cybersecurity".
Here Are Three Free Resources
- VIDEO: In two very short videos during SecureWorld interviews, attorney Shawn Tuma explains what the courts view as “Reasonable Cybersecurity” and what your organization needs to have in place. Take 3 minutes and watch these two videos. You are going to be glad you did, because they have fantastic ammo to get budget.
- WHITEPAPER: This whitepaper from Michael R. Overly shows you the common threads in compliance laws and regulations. Are you familiar with the concept of Acting “Reasonably” or taking “Appropriate” or “Necessary” measures? Did you know you are supposed to "scale security measures to reflect the threat"? Find out how this can keep you from violating compliance laws or regulations.
- Free Phish Alert Button: Train your users not to fall for spoofed social engineering attacks like this. Install the free Phish Alert Button on their machines so they can report incidents like this.
Free Phish Alert Button
When new spear phishing campaigns make it through all the filters, and about 10 to 15% do, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from "weakest link" into your "human firewall" is to roll out KnowBe4's free Phish Alert Button to your employees' desktops and mobile devices. Once installed, the Phish Alert Button allows your users, who today are your last line of defense, to sound the alarm when suspicious and potentially dangerous phishing emails make it into their inbox.