Criminals know where the richest pickings are. The prize might be money or it might be valuable information, but the higher up the organisational tree they manage to reach and successfully target, the greater the reward. Yet when it comes to understanding cyber threat, we don’t have to look very far to realise that our boardrooms are not well enough informed about the threats their organisations face, and this has a knock-on effect throughout the business.
Whaling is a form of phishing that specifically targets C-level employees. Phishing is arguably the most successful attack vector and delivery vehicle for malware, including ransomware. In a whaling attack, criminals carefully devise and hone the email content so that it appears credible and appealing to a high-level recipient, using topics, subject lines and terminology likely to resonate with that person and encourage them to open a malware-laden document or click a link, for instance. This takes careful digital stalking of the target and their colleagues, and it also means the email can be hard to spot. However, C-level directors and business leaders appear to lack a genuine grasp of cyber threat and, if the survey data is to be believed, they are actually engaging in risky behaviours that increase the likelihood of infection, rather than leading by example and building a culture of security resilience. The success of whaling is testament to this. By contrast, businesses with a cyber-engaged boardroom suffer less when the inevitable attacks from cyber criminals arrive.
Training board-level directors in cyber security is becoming increasingly important as the need for strategic leadership in this area becomes clear. Whaling will still go on, of course, but the response needs to be growing awareness and a demonstrated ability to deal with this kind of threat. Once the board-level response is clear for all employees to see, it helps to shape everyone’s behaviour, and this in turn helps employees respond more effectively to the so-called CEO scam. In a CEO scam, employees are targeted by criminals using a spoofed email that purports to come from a senior person and is designed to make them react very quickly: it demands an immediate response, normally a payment. Of course, the email is not genuine and the real ‘CEO’ is unaware of the unfolding drama. Employees may panic and fail to check that the email is genuine, in an attempt to expedite the request as fast as possible, because their ‘boss’ is apparently behaving in an angry and impatient manner. This is classic social engineering of the victim: using position, haste and an immediate demand for action to limit thinking time. The FBI estimated this kind of fraud to have cost businesses well in excess of £500m at last count (2016).
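The pattern described above (a sender posing as an executive, a reply address that quietly points elsewhere, and urgent payment language) can be turned into a simple triage check that a mailroom or SOC script could run before a message reaches the finance team. The following is an added example written for this page, not code from the original post or from Advent IM; the company domain `example.com`, the executive directory, the keyword lists and the two sample messages are all constructed assumptions, and the similarity threshold for lookalike domains is a heuristic rather than a standard.

```python
"""Heuristic triage for CEO-fraud style emails (added example; all data constructed)."""
import email
import re
import difflib
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed directory: display name -> real address
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "now")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank")


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain, reference=COMPANY_DOMAIN, threshold=0.8):
    """True if `domain` closely resembles `reference` without being identical (e.g. examp1e.com)."""
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= threshold


def _body_text(msg):
    """Collect all text/plain parts, decoding transfer encodings and charsets."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(out)


def _contains_word(text, word):
    return re.search(r"\b" + re.escape(word) + r"\b", text) is not None


def analyse(raw_message):
    """Return a list of findings explaining why a message looks like executive impersonation."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    name_key = display_name.strip().lower()
    from_domain = _domain(from_addr)

    # 1. Display name matches a known executive but the address is not that executive's.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append("display name impersonates executive")

    # 2. Sender domain is external, and possibly a typo-squat of the corporate domain.
    if from_domain != COMPANY_DOMAIN:
        if lookalike_domain(from_domain):
            findings.append("lookalike sender domain")
        else:
            findings.append("external sender domain")

    # 3. Replies would be routed to a different domain than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Pressure language and a money request in subject or body.
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    if any(_contains_word(text, w) for w in URGENCY_WORDS):
        findings.append("urgency language")
    if any(_contains_word(text, w) for w in PAYMENT_WORDS):
        findings.append("payment request")
    return findings


def is_suspicious(raw_message, threshold=3):
    """Flag for manual verification when enough independent signals line up."""
    return len(analyse(raw_message)) >= threshold


# Constructed sample messages (not real captures).
FRAUD_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail-relay.example.net>
To: accounts@example.com
Subject: URGENT wire transfer needed now

I am in a meeting and cannot talk. Process this payment immediately and confirm.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board pack

Please attach the approved figures to the board pack before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), analyse(sample))
```

The point of the check is not any single signal (executives do send urgent emails) but the coincidence of several, which is exactly what the social-engineering setup relies on nobody pausing to notice. A script like this belongs alongside, not instead of, the procedural control the post argues for: any payment request that trips the check is confirmed with the named executive by a channel other than replying to the email.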
Direct financial loss is not the only consequence of this kind of security failing. The reputational harm could result in business-ending customer loss.
If you would like more details on training board level directors, please visit our training area.
- Posted by Ellie Hurst
- On 6th June 2017