Phishing attacks are growing off the chart, and while we're not surprised by the numbers of attacks we are seeing, the dirty little secret chief security officers don't want to talk about is that the executive team may be the ones putting the company at risk.
In a recent report published by anti-virus software developer Kaspersky Lab, phishing attacks (including the most sophisticated and targeted spear-phishing scams) have registered an 87 percent spike in just one year. The report reveals that the number of Internet users targeted by phishing jumped from 19.9 million to 37.3 million. Meanwhile, phishing attacks affected an estimated 102,100 people worldwide daily in 2012-2013, twice as many as in 2011-2012.
The widening availability of cyber criminal tools in conjunction with growing online activity is pushing the number of attempted phishing scams upward at an alarming rate. But what's even more alarming is simulated attacks by cyber security experts are revealing that corporate executives are falling for simple phishing emails such as electronic faxes, fake conference registrations, shipping confirmations, and social media password resets. Not only are these executives clicking on potentially malicious links, the data reveals that some senior executives are actually submitting login credentials, which could expose their company to harmful and costly data breaches.
As online personal and work identities continue to merge, social networking sites have opened paths to tremendous stores of information for criminals to leverage. This information is used to lure employees and executives alike into taking risky actions based on a false sense of security. And the increase in bring-your-own-device (BYOD) and mobile computing only adds to the ways criminals target users. Cyber criminals are finding more ways to attack unsuspecting employees with increasingly complex attacks, targeting all levels in an organization.
As the debate continues regarding cyber security training, it's important to note that a recent Naked Security Survey found that 85 percent of information security professionals support the use of simulated phishing attacks for the purpose of training employees. The impact of security awareness and education programs cannot be overstated, especially when addressing all levels in an organization. Recent data revealed that an average of 33 percent of Fortune 500 corporate executives are taking the phishing bait. This is based on simulated phishing attacks which show that executives are as susceptible as other employees. However, because of their increased network access or data privileges, executives are extremely valuable targets to the criminals.
So what's the answer? It's up to CSOs to convince the entire organization of the importance of effective education and behavior change to defeat cyber attacks. After all, everyone with access to digital data is at risk. And executives should not be exempt from education that can have such a positive impact on an organization's susceptibility. As agents of change, these leaders have the opportunity and responsibility to lead by example.
However, getting the CEO and other executives to participate in security training may require a strategic plan. Use the following tips to help get your C-level executives into the training fold:
1. Know your numbers: Know the cost of cleanup after successful attacks. This is a cost that can be mitigated by investment in effective training. I have seen a positive return on investment based on decreasing the number of attacks by just 10 percent.
2. Don't leave out the executive assistants: Often executive assistants have access to and are empowered to respond to, forward, or initiate executive emails. Remember that executive assistants with permission to receive or send sensitive data from executive accounts are as vulnerable as their bosses.
3. There is a cost benefit to avoiding remediation: If the security staff is not swamped chasing down threats and fixing a multitude of infections and breaches, strategic or revenue-generating endeavors can be prioritized. Too many times, the security team is fighting fires and not finding enough time for significant proactive change.
4. “My time is too valuable” is not an answer: Everyone is pressed for time, but executives have to find the time for training and set an example for the rest of the organization. Many times they hold the keys to the data kingdom, if you are not training them, you are missing one of the largest and most valuable targets.
The case for effective security training is made with statistics and other hard numbers. Know your numbers to make the most effective business justification for cyber security training.
With phishing attacks on the rise globally, senior executives should no longer be exempt from security awareness and education efforts. The only choice for employees at every level of the corporate ladder is to fully engage in the fight against cybercrime. This means security awareness and education for everyone, including those at the top.
