There are never enough hours in the day for your typical business executive. The stresses of running a modern business can stretch even the most productive, and early-rising, individuals to the limit. A Harvard Business Review report from last year, for example, claimed that CEOs work on average 62.5 hours per week — over 50% more than a regular full-time employee. Unfortunately, this may have serious repercussions for cybersecurity.
The latest Verizon Data Breach Investigations Report (DBIR) claims that senior execs are many times more likely to be the target of a breach or serious security incident that in years past. Why? Because they have a crucial combination of not enough time to vet social engineers, alongside privileged network access and organisation-wide authority.
To mitigate the risk from rising attacks on the C-suite, organisations will need to refocus training efforts and tighten technical controls.
Comprised from analysis of over 40,000 global security incidents and more than 2,000 confirmed data breaches across 180 countries, the report is seen as a valuable snapshot into industry trends over the previous 12 months. A third of breaches over the past 12 months featured “social” tactics: that is, phishing, spear-phishing, pretexting, spoofing and other attempts to socially engineer the target into inadvertently installing malware on their network or handing over access credentials. That makes sense. After all, the human is always considered the weakest link in an organisation’s security chain.
However, the difference in this report is which particular humans in an organisation are being targeted. It claims that senior executives are 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years. Incidents in this case involve attacks which compromise “the integrity, confidentiality or availability of an information asset”, while breaches result in confirmed disclosure of data to an unauthorized third party.'By posing as the CEO, CFO or similar from inside their own email account, hackers stand a great chance of convincing finance staff to carry out their money transfer requests without raising the alarm.'Click To Tweet
It’s not difficult to see why senior business leaders are beingly increasingly targeted. Time-poor and under pressure to achieve results, they’re typically more likely to click through on an email without properly reading its contents or sender. These misplaced clicks could enable attackers to gain a foothold in corporate networks via covert malware downloads, or even into the executive’s own account. New research from Barracuda Networks released last week reveals that 29% of organisations had their Office 365 accounts compromised by hackers in March this year, leading to over 1.5 million malicious and spam emails being sent.
These account takeovers (ATOs) can be used as a launchpad not only for data breaches but also Business Email Compromise (BEC). By posing as the CEO, CFO or similar from inside their own email account, hackers stand a great chance of convincing finance staff to carry out their money transfer requests without raising the alarm. Tactics like these led to BEC losses of nearly $1.3bn last year, the most of any threat category and representing almost half of total losses from cybercrime reported to the FBI in 2018.Recent research reveals that hackers typically have over 5 months in an organization before they are detected. Click To Tweet
Reducing dwell time
These C-suite challenges may also partly explain why breaches are going undetected for so long in organisations. According to the Verizon report, over half (56%) of breaches go unreported for “months or longer”.
This chimes with separate research from Mandiant which claims the median dwell time for hackers inside EMEA organisations last year was 177 days. That’s over five months hackers typically have inside an organisation before they’re detected. It goes without saying that the longer they’re in there, the more time they have to exfiltrate sensitive data, and the more an incident will eventually cost to remediate and recover from.
Piecing the puzzle together
The vast majority (71%) of cyber-attacks analysed by Verizon were financially motivated, although a significant minority of nearly a quarter (23%) were linked to nation state operatives who are typically working to different ends. Either way, there’s clearly a potentially major business impact from attacks targeting the C-suite.
IT leaders should be clear that senior executives must be included in employee training and awareness programmes. In fact, it may be worth developing specific courses to focus on the kinds of challenges experienced by those at the top of the organisation. Also included should be any assistants who might manage emails on their behalf. To stand the best chance of success, courses should feature real-world simulations of attacks, run in bite-sized lessons of around 10-15 minutes: little and often.
Of course, training is only one piece of the puzzle. Organisations should also have advanced email filtering in place to spot and block phishing and other malicious messages before they hit the inbox. These could include signature matching, heuristic and behavioural analysis, and even sandboxing. Emerging AI tools can also help here, by better analysing organisations’ communication patterns in order to spot suspicious BEC and phishing emails.
As arguably the weakest part of the weakest link in corporate cybersecurity, the C-suite represents an attractive target for attackers. You can be sure that they’ll keep on plugging away until organisations do something about it.
Spear Phishing : Menaces et tendances principales
Download the free report to learn more about different types of phishing attacks
Phil Muncaster compte plus de 12 ans d'expérience en tant que rédacteur et éditeur dans le domaine de la technologie. Pendant sa carrière, il a contribué à quelques grands titres du secteur, notamment Computing, The Register, V3 et MIT Technology Review. Après une immersion d'un peu plus de deux ans au cœur de la scène technologique asiatique à Hong Kong, il est de retour à Londres, où il s'intéresse désormais de près à la sécurité de l'information.