21 May 2016

Social Engineering: CxO Leadership for BEC...

In the context of cyber security, many practitioners are already familiar with the "Business E-Mail Compromise" (BEC).  Operational Risk Management (ORM) professionals know this:
"Amateurs attack machines, Professionals attack people"

The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/2013 to 12/01/2014, the following statistics are reported:

  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.22
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30

The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase.
What executives at most organizations understand is that they are a potential target for all kinds of threats from inside and outside the company.  Fortune 500 companies already have sophisticated internal accounting controls and "Personal Protection Specialists" who do advance work for the travel a CxO takes across town or overseas.  Yet what about the small-to-medium enterprise with just tens of millions of dollars in annual revenue?  Is it as prepared as it could be for the BEC?

It does not take much for the financial controls and the accounts payable process to break down at companies and organizations that have not prepared for this continuous threat, which relies on the cooperation of your own insiders (employees, partners, suppliers).  The numbers tell the whole story.  Countless times each year, companies are convinced by a single e-mail, crafted by clever "Social Engineering" experts, to transfer money out of their corporate bank accounts.

So what are you doing to prepare, educate and deter this continuous wave of "Social Engineering" attacking your employees and key stakeholders?  How many computers and iPhones in your business or organization receive e-mail on a daily basis?  Each one of these is a threat vector, along with each one of your employees who is the human factor behind the device.

What is amazing today is that a cyber threat like this, one that has been talked about for over a year, is still growing.  Perhaps it is a leadership problem.  Perhaps it is a public safety announcement campaign problem.  In either case, you have to realize that there are some very specific remedies your organization can exercise to deter, detect and defend itself against "Business E-mail Compromise" (BEC).

Executives and senior staff are busy.  They are running the business and rarely have time for that two-hour or half-day training session.  This is your organization's largest vulnerability to begin with.  An apathetic CEO or senior staff is the perfect target for any transnational organized crime (TOC) syndicate on the other side of the globe.

As a CxO, when was the last time you had a campaign within the organization to address these threats?  Weeks, Months, Years?  Why haven't you incorporated a continuous program to keep your employees and staff up to date?  If you have 1247 employees, then you have 1247 vulnerabilities walking around in your enterprise.

When you look at the line item in the Information Technology budget this year for hardware, software, maintenance and cloud computing, look a little further.  Where is the line item for the education program and the tactical awareness that keep your people on the leading edge of deterring the social engineering wave of attacks in your organization?

There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.

This is just a small example of the continuous trend across the small-to-medium enterprise landscape.  You have the control and the ability to make a difference in your enterprise.  The time and the services exist for you to keep your organization safer and more secure than it is today.  When will you decide it is your "Duty of Care" to protect corporate assets and to start using some of the tools to make "Business E-mail Compromise" (BEC) extinct?
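Two of the "very specific remedies" for the scenario above (a look-alike sender domain built from substituted characters, and an executive's name on a foreign address) can be checked mechanically at the mail gateway. The following is an added example, not code from the original post or from DomainTools; the company domain, executive roster, substitution table and distance threshold are all constructed assumptions to be tuned for a real deployment.

```python
# Added example, not from the original post: two defender-side checks for the
# BEC pattern described above. Domain, executive roster and sample headers are
# constructed for illustration; tune MAX_DISTANCE for your own domain length.
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                           # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real mailbox (constructed)
MAX_DISTANCE = 2                                          # edits tolerated before a domain is a look-alike

# Character substitutions commonly used to build look-alike domains (assumed list).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Fold common visual substitutions so 'exarnp1e' compares equal to 'example'."""
    d = domain.lower()
    for lookalike, real in SUBSTITUTIONS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, our_domain=OUR_DOMAIN):
    """True when the sender domain is not ours but is visually or nearly identical to it."""
    if sender_domain.lower() == our_domain.lower():
        return False
    a, b = normalize(sender_domain), normalize(our_domain)
    return a == b or edit_distance(a, b) <= MAX_DISTANCE


def classify(from_header):
    """Return the BEC warning signals raised by the value of a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    signals = []
    if is_lookalike(domain):
        signals.append("lookalike-domain")
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:   # executive's name on a foreign address
        signals.append("exec-display-name-mismatch")
    return signals
```

A gateway rule that quarantines or banners any message raising either signal addresses both the substituted-character domain and the free-mail "from the CEO" variant without relying on the recipient noticing.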
