CIO/CISOs can help others in the C-suite to understand the dimension of the cyber security challenge, and come up with appropriate solutions
C-level executives, who have access to a company’s most sensitive information, are now the major focus for social engineering attacks, alerts the Verizon 2019 Data Breach Investigations Report. Senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years. The study finds financial motivation remains the key driver behind these attacks.
Social engineering attacks on the rise
The study sees a rise in the financially-motivated social engineering attacks on the C-level executives. A good example is the increasing success of business email compromises (BECs). These types of social attacks represent 370 incidents or 248 confirmed breaches of those analyzed.
Senior executives, who are typically time-starved and under pressure to deliver, review and click on emails randomly, often become victim of cyber attacks. Some also have assistants managing email on their behalf, making suspicious emails more likely to get through. The stressful business environment combined with a lack of focused education on the risks of cybercrime, the report notes.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical – often personal – data will be assembled and analyzed at eye-blink speed, changing how applications utilize secure network capabilities,” comments George Fischer, president of Verizon Global Enterprise.
He believes that security must remain front and center when implementing these new applications and architectures.
Cloud solutions increase risks
The findings also highlight how the growing trend to share and store information within cost-effective cloud based solutions is exposing companies to additional security risks.
The study found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials. In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration (“Miscellaneous Errors”) led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records analyzed in the DBIR dataset. This accounts for 21% of breaches caused by errors.
Bryan Sartin, executive director of security professional services at Verizon comments, “As businesses embrace new digital ways of working, many are unaware of the new security risks, to which, they may be exposed. They really need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.”
Lessons for CIOs and C-suite
The lessons are clear for the C-suite: Cyber security must be a leadership priority, because data breaches have a direct impact on an organization’s financial wellbeing. CIO/CISOs can help others in the C-suite to understand the dimension of the cyber security challenge, and how to formulate appropriate solutions.
Firstly, there should be regular discussions in the boardroom on the corporate impact of a data breach and who is responsible for preventing data breaches (and the onus should lie not on the CIO alone). Is having a dedicated Chief Information Security Officer (CISO) ensure that information assets and technologies are protected. If C-suite lacks an accurate picture of the risks faced by the business, they will set the wrong priorities and invest in addressing the wrong areas. This would make the organization vulnerable to attack.
Secondly, it is important to identify what is the biggest threat to data security? Almost two thirds of CEOs believe malware is the most serious and pervasive threat facing their organizations, according to another research. However, technology leaders like CISOs, CIOs and CTOs say that the primary threat comes from the misuse of privileged user identities and passwords. Studies show NO password is strong enough no matter how frequently it is changed. In this regard, Multi-factor Authentication (MFA) – which mandates a second step to confirm a user’s identity, such as a text-to-mobile verification code – provides much more robust protection for data and deters intruders.
Thirdly, working on the supposition of ‘when’, rather than ‘if’, provides a much more realistic and practical position towards today’s threat environment. Firms can manage lateral access through privileged access management. This ensures that users have access only to the privileges, systems and data they need for their jobs. A ‘zero trust’ is the best option assuming that un-trusted actors already exist both inside and outside the network, and absolutely everything on the enterprise’s network – users, endpoints and resources – must be identified and verified.
Finally, C-suite should monitor the security credentials when someone leaves the company. Businesses require a centrally managed console from which security staff can monitor access to the app, provide single sign-on to multiple applications and manage the devices used to access those systems.
Studies show there is a need to prepare the enterprise for the worst, by making a proactive investment in cyber security. Attacks on the C-suite highlights the critical need to ensure all levels of employees are made aware of the potential impact of cybercrime and subsequently more power to the CIO/CISOs to mitigate and strategically secure a key place in the boardroom.