The Verizon DBIR — The C-Suite is Under Attack

By SE | June 24, 2019 | Updated November 20th, 2020

The Verizon 2019 DBIR comprises the analysis of 41,686 security incidents from 86 countries, of which 2,013 were confirmed data breaches. The report confirms that criminals actively target human vulnerabilities via social engineering attacks. According to this year’s Data Breach Investigations Report (DBIR), of the 2,013 confirmed data breaches, 33% included Social attacks. In view of this, it’s clear that all companies are vulnerable to social attacks. So, if you’re a small to medium-sized business, don’t think you’re off the hook. Notably, in this year’s report, small businesses accounted for 43% of all data breaches. Who are the specific targets within all organizations? The C-Suite. It is under attack and feeling the brunt of social engineering assaults.

The Verizon 2019 DBIR

Social-Engineer, LLC is proud to be a contributor for the 12th edition of the Verizon 2019 DBIR.

The C-Suite is Under Attack

C-level executives (such as the CEO, CFO, COO, and CIO) are a prime target of cybercriminals. They are 12x more likely to be the target of social engineering attacks than other employees. Financial gain remains the primary goal. In total, 71% of all breaches had a financial motive.

Because senior executives have top-level access and are higher up the chain of command to make and approve requests, their email login credentials are very attractive to cybercriminals. For attackers, stolen credentials and compromised email accounts are like having the key to the city. Criminals can come and go at will within the company’s network, like a trusted friend. No brute force needed. A compromised C-suite email account can be used to send wire transfer requests; the criminals then simply wait for the money to arrive. In recent years, Snapchat, Mattel, and FACC have all fallen victim to BEC scams. Verizon reports that Business Email Compromise (BEC) attacks represented 370 incidents, of which 248 were confirmed breaches.

Phishing and vishing are commonly used by attackers to steal credentials. Because of the sheer volume of email that the C-suite handles, their exposure to phishing is higher than that of other employees. Each day they routinely respond to multiple issues that demand quick resolution, creating an environment that is conducive to ‘clicking before thinking.’ Criminals are also harvesting credentials from data leaks and breaches. A 2017 CEO email exposure study found that 81% of the world’s top CEOs have had their personal information exposed in spam lists or leaked marketing databases. Additionally, for 1 out of 3 CEOs, a service they access with their company email has been hacked, and the password they use for that service has leaked.

Strengthen Your Enterprise’s Defenses

All businesses both large and small are vulnerable to social engineering attacks. So, what can you do to strengthen your enterprise’s defenses? We recommend the following actions:

  • Implement security training and awareness that involves the C-suite. It’s important for senior executives to understand how malicious actors use their personal as well as professional online exposure to launch social engineering attacks. With this in mind, the Social Engineering Risk Assessment (SERA) provides expert analysis of your company’s potential risk. It can help you plan, educate, and prepare for a social engineering attack.
  • All employees should receive cybersecurity training. This includes new employees, longtime employees, C-level executives, and contractors. Employees who understand the threats posed by phishing attacks are less likely to click malicious links and more likely to report suspicious activity. Organizations that implement Phishing as a Service® see a dramatic reduction in malware infection rates, laptop re-imaging, drive-by downloads, and adware.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) recommends the following best practices to minimize access to your information:

  • Create a strong password that is unique for each device or account.
  • Additionally, consider using a password manager.
  • If available, use two-factor authentication.
  • Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Do not post information on social media that can make it easier for someone to guess your password.
  • It’s equally important to create unique accounts for each user per device.

Take Action Now!

Don’t put off security training and awareness. Take the necessary action today to strengthen your enterprise’s defenses.

Sources:
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/
https://www.social-engineer.com/phishing-c-suite-executives-keep-biting/
https://press.f-secure.com/2017/10/25/study-shows-30-of-ceos-have-been-pwned-passwords-exposed/
https://www.social-engineer.com/assess-your-risks/
https://www.social-engineer.com/social-engineering-risk-assessment/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-111/
https://www.social-engineer.com/phishing-as-a-service-phaas/
https://www.us-cert.gov/ncas/tips/ST04-003

Images:
Verizon Data Breach Investigations Report
