The Verizon DBIR — The C-Suite is Under Attack

By SE | June 24, 2019

The Verizon 2019 DBIR is compiled from the analysis of 41,686 security incidents from 86 countries, of which 2,013 were confirmed data breaches. The report confirms that criminals actively target human vulnerabilities through social engineering attacks. According to this year’s Data Breach Investigations Report (DBIR), 33% of the 2,013 confirmed data breaches included Social attacks. All companies are vulnerable to these attacks. If you’re a small to medium sized business, don’t think you’re off the hook: in this year’s report, small businesses accounted for 43% of all data breaches. Who is being targeted within these organizations? The C-Suite is under attack and feeling the brunt of these social engineering assaults.

Social-Engineer, LLC is proud to be a contributor for the 12th edition of the Verizon 2019 DBIR.

The C-Suite is Under Attack

C-level executives (such as the CEO, CFO, COO, and CIO) are a prime target of cybercriminals. They are 12x more likely to be the target of social engineering attacks than other employees. Financial gain remains the primary goal: in total, 71% of all breaches had a financial motive.

Because senior executives have top-level access and are higher up the chain of command to make and approve requests, their email login credentials are very attractive to cybercriminals. For attackers, stolen credentials and compromised email accounts are like having the key to the city. Criminals can come and go at will within the company’s network, like a trusted friend. No brute force needed. A compromised C-suite email account can be used to send wire transfer requests; the criminals then simply wait for the money to arrive. In recent years, Snapchat, Mattel, and FACC have all fallen victim to BEC scams. Verizon reports that Business Email Compromise (BEC) attacks represented 370 incidents, of which 248 were confirmed breaches.

Phishing and vishing are commonly used by attackers to steal credentials. Because of the sheer volume of email that the C-suite handles, their exposure to phishing is higher than that of other employees. Each day they routinely respond to multiple issues that demand quick resolution, creating an environment that is conducive to ‘clicking before thinking.’ Criminals are also harvesting credentials from data leaks and breaches. A 2017 CEO email exposure study found that 81% of the world’s top CEOs have had their personal information exposed in spam lists or leaked marketing databases. And for 1 out of 3 CEOs, a service they access with their company email has been hacked, and the password they use for that service has leaked.

Strengthen Your Enterprise’s Defenses

All businesses, both large and small, are vulnerable to social engineering attacks. So, what can you do to strengthen your enterprise’s defenses? We recommend the following actions:

  • Implement security training and awareness that involves the C-suite. It’s vital for senior executives to understand how malicious actors use their personal and professional online exposure to launch social engineering attacks. The Social Engineering Risk Assessment (SERA) provides expert analysis of your company’s potential risk, and is designed to help you plan, educate and prepare for a social engineering attack.
  • All employees should receive cyber security training. This includes new employees, longtime employees, C-level executives, and contractors. Employees who understand the threats posed by phishing attacks are less likely to click malicious links and more likely to report suspicious activity. Organizations that implement Phishing-as-a-Service programs see a dramatic reduction in malware infection rates, laptop re-imaging, drive-by downloads, and adware. They are also better equipped to protect their organization’s most critical assets and trade secrets.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) recommends the following best practices to minimize access to your information:

  • Create a strong password that is unique for each device or account.
  • Consider using a password manager.
  • If available, use two-factor authentication.
  • Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Answers that can be found on your social media, or facts everyone knows about you, make it easier for someone to reset your password.
  • Create unique accounts for each user per device.

Don’t put off security training and awareness. Take the necessary action today to strengthen your enterprise’s defenses.

Sources:
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/
https://www.social-engineer.com/phishing-c-suite-executives-keep-biting/
https://press.f-secure.com/2017/10/25/study-shows-30-of-ceos-have-been-pwned-passwords-exposed/
https://www.social-engineer.com/assess-your-risks/
https://www.social-engineer.com/social-engineering-risk-assessments-sera/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-111/
https://www.social-engineer.com/phishing-service/
https://www.us-cert.gov/ncas/tips/ST04-003

Images:
Verizon Data Breach Investigations Report