Cybersecurity is a constant concern for enterprises, and IT departments go to great lengths to secure their networks and workforce users. Now, new research indicates that cyberthreats are increasingly aimed at executives. Social engineering attacks, in particular, are targeting the C-suite.
The SANS Institute defines social engineering threats as psychological assaults “where an attacker tricks you into doing something you should not do.” Today, such attacks are usually carried out by digital “phishing” — often experienced as fraudulent email purporting to be from a legitimate source.
These phishing messages may carry malware-laden attachments designed to infect the target’s computer, or simply steer victims to bogus web forms where they are tricked into entering sensitive data such as usernames and passwords.
IT and InfoSec professionals will note that phishing has been a cybersecurity problem for more than 20 years, but research indicates it’s now surging. Figures from this year’s Microsoft Security Intelligence Report show that phishing attacks increased by a massive 250% in 2018.
Interestingly, Verizon’s recent 2019 Data Breach Investigations Report (DBIR) found that executives with access to valuable company data are increasingly targeted by social engineering threats. The report analyzes 41,686 security incidents and 2,013 confirmed breaches from 86 countries. It shows that senior executives are now 12 times more likely than in previous years to be the target of social engineering attempts, and 9 times more likely to be the target of social engineering breaches.
Since harried executives often possess unchallenged approval authority and privileged access to critical systems, they are high-value targets for phishing-related cybercrime. “Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” according to Verizon. This drives the increasing success of social attacks such as business email compromise (BEC), classified by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) as a sophisticated phishing scam targeting both businesses and individuals who perform wire transfer payments.
Since the modern executive is typically on the move, mobile phones and their interfaces also play an important role in social engineering’s uptick. Increasing dependency on mobile devices for business communications presents added opportunity for criminals to successfully phish via SMS or email.
Arun Vishwanath, chief technologist at Avant Research Group, contributed to the Verizon DBIR. He notes that users are “significantly more susceptible” to the social attacks they receive on mobile devices, and points to both device design and behavioral norms as factors that increase risk. Limited screen sizes restrict what can be seen clearly; operating systems and apps restrict or limit the availability of verification information such as SSL certificate details; and mobile software emphasizes interface elements that encourage quick actions such as accept, reply, and send.
“On the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions,” according to Vishwanath. The fact that many people are multitasking while using their mobile devices — walking, chatting, driving, shopping, you name it — only adds to the level of distraction and reduced scrutiny of incoming information, making them even more susceptible to social engineering attacks.
Whether executive or employee, users are simply more vulnerable to phishing on mobile devices than on desktop computers, and this should be of major concern to enterprise executives. The blurred lines between corporate and personal applications, and the toggling between multiple email inboxes (work and home), are major contributing factors to an expanding threat surface. Even phishing attacks delivered through instant messaging or SMS, which may originate entirely outside the corporate network, can be used by criminals to gain access, gather critical details (data, passwords, intellectual property, etc.), and cause significant damage to enterprises.
Enterprise leaders need to protect both themselves and their organizations from threats customized to fool them. Greater awareness helps, but better preventive tools that leverage automation and the cloud to strengthen security posture are also wise investments.
Eric Williams is the founder and CEO of ijura (www.ijura.com), whose cloud-based cybersecurity platform provides comprehensive mobile threat defense solutions to detect and remediate attacks against businesses, their employees, and their customers. Ijura (@ijuraCloud) is a wholly owned subsidiary of Tata Communications. Eric can be reached at email@example.com.