Damaging, high-profile corporate data breaches haven't stopped employees—CEOs included—from clicking on questionable links, downloading unauthorized software and engaging in other risky behavior that exposes their companies to cybercrime.
Even as e-mail phishing attacks increase, placing companies at risk of losing billions of dollars, employees often shrug off corporate data-security policies and practices, becoming weak links in cybersecurity efforts, experts note.
Employee training at all levels is considered vital to keeping company data secure.
Business e-mail compromise attacks—company-targeted phishing scams often involving spoofed e-mail addresses, fake websites and malware—continue to grow and evolve, targeting firms of all sizes as well as personal transactions, the FBI reported recently.
In these scams, employees are tricked into wiring funds or sensitive data, such as employee wage and W-2 tax forms, to a cybercriminal's account, believing they're responding to a request from the company's CEO or another top executive.
From October 2013 to May 2018, global "exposed dollar loss" from these scams, defined as actual and attempted financial losses combined, surpassed $12.5 billion, with U.S. victims accounting for $2.9 billion, the FBI reported.
"People need to be trained to spot those and to avoid clicking," said cybersecurity lawyer Michael Morgan, partner at McDermott Will & Emery in Los Angeles.
Cybersecurity firm Code42, in its 2018 Data Exposure Report, found that:
- A majority of chief information security officers (CISOs) believe their companies will have a breach that will go public in the next 12 months. More than 70 percent have stockpiled cryptocurrency to pay cybercriminals.
- 78 percent of CISOs said that "the biggest risk to organizations is people trying to do their jobs the way they want with a disregard for policy" and rules preventing data exposure.
- 93 percent of CEOs keep copies of their work on a personal device outside of company storage.
Show Everyone—Including the CEO—How to Spot Scams
"If you have employees who have access to your system, you're going to need to make sure they're adequately trained to spot things like malicious e-mails. You need to run tests, [such as] a test phishing e-mail, and see how many people click on it," Morgan said. "That'll give you information on the extent to which your employees are tuned in to [potential scams]."
CEOs, privy to highly sensitive information, are prime phishing targets, Morgan noted. Cybercriminals who compromise a senior executive's e-mail can then send messages from that person's e-mail account—perhaps asking an accounting employee to transfer money to an unauthorized person or seeking sensitive information that could damage other victims.
"CEOs receive a very large volume of e-mails. They are just as susceptible as anybody else to clicking on to a suspicious e-mail," Morgan said. They may be busy and hard to train, he added, "but it's especially important for senior executives to get training on how to identify phishing e-mails."
Training, Testing, Multifactor Authentication
Every time a company trains, its risk of falling prey to a successful phishing attack decreases by 20 percent, according to Sharon Nelson, attorney and president of cybersecurity firm Sensei Enterprises Inc. in Fairfax, Va.
One California law firm was the target of a serious phishing attack one week after employees received training, she said. Because of the training, the staff was sensitized, an alert went out and the firm averted a breach.
Employees should be attentive and skeptical of any unexpected e-mail asking them to click on a link or for their password, Morgan said. E-mails purporting to be security alerts asking them to confirm information "should raise a red flag," he said.
Companies can take several other steps to protect their systems, including requiring two-factor authentication to log on to the company network, limiting employees' access to the network, using security software and hiring so-called ethical hackers to try to penetrate the system. Of these, multifactor authentication is the most important step, Morgan said.
"I've only seen one instance where, despite multifactor authentication, a hacker was able to get into the system."
John Simek, Sensei vice president, noted that spam filters and other software can help firms fight phishing scams, with some programs converting attachments to PDF files and changing all incoming links. He cited Microsoft's Office 365 Advanced Threat Protection and similar offerings from other software vendors, including Proofpoint. Even then, he said, training is important, and software can have flaws.
"Just because you have the technology in place, don't think you're bulletproof," Simek said.
Penetration testing, or hiring an ethical hacker to break into the network, is an effective way to find vulnerabilities, according to Sensei's founders, who said it is critical to find people with proper certifications. These can include training from the SANS Institute, a certified information-systems security professional designation from ICS², or a certified ethical hacker certification.
"This is the most dangerous kind of security testing that is done," because things can go wrong unintentionally, Nelson said.
While penetration testing may be too costly for very small businesses, Nelson recommended that companies of any size hire an independent third-party vendor to
conduct a security audit to identify vulnerabilities and make recommendations to address critical problems. Company leaders should know that IT professionals are not necessarily trained in best practices for analyzing and improving a company's security posture, Simek said.
Dinah Wisenberg Brin, a former Associated Press and Dow Jones Newswires staff reporter, is a freelance journalist and writer working from Philadelphia, Pa.