Email Security

Fortune 500 Executives Often Fall for Trivial Attacks: Report

Phishing attacks continue to succeed with alarming regularity, and the problem is not just limited to regular employees.


Everyone in the organization, from the executives upstairs to the employees in the trenches, needs to learn how to recognize a phishing attack. Recent attacks were the result of someone not recognizing an email as malicious and opening the attachment or clicking on the link. When presented with a form asking for information, such as login credentials or other sensitive data, the victim didn't realize the form wasn't real.

Results from simulated phishing attacks show that C-level executives may be the most likely to take the bait, whether the spear phishing attack is simple or sophisticated, Wombat Security Technologies said. In fact, the data shows that corporate executives are falling for lures such as electronic faxes, fake conference registrations, shipping confirmations, and social media password resets.

Not only are executives clicking on potentially malicious links, “some senior executives are actually submitting login credentials,” Wombat said.

IT security teams need to make sure that the entire employee base, including executives and their assistants, is covered when putting together security training programs. If the executives push back, security managers have to be able to quantify the risk of not training everyone.

It's good to know the actual costs, in numbers, of not investing in comprehensive security training: damage to brand reputation, loss of intellectual property, and the time and expense IT spends cleaning up infected machines.

Security officials can demonstrate what kind of damage can be caused if executives are phished, as opposed to just focusing on examples of what happens if regular employees are phished. This is also a good time to show how much time IT already spends chasing down threats and incidents. How much does this cost the organization? IT can also present a list of projects they could be working on if they could reduce the amount of time dealing with these phishing attacks.


“Risky behavior is expensive,” Wombat said. Security officials have to show the numbers to get the executive buy-in for security awareness.
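One way to put those numbers in front of an executive team is to break the results of a simulated phishing campaign down by role, so that the click rate and, more importantly, the credential-submission rate of executives and their assistants can be set beside those of the rest of the staff. The script below is an added example, not code from the SecurityWeek article or from Wombat; the CSV export format (recipient, role, lure, outcome) and every record in SAMPLE_LOG are constructed for illustration and do not represent real campaign data.

```python
"""Per-role results of a simulated phishing campaign (added example).

The export format and the records in SAMPLE_LOG are constructed;
real phishing-simulation platforms use their own export schemas.
"""
from collections import defaultdict
import csv
import io

# Constructed campaign export: one row per recipient and lure.
# outcome is one of: ignored, opened, clicked, submitted
SAMPLE_LOG = """\
recipient,role,lure,outcome
ceo@example.com,executive,efax,submitted
cfo@example.com,executive,conference_registration,submitted
coo@example.com,executive,shipping_confirmation,ignored
ea1@example.com,executive_assistant,social_password_reset,submitted
ea2@example.com,executive_assistant,efax,opened
dev1@example.com,staff,efax,ignored
dev2@example.com,staff,shipping_confirmation,clicked
hr1@example.com,staff,social_password_reset,ignored
it1@example.com,staff,conference_registration,ignored
"""

# Each outcome implies the ones before it: a submission required a click.
SEVERITY = {"ignored": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse_log(text):
    """Parse the CSV export into a list of dict rows, rejecting unknown outcomes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["outcome"] not in SEVERITY:
            raise ValueError(f"unknown outcome {row['outcome']!r} for {row['recipient']}")
        rows.append(row)
    return rows


def rates_by_role(rows):
    """Return {role: {"n": recipients, "click_rate": x, "submit_rate": y}}.

    click_rate counts recipients who clicked or went on to submit credentials;
    submit_rate counts only those who submitted credentials to the fake form.
    """
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "submitted": 0})
    for row in rows:
        c = counts[row["role"]]
        sev = SEVERITY[row["outcome"]]
        c["n"] += 1
        if sev >= SEVERITY["clicked"]:
            c["clicked"] += 1
        if sev >= SEVERITY["submitted"]:
            c["submitted"] += 1
    return {
        role: {
            "n": c["n"],
            "click_rate": round(c["clicked"] / c["n"], 2),
            "submit_rate": round(c["submitted"] / c["n"], 2),
        }
        for role, c in counts.items()
    }


def riskiest_roles(rows):
    """Roles ordered by credential-submission rate, then click rate, descending."""
    stats = rates_by_role(rows)
    return sorted(
        stats,
        key=lambda r: (stats[r]["submit_rate"], stats[r]["click_rate"]),
        reverse=True,
    )


def report(text):
    """Plain-text table of per-role results, riskiest role first."""
    rows = parse_log(text)
    stats = rates_by_role(rows)
    lines = [f"{'role':<20}{'n':>4}{'click':>8}{'submit':>8}"]
    for role in riskiest_roles(rows):
        s = stats[role]
        lines.append(f"{role:<20}{s['n']:>4}{s['click_rate']:>8.0%}{s['submit_rate']:>8.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Submission rate, not click rate, is the number to lead with: a click on a tracked link is a near miss, while credentials typed into the fake form are exactly the "keys to the kingdom" outcome the article warns about, and on the constructed data above it is the executive role that tops the table.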

Anyone who has access to the executive's email, such as the assistant, also needs to be part of the training. Just as there's no one too important to deal with training, there's no one "not important enough" to be trained. If the assistant learns how to recognize phishing attacks, that assistant is less likely to inadvertently hand over the keys to the kingdom on the boss's behalf.

“If you’ve got stats and numbers to back you up, there’s no reason to let the executive team off the hook for training,” Wombat said.

No one’s time is so valuable that they don’t need security. The CEO and the executive team need to set a good example for the rest of the organization.
