We should welcome the move by Obama’s administration to go after more funding – defending the nation from the growing threat of cyberattacks has to be a priority for any world government.
The focus on more money for improving private, public and international collaboration is particularly important. The threat we face, after all, is universal and international, like the Internet itself: a threat to private companies is a threat to the economy, and an attack on the public sector will impact the private. We should all hope his call is heard and acted on by Congress, too – cybersecurity of national infrastructure, and of the public and private sector, is too important to be a victim of partisan politics.
2016 is an election year, so the danger is that Obama’s successor is likely to want to just build a bigger wall around whatever needs protecting, and while that might be reassuring for voters, it’s a representation of how we’ve classically thought about the security of our assets. But, it’s 2016 and the wall, perimeter, LAN and the defences we used to rely on are all DOA today. The breaches we see every day show they are clearly not protecting us well enough. We need to see a strategy rethink. Many organizations are not updating their spending patterns for cybersecurity to fit with the modern threats they face – that can be very damaging.
If you needed a letter from the President to get budget prioritized for cybersecurity projects, chances are, you’re way behind the security curve and are likely going to be spending on remediation rather than protection.
Cybersecurity has become the issue of 2015 and 2016; there’s enough evidence out there that the government, large corporations and consumers have been dramatically hurt by hacks and cybercrime. The OPM, FBI, State Department and White House hacks, when combined with Sony, Target, Anthem and the many others, show us that cybercriminals are making significant progress against our best traditional defences.
If you’re only now waking up to the issues of cybercrime, cyber warfare and hacking because of Obama’s political promises, then it’s likely you’re already being badly burned both organizationally and personally. Even if you don’t know it yet.
The enormity of the threat should not be new to us, should it? We’re several decades on from the invention of the first technologies that gave us viruses, Trojans and polymorphic files. We’re coming up to the fifth anniversary of the ground-zero hack for enterprises through email – the RSA Security hack of 2011 – yet we’re still seeing our corporate and personal lives affected by cyber-nefariousness.
I’m constantly hearing from CISOs and IT Managers: “We’ve just updated our security ‘a couple of years ago’ so we’re doing just fine.” This is their defence for not changing strategy, asking their executives for additional budget or modernizing a security solution. And, this worries me – here’s why: First, because anything that ends in “doing just fine” usually means you’re not fine, or you’re about to find out the hard way. And, second, when you look at how advanced the cyber-threat landscape has become over the last two years (and how quickly it moves), anything you added to your security stack a few months ago could already be out of date.
So, if it was a letter from the President you needed to motivate you to deliver up-to-date protection for your network, now you have one. There should be no more excuses. Get it done. It’s your civic and corporate duty. Modernizing your cybersecurity protections, updating your processes and educating your people is a necessity you cannot delay any longer. Unless, of course, you fancy being the next organization in the headlines or explaining a breach to your bosses.
It seemed clear to a lot of the speakers and delegates at the recent RSA Conference that protecting organizations from cyberattack is not just the responsibility of the IT security team. Shared responsibility is the expression on everyone's lips.
Many of the sessions and speakers talked at length about how the changing nature of the attack, and the significant damage they are now causing, means the executive leadership of every private or public organization, big or small, needs to take the threat seriously.
I bet if you found the CEOs or CFOs of the many companies that have suffered a high-profile attack – Sony Pictures, Target, SnapChat, etc. – they would all agree that a hack, data breach, ransomware or whaling attack is a big deal. They cost money to fix. They damage reputations. They disable organizations. Employees care, shareholders don't like them and regulators or law enforcement are very concerned. Nobody wants to be the next CIO reporting a breach to their board.
But, amazingly, our own research shows that despite the high-profile damage attacks are causing, a surprisingly small number of executives are taking IT security seriously. According to IT pros surveyed, only 15 percent of C-level executives are extremely engaged in email security, and 30 percent are somewhat engaged. Confidence plays a major role in this equation: confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate.
The most confident were also most likely to feel they had good security resources. It is no surprise to me that executive support also leads to the proper investment. If the problem is understood and taken seriously, money and resources will follow.
But, it’s not just about how much the C-suite is involved in email security decision-making, it’s also about how they prioritize it in the broader business strategy. According to research from ISACA and RSA, 63 percent of respondents say their cybersecurity function (CISO) reports into the CIO and not the CEO. They argued, in a session at RSA, that this can create a conflict of interest, as the CIO is balancing a diverse range of priorities and may inappropriately deprioritize security in an effort to balance the books. The engaged CEO will consider IT security a risk management issue while the CIO will see it as a technology problem. Who the CISO reports to could make all the difference to the level of protection and cultural focus cybersecurity has in an organization.
So, it’s time for both sides to get together and recognize email security is a shared responsibility. The organizations that work together and see the wider relationship between IT security and other corporate risks are better placed to protect themselves from the worst effects of an attack. The problem is part technology, but also commercial, cultural, human and process.
On the IT side, learn to speak the language of the boardroom and show in real terms the risk and cost of the problem. This is not a technology conversation, it is a risk management discussion. On the executive side, take the time to understand the exposure and risk your organization is facing and put IT security higher on the risk management priorities. If you are a shareholder, next time you get the opportunity, ask the CEO or CFO about their IT security strategy. If their answer is ill informed, you might want to reconsider your investment.
Email security is not the responsibility of just the IT team. Everyone across the organization needs to play a role in protecting mission-critical data. It’s up to IT and the C-suite to work together to make email security part of the broader business strategy.
Protecting yourself from cyber-attack used to be about technology. But I have heard it repeated time and time again this week at the industry’s annual go-to security event, RSA Conference in San Francisco, that this is not enough.
Sure, you need the right technology, but attacks can’t be completely repelled with technology alone. You need to turn your employees into a new line of defense – something we have often called your Human Firewall.
Why? Well, today it makes much more ‘economic’ sense if you are an attacker to go after people.
For years now, most organizations have invested heavily on perimeter defenses, and as time passes, the historic security loopholes or open doors in the products we rely on have been closed and the defenses toughened – making it a harder job for attackers to go after your network. Not impossible, but harder. Requiring more skill, effort, resources and persistence.
Meanwhile, at the same time, we have put more and more technology into the hands of our employees and connected them to the outside world in multiple ways: email, social media, cloud services, mobile. We actively encourage our people to connect with customers, colleagues, contacts and prospects. It’s a part of being a modern organization.
So, an attacker has a choice to make about what strategy to apply, and they are going to look for the path of least resistance – the ‘return on investment’ business case for attacks on people is just too compelling. Because people are, after all, “only human.” For all our great qualities, from a security perspective, we are fallible. Prone to being tricked, scammed or bamboozled. As Admiral Rogers of the NSA said this week at RSA about employees and their role in cyber security: “… every individual we have given access to a keyboard is a potential opportunity or a threat.”
And, right at the center of all this sits email. Behind every email address is a person. Guaranteed. Sending an email costs next to nothing. Sending thousands of emails costs next to nothing. And if you invest a little time in social engineering to improve the targeting of your attack, just a few minutes on LinkedIn should do it, research suggests you are almost guaranteed to get a hit.
So, if you are an attacker what do you do? Buy hacking toolkits, invest in people resources, get heavy duty computing power, persistently attack a target over days, weeks or even months or find the CFO or CEO’s assistant’s name, fake an email address to look like their boss and then start an email dialogue?
Spear-phishing in its various guises, and specifically now CEO Fraud or whaling attacks, are the new frontline we need to defend. And, defense requires new technology, employee security training and culture change.
That’s why our Targeted Threat Protection service combines comprehensive technology protection with user awareness capabilities. You need to do both to effectively protect against attacks using malicious URLs, weaponized attachments and now non-malware emails used for whaling. With Mimecast, when you click on a malicious link we don’t just scan it, we tell you what we are doing so the employee sees the risk they are potentially putting the organization under and learns for next time. Receive an email that looks like it comes from the CEO, but in fact is from a spoofed domain name (even if it looks like your own) - we make that clear to the employee with an alert. And, receive an attachment – we convert it to a safe format before delivering it to you so any potential malicious payload is disabled and we explain why.
In recent months we have seen a growth in a new form of targeted attack in email specifically aimed at defrauding CEOs and CFOs, and duping their teams into wiring cash to cyber-criminals and hackers. These Business Email Compromise (BEC) or so-called ‘whaling’ or ‘CEO fraud’ emails are becoming widespread, impacting organizations of all sizes.
The criminals are not stealing petty cash either - this can be a multi-million dollar fraud. Just ask aerospace component manufacturer FACC, which admitted a massive fraud of $55 million in January. The FBI’s Internet Crime Complaint Center (IC3) reported in August last year that attacks were growing – an increase of 270% in victims since the beginning of the year. They reported complaints from over 8000 victims globally representing a potential loss of nearly $800m. They estimate that when you add in cases reported by international law enforcement agencies the total is over $1.2 billion. The FT then went on to report that losses in the last six months were accelerating and another $800m had been reported stolen.
The crime isn’t limited to the U.S. either of course. The 2015 official Crime Survey of England and Wales included ‘CEO fraud’ (or whaling) for the first time with over 5.1m cases. Now these frauds do also include attacks on credit cards or over the phone but online is only set to grow as the favored, and largely anonymous and hard to police, attack of choice.
In fact, Mimecast’s own research in December showed that 55% of the respondents of the 442-company survey had seen an increase in whaling attacks in just the last three months of 2015.
And this fraud is not just grabbing press headlines. World governments are prioritizing tackling it. In the last week alone the British Government has announced a new multi-agency fraud taskforce to look at this and other fraud attacks.
But success here is not just about law enforcement and email security.
New technical defenses are needed and there is a significant education effort to do. Whaling is just another form of targeted email attacks. Highly targeted but still designed to exploit your greatest security weakness – your people.
So, how does it work? Disturbingly simple, really. An email is sent to a target individual (often with a spoofed or similar sounding domain name) pretending to come from the CEO or CFO and usually to someone in the finance team asking them to make a wire transfer. The emails will be very convincing and use relevant information gained through extensive research of the target. They are the product of considerable effort – they will look right, they will sound right, and they will be carefully targeted and tailored. And ultimately they rely on our obedience to hierarchy, particularly our discomfort challenging our bosses and perhaps most disgustingly, our inherent desire to help others. Cyber-criminals will often place a telephone call to their victim too, for added authenticity and persuasion.
Research from Verizon’s Data Breach Investigation Report in 2015 tells us that a traditional phishing email attack will dupe 23% of people who receive it and 11% of those will go on to open a link or attachment. A concerted ‘campaign’ of attack emails will be even more successful – 10 emails will have a 90% chance of hooking at least one victim. These numbers show us that any social engineering-based attack using email is likely to be successful.
And remember, these figures are for attacks that are not highly targeted at an individual employee. So it is safe to assume the hit rate for a highly targeted email purporting to come from the CEO is going to be much more successful – and potentially damaging.
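The jump from a 23% per-recipient rate to a 90% chance of at least one victim in a ten-email campaign follows from treating each recipient as an independent trial. The short Python below works that arithmetic through, both for the page's figures and for arbitrary rates and campaign sizes; it is an added illustration, not code from the original post or from Mimecast, and the independence assumption and the per-email rates are its only inputs.

```python
import math


def campaign_hit_probability(p_per_email, n_emails):
    """Probability that at least one of n recipients falls for the lure.

    Assumes each recipient is an independent trial with the same per-email
    success rate p, so the chance that *nobody* bites is (1 - p) ** n.
    """
    return 1.0 - (1.0 - p_per_email) ** n_emails


def emails_needed(p_per_email, target_probability):
    """Smallest campaign size whose at-least-one-victim probability reaches the target.

    Solves 1 - (1 - p) ** n >= target for n; used here to show how few messages
    a campaign needs before it is almost certain to land, which is why the
    defensive posture has to assume someone will click.
    """
    if not 0.0 < p_per_email < 1.0 or not 0.0 <= target_probability < 1.0:
        raise ValueError("p must lie in (0, 1) and target in [0, 1)")
    return math.ceil(math.log(1.0 - target_probability) / math.log(1.0 - p_per_email))


def campaign_table(p_per_email, sizes=(1, 5, 10, 20)):
    """Per-size success probabilities, rounded, for a quick awareness-briefing table."""
    return {n: round(campaign_hit_probability(p_per_email, n), 3) for n in sizes}


if __name__ == "__main__":
    # The page's Verizon figures: 23% duped per email, 11% go on to open a link or attachment.
    for rate, label in ((0.23, "duped"), (0.11, "opened link/attachment")):
        print(f"{label}: p={rate}", campaign_table(rate),
              "emails to reach 90%:", emails_needed(rate, 0.90))
```

With p = 0.23 the ten-email campaign comes out at roughly 0.93, which is the "over 90%" the page quotes; with the 11% click-through figure it is about 0.69, and the campaign needs around 20 messages to pass 90%. Either way the curve saturates quickly, and for a whaling email tailored to one named finance employee the per-recipient rate is higher still, which is the point of the paragraph above.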
So, what can you do about it? We have written about this in more detail before here but in summary:
Technology can help – we announced a new capability this week for Mimecast Targeted Threat Protection called Impersonation Protect that gives you protection against whaling attacks and you can find out more here. You can also use email stationery that marks external email to make it obvious to the recipient that the email originated from the outside world. Register all available top-level domains (TLDs) you can that are direct or ‘near’ in name to your own to make it harder to spoof you. Subscribe to domain registration services so you get an alert when someone is creating one that might resemble yours.
Education is key – remember this is largely an attack on people not technology. So educate senior management, or those perceived to be ‘at risk’ (finance, HR, IT) about this specific attack. Help them to recognize its characteristics. Review your finance standard operating procedures to take into account this new type of attack. Then test your team. Conduct regular fake attacks to learn from your mistakes.
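The technology measures in the summary above (marking external mail, and spotting sender domains that are ‘near’ your own) can be demonstrated with a small inbound-mail classifier. The Python below is an added example and not Mimecast's Impersonation Protect or any code from the original post: it assumes a protected domain of `example.com` and a list of executive names (`EXECUTIVES`), applies a naive two-label view of domains rather than the public suffix list, and runs over a handful of constructed message headers, tagging each with why a recipient should be cautious.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"             # assumption: the organisation's own mail domain
EXECUTIVES = ["Jane Doe", "John Roe"]  # assumption: names most likely to be impersonated

# Common look-alike substitutions seen in typo-squatted and homoglyph domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label):
    """Collapse look-alike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance; a distance of 1 catches single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain, org_domain=ORG_DOMAIN):
    """The organisation's own domain or one of its subdomains."""
    domain = domain.lower()
    return domain == org_domain or domain.endswith("." + org_domain)


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True when an external domain is built to resemble the organisation's own.

    Naive view: second-level label + TLD (no public suffix list), which is an
    assumption of this example.
    """
    domain = domain.lower()
    if is_internal(domain, org_domain):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    org_label = org_domain.split(".")[0]
    sld = labels[-2]
    if normalize_label(sld) == normalize_label(org_label):   # examp1e.com, example.net
        return True
    if levenshtein(sld, org_label) <= 1:                      # examplle.com
        return True
    return org_label in labels[:-2]                           # example.com.evil-host.net


def name_tokens(display_name):
    return set(re.findall(r"[a-z]+", display_name.lower()))


def classify(headers):
    """Return the warning tags a gateway would attach to one message's headers."""
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    tags = []
    if not is_internal(from_domain):
        tags.append("EXTERNAL")
        if is_lookalike(from_domain):
            tags.append("LOOKALIKE_DOMAIN")
        # Executive's name on an outside address is the classic whaling pattern.
        if any(name_tokens(name) <= name_tokens(from_name) for name in EXECUTIVES):
            tags.append("EXEC_NAME_IMPERSONATION")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:      # replies silently routed elsewhere
            tags.append("REPLY_TO_MISMATCH")
            if is_lookalike(reply_domain):
                tags.append("LOOKALIKE_REPLY_TO")
    return tags


def tag_subject(subject, tags):
    """The 'external email' stationery idea, applied to the subject line."""
    return f"[EXTERNAL] {subject}" if "EXTERNAL" in tags else subject


# Constructed sample headers (not real messages).
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Board pack"},
    {"From": '"Jane Doe, CEO" <jane.doe@examp1e.com>', "Subject": "Urgent wire transfer"},
    {"From": "Jane Doe <janedoe.ceo@gmail.com>", "Reply-To": "janedoe.ceo@gmail.com",
     "Subject": "Are you at your desk?"},
    {"From": "Accounts <billing@vendor-example.net>", "Subject": "Invoice 1042"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@exarnple.com",
     "Subject": "Quick favour"},
]


def run_samples():
    return [(tag_subject(m["Subject"], classify(m)), classify(m)) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, tags in run_samples():
        print(f"{subject!r:40} {tags}")
```

The last sample is the edge case worth noticing: the From address is the organisation's own, so external marking alone would pass it, and only the Reply-To check reveals the look-alike domain the replies would go to. A gateway would normally also verify SPF/DKIM/DMARC on that internal-looking sender, which this example leaves out.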
The incidence of these attacks is only set to grow. They are relatively easy for the criminals to conduct. They are hard to protect against just using traditional security technologies. They work and the pay day is very tempting.
It doesn’t matter how experienced or senior you are – you are still likely to fall for a well-crafted targeted attack. So assume you and your team will be duped, and plan accordingly.