
The Verizon DBIR — The C-Suite is Under Attack

June 24, 2019

The Verizon 2019 DBIR comprises the analysis of 41,686 security incidents from 86 countries, of which 2,013 were confirmed data breaches. The report confirms that criminals actively target human vulnerabilities via social engineering attacks. According to this year’s Data Breach Investigations Report (DBIR), of the 2,013 confirmed data breaches, 33% included social attacks. In view of this, it’s clear that all companies are vulnerable to social attacks. So, if you’re a small to medium-sized business, don’t think you’re off the hook. Notably, in this year’s report, small businesses accounted for 43% of all data breaches. Who are the specific targets within all organizations? The C-Suite. It is under attack and feeling the brunt of social engineering assaults.

The Verizon 2019 DBIR

Social-Engineer, LLC is proud to be a contributor for the 12th edition of the Verizon 2019 DBIR.

The C-Suite is Under Attack

C-level executives such as the CEO, CFO, COO, and CIO are a prime target of cybercriminals. They are 12x more likely to be the target of social engineering attacks than other employees. Financial gain remains the primary goal. In total, 71% of all breaches had a financial motive.

Because senior executives have top-level access and are higher up on the chain of command to make and approve requests, their email login credentials are very attractive to cybercriminals. For attackers, stolen credentials and compromised email accounts are like having the key to the city. Criminals can come and go at will within the company’s network, like a trusted friend. No brute force needed. A compromised C-suite email account can be used to send wire transfer requests; then the criminals simply wait for the money to arrive. In recent years, Snapchat, Mattel, and FACC have all fallen victim to BEC scams. Verizon reports that Business Email Compromise (BEC) attacks represented 370 incidents, of which 248 were confirmed breaches.

Phishing and vishing are commonly used by attackers to steal credentials. Because of the sheer volume of email that the C-suite handles, their exposure to phishing is higher than that of other employees. Each day they routinely respond to multiple issues that demand quick resolution, creating an environment that is conducive to ‘clicking before thinking.’ Criminals are also harvesting credentials from data leaks and breaches. A 2017 CEO email exposure study found that 81% of the world’s top CEOs have had their personal information exposed in spam lists or leaked marketing databases. Additionally, for 1 out of 3 CEOs, a service they access with their company email has been hacked, and the password they use for that service has leaked.

Strengthen Your Enterprise’s Defenses

All businesses both large and small are vulnerable to social engineering attacks. So, what can you do to strengthen your enterprise’s defenses? We recommend the following actions:

  • Implement security training and awareness that involves the C-suite. It’s important for senior executives to understand how malicious actors use their personal as well as professional online exposure to launch social engineering attacks. With this in mind, the Social Engineering Risk Assessment (SERA) provides expert analysis of your company’s potential risk. It can help you plan, educate, and prepare for a social engineering attack.
  • All employees should receive cybersecurity training. This includes new employees, longtime employees, C-level executives, as well as contractors. Employees who understand the threats posed by phishing attacks are less likely to click malicious links, and more likely to report suspicious activity. Organizations that implement Phishing as a Service® see a dramatic reduction in malware infection rates, laptop re-imaging, drive-by downloads, and adware.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) recommends the following best practices to minimize access to your information:

  • Create a strong password that is unique for each device or account.
  • Additionally, consider using a password manager.
  • If available, use two-factor authentication.
  • Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Do not post information on social media that can make it easier for someone to guess your password.
  • It’s equally important to create unique accounts for each user per device.

Take Action Now!

Don’t put off security training and awareness. Take the necessary action today to strengthen your enterprise’s defenses.

Sources:
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/
http://www.www.social-engineer.com/phishing-c-suite-executives-keep-biting/
https://press.f-secure.com/2017/10/25/study-shows-30-of-ceos-have-been-pwned-passwords-exposed/
http://www.www.social-engineer.com/assess-your-risks/
http://www.www.social-engineer.com/social-engineering-risk-assessment/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-111/
http://www.www.social-engineer.com/phishing-as-a-service-phaas/
https://www.us-cert.gov/ncas/tips/ST04-003

Images:
Verizon Data Breach Investigations Report
