Back in April this year Wombat Security Technologies published a report on simulated phishing attacks as a means of staff awareness training. This is the process of targeting a company's own staff with benign phishing or spear-phishing emails. The theory (borne out in practice) is that staff who have been tricked into clicking a link that lands them on a "you've been phished" page will be less likely to be phished for real.
The report included the comment, "Some brave CSOs have even phished their own executives just to prove the point about everyone's vulnerability." Now Wombat has put some numbers to that statement, and has found that 33% of Fortune 500 corporate executives fall for phishing attacks.
On the one hand this suggests a possible way to increase staff awareness budgets: phish the senior executives. On the other hand, the last person in the company a CSO would want to see phished for real is the CEO, who holds too many keys to too much of the kingdom. "Not only are these executives clicking on potentially malicious links," warns Wombat, "Wombat's data reveals some senior executives are actually submitting login credentials, which may be exposing their company to harmful data breaches."
Spear-phishing is frequently the first step in an APT-style attack. Once such an attack has gained a foot-hold, it is both difficult to detect and difficult to remediate. Last year Trend Micro calculated that more than 90% of successful APT attacks start via spear-phishing. It could be argued, then, that avoidance of phishing is one of the best defenses against malware attacks.
Simulated phishing as part of staff awareness training is Wombat's solution to this growing threat. Its figures now show that senior executives must be included in that training. The company offers four tips for getting an all-inclusive budget. Firstly, understand the cost of not investing, such as remediation costs, brand damage, and possible breach notification costs. Secondly, and similarly, quantify the opportunity cost of remediation: if the IT department spends less time remediating breaches and cleaning PCs, what alternative revenue-generating projects could it undertake?
Thirdly, says Wombat, "My time is too valuable" is no excuse. "Everyone needs to be educated about information security risks and the CEO and the executive team can lead by example." And fourthly, do not forget the executive assistant. "Anyone who has access to the executive's email may be vulnerable to phishing attacks."
In fact, Wombat told Infosecurity, the executive assistant might be a major part of the problem. "Some reasons that senior executives may be more susceptible are that they often have other people that may be reading and responding to emails, like executive assistants."
But whatever the reasons, senior executives are not simply part of the problem, they are a major part of the solution. "Executives have the opportunity to be leaders in the area of security awareness and training by setting the pace in this important area," Wombat told Infosecurity. "CEOs can lead by example and help employees recognize the potential threat of phishing attacks against their company."