Lisa Forte, partner at Red Goat Cyber Security LLP, explains why it’s important to include all professionals in cyber security training – from the cleaner to the CEO.
In my time at one of the UK Police Cyber Crime Units, I saw many cases which highlighted the fact that cyber security isn’t just down to the CISO or IT department but needs to be taken seriously by the whole executive team and every member of staff they employ. Not convinced? Consider this real-life case:
Julie worked for a medium-sized business operating in the UK and Ireland. She was the PA to the CEO, Mike. On the day in question, Mike was enjoying his skiing holiday in Italy with his wife and kids. It was Friday afternoon and Julie received an email which read:
I am just emailing to check that you have transferred the £70,000 into bank account XXX-XXX-XXX in order for us to buy that company I told you about in Belarus. The money has to clear in their bank account today (they are one hour ahead by the way) otherwise we will lose it.
Let me know when it is done,
Julie transferred the money and went off to enjoy her weekend. When Mike returned from his holiday Julie asked whether everything had gone through with the purchase of that company in Belarus. We can all imagine what Mike’s face looked like when he realised what had happened.
This type of attack, known as social engineering, is becoming more common. Emails can contain malware or can ask staff to transfer money or input login credentials. As technical controls get better, you are more likely to be attacked in this way.
What can we learn from this case? Firstly, Julie was used to Mike making last-minute requests that she had heard nothing about before. There was no formal procedure to follow. Mike, being the CEO, should make sure that his staff are aware of the risks of emails like this. Julie should have been required to verify that the request was genuine by some means other than replying to the email. Further, there was no four-eyes policy on payments. Mike had authorised his PA to unilaterally transfer large sums of money out of the company account without getting another person to approve it.
Due to the nature of social engineering – the fact that the hackers go after human weaknesses – security has to become everyone’s concern, from the cleaner to the CEO. Cultural change within an organisation has to come from the top and filter down. The prevalent idea that cyber security is the responsibility of the IT department has failed, and it is estimated to have cost the global economy $600bn last year.
The impact of a cyber-attack is wide-ranging and doesn’t just affect the IT team: it probably won’t be your head of IT calling all your clients to tell them all their data has been compromised or standing in front of a journalist explaining why security hadn’t been taken more seriously. The C-suite members will have to be involved then.
So how should executives get involved?
Table-top exercising
One of the best ways of ensuring you are prepared for a cyber-attack is to run a table-top exercise simulating an attack. Anyone who would be involved in strategic decision-making following a cyber-attack should be involved.
An exercise involving the incident response team together with senior management, HR, communications and, of course, the security team can test how well your plans work and how well you communicate with each other. It provides a really rapid way to uncover planning errors and fundamental misunderstandings which can be remediated in the exercise rather than in real life. As well as preparing your company for a cyber-attack, bringing the executive team together for the exercise is an effective way to demonstrate to C-suite heads how a cyber incident affects the whole company and isn’t just the CISO’s problem.
Invest in some good-quality face-to-face training for your staff against social engineering and cyber-attacks.
The company executives should take part in this too. This demonstrates to employees that the entire company takes security seriously and provides a defence against the increasing frequency with which company executives are targeted by hackers.
When it comes to a cyber-attack, the sad reality is that it is a matter of when you get attacked, not if. Identify your technical and human vulnerabilities by conducting phishing and other forms of social engineering tests. Remember to include all your staff. Again, this not only helps lead by example but also acknowledges that executives aren’t necessarily experts in this field and that they too need training.
The security culture within an organisation needs to improve to really defend the company, and the IT team needs staff and executives to assist them in this by being trained to detect potential threats and report them.
Developing a security culture
The case described earlier of Mike and the apparent purchase of a company in Belarus is an example of a type of attack known as CEO fraud. CEO fraud is an excellent illustration of the need for a top-down culture for cyber security.
Typically, the attacker leverages status and urgency in order to get the victim to act quickly, and where necessary to violate existing security protocols. Have you ever asked a member of staff to bypass protocol to get something done quickly? In the vast majority of cases, staff do as instructed and are very unlikely to challenge the authority of a senior manager, even if this involves bending or breaking rules. Management sets the standards of behaviour; if you want to empower your staff to “just double-check” before giving out potentially valuable information or to challenge people without badges, they need to feel authorised and encouraged to do so.
Here are some ways executives can improve this situation: