In cybercrime, financial gain is still the primary driver, according to Verizon´s 2020 Data Breach Investigation Report. Nearly 9 out of 10 breaches investigated in the study were financially-driven, and this statistic has been increasing over the years. Another growing statistic is the increase in targeted attacks like spear phishing on C-level executives.
Money is a big motivator, especially for cybercriminals
Cybercriminal profiles can vary, and the list of motivations behind a hack may not come down to only one motive. However, a common motivating factor in most attacks is financial gain. A 2018 study by Dr. Mike McGuire discovered that some of the highest-earning cybercriminals can make upwards of 166,000 USD per month.
While not every cybercriminal is earning more income than the typical household salary, money can still play a big part in someone´s desire to commit a cyber-crime.
The potential financial gain drives both individual hackers and organized crime groups to exploit system vulnerabilities and prey on human error.
Spear phishing is often used when attackers are motivated financially
One common way for hackers to exploit human error is through spear phishing attacks. Spear phishing is a form of social engineering. It is a highly targeted attack designed for a single individual within an organization.
The content of a spear phish attack is usually very personal and believable in order to bypass even sophisticated technical filters. When hackers are financially motivated, spear phish attacks are often used.
Why is the C-level a lucrative target?
A high-quality spear phish attack usually requires significant time and resources to plan. Because of the increased time commitment required, hackers choose their targets carefully. Verizon reported that senior executives are 12 times more likely to be a social incident victim.
Senior-level executives, like the C-suite are usually time-starved and under pressure to make decisions and take actions quickly under pressure. Senior executives have access to some of the most sensitive information in the organization. Often, they also have unique approval authority and privileged access to critical systems. For example, if hackers are trying to get money transferred to an account, they normally need to impersonate someone from high up in the organization. Impersonating an executive will help the transaction happen more quickly, leaving less time for scrutiny and increasing the chances of the money transfer being executed.
These are all reasons why hackers are increasingly targeting the C-level. Hackers can reap large financial benefits if their efforts are successful with these high-profile targets.
Hackers will use BEC attacks after they have stolen credentials from executives. For example, with the right timing, hackers impersonating a CEO to ask an employee for sensitive financial information may be convincing enough for a successful attack.
A stressful work environment can also lead to less focus on security awareness education at the executive level. Executives have a tendency to hastily click through emails, according to Verizon´s report. This increases the chances that a malicious email could get through an executive´s inbox without detection.
How can you reduce the human risk factor of executives?
Bryan Sartin of Verizon stated that hackers´ tactics do not change that much over the years, but their targets and attack locations do change. Although companies are investing more in security measures now more than ever, companies still struggle with employee buy-in and engagement in security awareness training.
Recently, hackers have increasingly identified executives as good targets with high payouts. Until security awareness efforts increase at the executive level, they will continue to be targeted.
Cybersecurity requires active management awareness, attention, buy-in, and involvement to make an impact on the human risk profile.
Cybersecurity is not only IT´s problem. However, it is the role of the security team to educate executives and other department leaders about cybersecurity. Verizon´s advice is for an organization to begin with understanding the threat landscape and explaining it across the company.
Once you educate executives about the security risks they are exposed to and communicate the company´s security posture, you will start gaining leadership support.
As with any issue, you have to identify and explain the problem first. Then, IT can work together with cross-functional leadership to develop an effective strategy that addresses the reality of cybercrime.
Once security awareness increases at the executive level, those vulnerabilities will not be as easy to penetrate. Then, hackers will likely seek out other vulnerable targets and attack locations that could lead to high financial gains. This is why security efforts constantly need to evolve and continuously update.
Make security training practical and easily accessible
One reason why an executive may skip or avoid cybersecurity training is that it´s too time-consuming. Executives are busy, and they want to use their time wisely. If training appears to be a waste of time or not practical enough, people won´t engage with it.
Security training needs to be practical. It needs to include up-to-date content that looks similar to the threats that employees will face in their inbox. By focusing on relevant topics, employees can quickly develop the right skills to start detecting and reporting real threats.
Training should also last only a few minutes at a time and be incorporated into an employee´s regular weekly routine. Improving the ease of completing training and increasing the relevancy of topics are important. Then, it will be easier for executives to see security awareness and phishing training as a value-added activity.
Make an impact from the top-down
If executives are supportive and engaged in cybersecurity training, they will be more likely to promote it to the employees working for them. From the top-down, the security culture can shift away from negativity.
When you can count on the cooperation and engagement of all employees in your cyber defense strategy, you can make a big impact on reducing the human risk factor.