Jay Rath
Ransomware across all industries has declined since 2015. That’s the good news. The bad news is that that cyber-gangs are focusing on government, healthcare – and, especially, senior executives.
In the month of February there was one phishing attempt in every 3,331 e-mails, and one piece of malware in every 645 e-mails, according to a new whitepaper from Osterman Research. The firm, based in Washington state, specializes in research for technology-based companies.
“That means that in an organization of 500 e-mail users who receive a median of 100 emails per day, the security infrastructure will receive 15 phishing attempts and 77 pieces of malware each day.”
One Osterman source found that, during the 13 months ending in February, there was a 74 percent increase in ransomware variants.
Meanwhile, 77 percent of organizations do not have a consistent, formal cybersecurity response plan according to Health IT Security, citing The Third Annual Study on the Cyber Resilient Organization, by IBM Security and the Ponemon Institute. “Of the 2,800 respondents, approximately half stated that their incident response plan was informal or did not exist.”
“Many organizations are not exercising proper due diligence,” agrees Osterman; 33 percent of users receive security awareness training once a year or as part of orientation after being hired; 6 percent of users never receive any type of security awareness training,
And the training that is offered may be of low urgency or poor quality. As a result, “many users will not be sufficiently skeptical of potential threats,” says Osterman, “particularly if these are delivered through social media channels, web advertising or text messaging that are implicitly assumed to be more trustworthy (or at least less suspect) than email or the web.”
Recommendations include:
- Conduct a thorough audit of current security and compliance
- Establish thorough, detailed policies
- Implement a program of best practices
- Provide security training specific to each user’s company role, “commensurate with the risk associated with each”
That brings us to whaling
Speaking of risk and roles, senior company officials can’t assume security awareness is only critical for those down in the trenches. A relatively recent form of fraud has been dramatically increasing. It’s known as “whaling” or CEO/BEC (for Business E-mail Compromise).
In the first half of 2017 there were 3,175 reported attempts of CEO/BEC fraud across industries worldwide. That figure more than doubled, to 6,533, in the second half, an increase of 205.7 percent.
“Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms,” according to the FBI. “In just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners.”
The criminals, having gained access to a company’s network, “may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.”
When a CEO is traveling or otherwise unavailable, a CFO, controller or other executive receives what appears to be a request “for an immediate wire transfer, usually to a trusted vendor. The targeted employee believes he is sending money to a familiar account, just as he has done in the past. But the account numbers are slightly different, and the transfer of what might be tens or hundreds of thousands of dollars ends up in a different account controlled by the criminal group.”
Notes Osterman, “Many [organizations] lack the strong internal control processes that would enable them to prevent CEO Fraud/BEC attacks.”
Join 36 million patients, plans and health systems who enjoy greater security in the Moxe Health interactive network.