by Oscar Tello | 01/07/2020
Cybersecurity, at its core, is about protecting what is valuable to you as an organization.
For some, that might mean protecting valuable customer data - credit card information, Social Security numbers, or patient health care records. For technology companies, it’s also about protecting intellectual property. This includes source code, designs, products, or future product strategies. Collectively, that intellectual property defines the value of a tech company, and that value is usually sitting on a server as an easy target to be hacked.
The rapid proliferation of new technology, including a wide array of mobile devices and cloud-based solutions, means that hackers now have many more entry points to attack.
Additional vigilance is required for larger companies because of their access to valuable information and pervasive technologies, which makes them a natural target. This doesn’t let the small guy off the hook, though. If there are rumblings that a start-up has the next killer app in development, for example, it’s vulnerable to attack.
Economic espionage, or cyberespionage, isn’t limited by borders. It isn’t uncommon for overseas companies to target entities releasing products with high potential for profit and revenue. While the act itself isn’t necessarily something new, there are now organized and contracted teams leading the attack.
Social Engineering Attacks
Even with stronger security defenses, organizations are still at a disadvantage in the fight against hackers. Why? Because cyberattacks are increasingly aimed at individuals rather than systems—and the human factor is much harder to manage. With proper training, however, people are also the first line of defense.
High-profile enterprise hacking leads to the painful loss of precious data, customer confidence, and hundreds of millions of dollars in legal fees, notification costs, and technology remediation.
It’s no wonder C-level executives are now paying more attention to their organizations’ vulnerabilities when it comes to cybersecurity. Other individuals also demand results:
Investors and boards of directors are increasingly holding senior management accountable for cybersecurity.
Customers and partners demand that adequate cybersecurity controls be in place before conducting business.
Sophisticated attacks usually begin here. A social engineering attack preys on the psychological willingness of employees to divulge a company’s confidential digital information.
These attacks involve an email from a hacker who appears to be an individual or business you know. The target tends to be an unaware or untrained employee who may be willing to give up desirable information—their system password or company account details, for example.
When the target is C-level executives, it’s known as whaling. C-level email fraud takes place when a hacker requests that members of an organization’s finance function disburse or wire funds to a third party in an email that looks like it comes from senior management. (See example to the right.)
It’s important to remember there isn’t an all-encompassing solution to combat spear phishing or whaling. Prior to an attack, these defenses should be in place:
End-User Security Training
Never forget that people are your first line of defense.
Internal Process Controls
Have at least two sets of eyes and approval for requests that meet a certain threshold.