
[News] If Cybersecurity Professionals Can Get Phished

Brad Slavin, General Manager
Updated September 1, 2025

Quick Answer

Business Email Compromise (BEC) targets employees with finance access and uses social engineering to redirect payments. Cyberscoop reported BEC scammers stole more than $150,000 from two defense contractors in one year, the same kind of firms that sell cybersecurity services. Even practitioners get phished: an ISACA / Terranova study found only 12% of security, assurance, risk, and governance professionals were confident they could assess the effectiveness of their phishing defenses, and only 57% ran phishing simulations. Research on simulation training shows the click rate falls from roughly 14.2% to 9.4% with 10+ simulated campaigns, but never to zero. The post argues the answer is to shift the load from user training to technology, specifically real-time link click protection on inbound mail.


Defense Contractors Get Taken in by Business Email Compromise

Business email compromise (BEC) is a form of email fraud that typically involves targeting employees with access to company finances and using social engineering to trick them into making money transfers to the bank accounts of the fraudster. According to an article on security website Cyberscoop, scammers used BEC to steal more than $150,000 from two defense contractors last year.

“Business impersonation fraud is trending because it works,” said Alexander Heid, chief security officer at SecurityScorecard, which builds risk profiles on companies based on publicly accessible information. “With 1,000 target enterprises, if only 1 percent fall for the scam, that is still ten places wiring over large sums of money – and that adds up very fast.”

What makes this shocking is that defense contractors are the same companies making millions of dollars a year providing, you guessed it, cybersecurity services to government agencies and large corporations. In other words, they’re companies who should know better. It’s not surprising then that the names of the defense contractors were omitted from the article. I suppose that wouldn’t look very good, but it does prove a point. Social engineering is very hard for people to combat because, well, they’re human.


The only consistent way to combat social engineering is with phishing prevention technology that doesn’t fall prey to social engineering tactics.
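The kind of check a mail filter can run without relying on the recipient's judgment, as an added Python example that is not DuoCircle's product code: it scores a raw message on the classic BEC indicators, a display name that claims a listed executive from an address that is not theirs, a sender domain that is a lookalike of the company's own or a free webmail domain, a Reply-To steered to a different domain, and payment language paired with urgency or secrecy. The internal domain, the executive directory, the weights and all three sample messages are constructed for illustration.

```python
"""Header and content heuristics for Business Email Compromise (BEC).

Added example; not DuoCircle's product code. The internal domain, the
executive directory, the weights and all three sample messages below are
constructed for illustration.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-contractor.com"   # assumption: the protected organisation
# assumption: people worth impersonating, mapped to the mailbox they really use
EXECUTIVES = {"jane doe": "jane.doe@example-contractor.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
MONEY_WORDS = re.compile(r"\b(wire|bank details|payment|invoice|transfer)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|today|immediately|confidential|in a meeting)\b", re.I)
FLAG_THRESHOLD = 50

# Constructed samples: an impersonation sent from free webmail, a lookalike
# domain one letter short of ours, and an ordinary internal request (score 0).
SAMPLE_BEC = b"""From: "Jane Doe (CEO)" <jane.doe.ceo@gmail.com>
Reply-To: jane.ceo.office@outlook.com
To: payables@example-contractor.com
Subject: Urgent wire transfer - confidential

I need a wire of $48,200 sent to our new vendor today. I'm in a meeting,
so just reply here to confirm. Updated bank details are attached.
"""
SAMPLE_LOOKALIKE = b"""From: "Jane Doe" <jane.doe@example-contractor.co>
To: payables@example-contractor.com
Subject: Vendor invoice

Please process the attached invoice today.
"""
SAMPLE_LEGIT = b"""From: "Jane Doe" <jane.doe@example-contractor.com>
To: payables@example-contractor.com
Subject: Q3 planning

Can you send me the Q3 planning deck before Friday?
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot a sender domain a typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1]
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_to.lower().rsplit("@", 1)[-1] if reply_to else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    score, reasons = 0, []
    # 1. Display name claims a known executive, but the address is not theirs.
    name_key = re.sub(r"[^a-z ]", " ", display.lower())
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name_key and addr != exec_addr:
            score += 40
            reasons.append(f"display name {display!r} impersonates {exec_addr}")
    # 2. Sender domain is within two edits of ours (dropped or swapped letter).
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        score += 30
        reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Free webmail sender asking for company business.
    if from_domain in FREEMAIL:
        score += 15
        reasons.append(f"free-mail sender domain {from_domain}")
    # 4. Replies are steered to a domain other than the visible sender's.
    if reply_domain != from_domain:
        score += 20
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 5. Payment language combined with pressure to act quickly or quietly.
    if MONEY_WORDS.search(text):
        score += 10
        reasons.append("payment / bank-detail language")
    if URGENCY_WORDS.search(text):
        score += 10
        reasons.append("urgency or secrecy language")
    return score, reasons


def is_bec(raw):
    """True when the message crosses the (assumed) quarantine threshold."""
    return score_message(raw)[0] >= FLAG_THRESHOLD


if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} flagged={score >= FLAG_THRESHOLD} {reasons}")
```

None of these signals depends on the recipient noticing anything; the two impersonation samples score 95 and 90 while the genuine request scores 0. In practice the executive directory and the lookalike check would be fed from the corporate directory and a list of registered brand domains, and the weights tuned against real mail flow.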

Pros Fear Phishing Attacks

Given that even defense contractors can be taken in by phishing scams, it should come as no surprise that very few professionals are confident in their own phishing defense assessments. According to research done by the IT governance organization ISACA and Terranova Security, “just 12% of security, assurance, risk and governance professionals are confident in their ability to assess the effectiveness of their phishing defenses. Additionally, only 57% of those surveyed said they carry out phishing simulations within their organizations.”

The untold story here is why the pros are worried: they think the answer is to run more and more phishing simulation campaigns, on the misguided belief that if only they could train their employees well enough, the phishing problem would go away. The research says otherwise.

Research done on the efficacy of phishing simulation found that “with increased education and 10 or more phishing simulation campaigns, that rate could be reduced by a third from 14.2% [to 9.4%.]” Even with all the education and simulations in the world, roughly one in ten employees is still going to click on a malicious link. It’s not their fault; they’re only human. And one click can be all an attacker needs to get a foothold on the network.


I find it hard to believe that the pros don’t know there are inexpensive, easy-to-deploy, cloud-based email security solutions that can almost make phishing awareness training unnecessary. Where is the research showing before and after results of deploying this readily available technology? Nowhere.
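What click-time link protection does, as an added Python example that is not DuoCircle's implementation: at delivery every URL in the message body is wrapped in a gateway link carrying an HMAC over the original destination, and at click time the gateway verifies that signature and re-checks the destination against the blocklist as it stands at that moment, so a domain that was clean at delivery and weaponised afterwards is still caught, and a wrapper retargeted to a different URL is rejected. The gateway host, signing key, blocklist contents and sample message are assumptions made for this example.

```python
"""Click-time (not delivery-time) link protection for inbound mail.

Added example; not DuoCircle's implementation. The gateway host, signing
key, blocklist contents and sample message are constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://linkcheck.example.net/click"   # assumption: our rewriting gateway
SECRET = b"per-tenant-key-rotate-me"               # assumption: HMAC key for wrapped links
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"


def sign(url):
    """HMAC over the original URL so a wrapped link cannot be retargeted."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body):
    """Delivery time: wrap every URL so the click is routed through the gateway."""
    def wrap(m):
        url, tail = m.group(0), ""
        while url and url[-1] in TRAILING_PUNCT:      # keep sentence punctuation out of the URL
            url, tail = url[:-1], url[-1] + tail
        return f"{GATEWAY}?u={quote(url, safe='')}&sig={sign(url)}{tail}"
    return URL_RE.sub(wrap, body)


def resolve_click(gateway_url, blocklist):
    """Click time: verify the wrapper, then re-evaluate the destination now.

    Returns ("allow", url), ("block", url), or ("reject", None) for a
    tampered or forged wrapper.
    """
    qs = parse_qs(urlparse(gateway_url).query)
    url = qs.get("u", [""])[0]          # parse_qs already percent-decodes
    sig = qs.get("sig", [""])[0]
    if not hmac.compare_digest(sig, sign(url)):
        return "reject", None
    host = (urlparse(url).hostname or "").lower()
    # Blocklist is consulted at click time, so later additions take effect.
    if host in blocklist or any(host.endswith("." + d) for d in blocklist):
        return "block", url
    return "allow", url


if __name__ == "__main__":
    # Constructed scenario: the domain is clean at delivery and listed afterwards.
    body = "Please review the invoice at https://invoice-portal.example-vendor.com/doc/771."
    rewritten = rewrite_links(body)
    link = rewritten.split()[-1].rstrip(".")
    print(resolve_click(link, set()))                                    # allow
    print(resolve_click(link, {"example-vendor.com"}))                   # block
    print(resolve_click(link.replace("invoice-portal", "evil"), set()))  # reject
```

The signature is what makes the scheme safe to expose: without it an attacker could hand out gateway links pointing anywhere and borrow the gateway's reputation. A production deployment would also record each click decision for incident response, since the gateway sees who clicked what and when.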

Until the paradigm shifts the onus of email security away from users and onto technology, we’ll continue to see what we’re seeing today: companies getting phished and pros losing sleep.

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
