Defending senior managers and executives – the so-called whales of enterprises – against targeted cyberattacks requires that they and their support staff are aware of potential risks and query any suspicious activities, says cybersecurity consultancy and auditing firm Galix MD Simeon Tassev.
The public profile of company leaders and information about them readily available to cybercriminals enable them to launch attacks on those leaders using their personal information; the availability of such information makes it difficult to defend them against attacks.
However, adherence to processes and controls, best practice information management and questioning unusual or extraordinary requests will prevent cybercriminals from exploiting the information they have gathered about high-level employees.
“A cybercriminal targeting a high-profile manager can easily get professional and personal information to make an attack. Usually, whaling cyberattacks use social engineering, in which cybercriminals use gathered information to fraudulently present themselves as a person or organisation representative, as a means to carry out attacks.
“Attackers try to monetise this information, usually by attempting to get a fraudulent payment made with the information given by making it seem as if it is a legitimate business payment. There is also usually a sense of urgency presented in the fraudulent communication or a request to bypass a process or control.”
Most attackers get through, owing to the good intentions of staff who want to execute what appears to be a legitimate request by a superior.
“The best way to protect [oneself] against these types of social engineering cyberattacks is to use known and valid communication channels to get hold of the person and verify the information.”
Further, employees should query any requests to bypass normal procedures and controls. While the subsequent delays might lead to frustration among some employees, superiors or clients, validating a suspicious request prevents an irretrievable loss and is best practice, advises Tassev.
Galix provides consulting services for companies wanting to improve their cybersecurity, but it mainly audits and certifies the cybersecurity systems and practices in companies against standards of best practice.
The firm audits against the Payment Card Industry Data Security Standard, which is a body of standards used to govern electronic card payments in the financial services industry. Companies can use these high-level electronic processes and system standards to effectively protect their own processes and systems.