Security managers are often concerned about employees who use Facebook at work and fall for the 419 "I'm trapped in London and need money" scam. Others might still have some in their organization who are convinced it is the Prince of Nigeria who wants to share his fortune. And with spear phishing, a targeted email attack in which messages are created to look like they come from an employer, bank or other trusted source, now a common criminal technique, the need for effective awareness programs for employees has become paramount.
But those concerns, according to Jayson Street, a security consultant and CIO of Stratagem 1 Solutions, shouldn't be the chief worry. That's because the biggest social engineering threat is the top executives in a company -- and they're the ones who need to be educated the most.
Street, who conducts penetration testing and gives advice on what he calls "patching the human problem," said that, with access to sensitive data and confidential information, C-level executives are the juiciest targets for criminals, and they are putting the company at serious risk. These vulnerabilities won't go away until everyone understands security, from the bottom of the organization right up to the top.
"We need to have executive buy-in of these risks," said Street. "Executives need to understand what can happen and how to avoid it."
Street details the four reasons why top executives may be the most likely target for a social engineering attack.
They expect not to have to follow security rules
They are the most important people in the company, their jobs are extremely demanding, and they expect to be exempt from all of those inconvenient rules and policies that the security people have put in place, said Street.
"They are the ones who expect they don't need the firewall blocks as much, or that they can go to the websites others can't," he explained. "They don't want to be filtered, logged or monitored, so they don't want to go through the web proxies that also protect them from compromise."
The problem is that these executives are often no more security-savvy than the average employee and can be compromised by many of the common social engineering scams. And because they are executives, the social engineer is much more likely to make the attack targeted and personal, going as far as sending an email that appears to come from a legitimate source but actually carries a malicious attachment.
They think you're going to protect them
Once the executive has opened up that attachment and infected their machine, they're going to ask why security didn't protect it, said Street.
"When an executive is compromised and causes a loss for the company, he is not going to say 'Oops, my bad.' He is going to say 'Why didn't you protect me from myself?'"
Street recently completed a series of penetration tests for two hotels and gained access to the server room by sending hotel employees a forged email that claimed he was the CEO of the hotel's tech support supplier.
"Afterward, I asked them 'Why did you let me in?' and they said 'This is how the owner does things. He sends emails like this all the time!'"