2. Make your executives take the time to learn how to avoid being harpooned.
No matter how busy executives might be -- or how much they resist going through security awareness instruction -- they need to attend training sessions on a regular basis.
This includes instruction on what to look for in suspicious emails, as well as how to identify in-person whaling attacks, where an individual who might appear trustworthy gathers information over a period of months that can be used to access corporate systems.
Most executives exclude themselves from periodic security-awareness exercises, even though they're the very people who should be conditioned doubly hard to thwart targeted phishing attacks, Belani says.
Make it mandatory that not only executives take training, but also their administrative assistants, who can play a key role in thwarting attacks targeting their bosses. Training sessions don't have to be excruciatingly boring for attendees. Consider including videos of simulated social engineering schemes, or have the security team act out such a scenario.
In addition to providing training, keep people continuously informed about whaling threats and incidents. Ocean Bank sends out monthly "security awareness" bulletins to everyone in the organization, advising people about threats such as whaling, phishing, and malware, with tips on how to avoid them.
"We keep them constantly aware, so if they're targeted they will know and report it back to us," says Sergio Pinon, senior vice president of security for the Florida bank and chairman of the Financial Institution Security Association. But be sure to keep these updates short and simple; if they're too lengthy, most people won't bother to read them.
Aside from training people in how to avoid being a whaling victim, reiterate the importance of protecting valuable data such as intellectual property. According to the 2011 Data Breach Investigations Report conducted by the Verizon Risk Team, U.S. Secret Service, and Dutch High Tech Crime unit, recently there have been more targeted attacks on specific types of data that aren't typically stolen in bulk, such as certain varieties of sensitive organizational data and intellectual property.
3. Do your own penetration testing and social engineering.
How well did attendees of security training classes pay attention to what they heard? Why not find out by running some tests?
Owen McCusker, principal analyst at Sonalysts, a security consulting firm, says some of his firm's clients follow up their training with an "inoculation process," in which administrators send out emails that include characteristics of known whaling attacks to handpicked individuals, to see how they react. If they respond to the message, they get a reply alerting them to their failure to follow the instructions of the training sessions.
Patricia Titus, chief information security officer at technology services provider Unisys, says in a previous job as CISO at the Transportation Security Administration, she and her staff periodically called people in the organization at random to try to socially engineer them into giving up information they should not be sharing. She plans to conduct similar activities at Unisys.
These inside attacks tend to get the point across. "Once you do it, everyone hears that story, and it shows that we really do care about this stuff," says Titus, who has been the target of a whaling attack from outside. "We want a security-minded workforce." She says the tests are not just aimed at senior executives, but at workers such as help desk employees who have access to information such as system passwords.
In addition to periodic testing, the Unisys security team conducts individual consulting with people who are repeat offenders of security policy. There might be a root cause of why people are performing notable behaviors, Titus says, so instead of just saying they can't go to certain sites or blocking access, the security team analyzes why the activity is happening. Eighty percent of the time, it's happening out of ignorance, she says.
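The "inoculation" follow-up McCusker describes and the repeat-offender review Titus describes both need the same bookkeeping: who took the bait in a given simulation, who reported it, and who keeps failing across campaigns. The script below is an added example, not code from Sonalysts, Unisys or this article; the event log, campaign ids and addresses are constructed placeholders.

```python
"""Track outcomes of simulated whaling emails across campaigns (constructed example)."""
from collections import defaultdict

# Constructed event log: (campaign id, recipient, event). Events:
#   'sent'     - the simulated lure was delivered to this person
#   'replied'  - the person responded to the lure (the failure case)
#   'reported' - the person forwarded it to the security team
SAMPLE_EVENTS = [
    ("camp-01", "cfo@example.com", "sent"),
    ("camp-01", "cfo@example.com", "replied"),
    ("camp-01", "ea.cfo@example.com", "sent"),
    ("camp-01", "ea.cfo@example.com", "reported"),
    ("camp-01", "helpdesk1@example.com", "sent"),
    ("camp-02", "cfo@example.com", "sent"),
    ("camp-02", "cfo@example.com", "replied"),
    ("camp-02", "ea.cfo@example.com", "sent"),
    ("camp-02", "helpdesk1@example.com", "sent"),
    ("camp-02", "helpdesk1@example.com", "replied"),
]


def outcomes(events):
    """Return {campaign: {recipient: 'failed' | 'reported' | 'no_action'}}.

    Replying to the lure counts as a failure even if the person also reported it,
    since the information has already left the organization."""
    actions = defaultdict(set)
    for campaign, recipient, event in events:
        actions[(campaign, recipient)].add(event)
    result = defaultdict(dict)
    for (campaign, recipient), acts in actions.items():
        if "sent" not in acts:
            continue  # stray events for people who were never in the campaign
        if "replied" in acts:
            result[campaign][recipient] = "failed"
        elif "reported" in acts:
            result[campaign][recipient] = "reported"
        else:
            result[campaign][recipient] = "no_action"
    return {c: dict(r) for c, r in result.items()}


def failure_notices(events, campaign):
    """Recipients who took the bait in `campaign` and should get the reminder reply."""
    per_campaign = outcomes(events).get(campaign, {})
    return sorted(r for r, o in per_campaign.items() if o == "failed")


def repeat_offenders(events, min_failures=2):
    """Recipients who failed in at least `min_failures` campaigns (individual follow-up)."""
    counts = defaultdict(int)
    for results in outcomes(events).values():
        for recipient, outcome in results.items():
            counts[recipient] += outcome == "failed"
    return sorted(r for r, n in counts.items() if n >= min_failures)
```

Feeding real campaign data in the same (campaign, recipient, event) shape is enough to produce the per-campaign reminder list and the repeat-offender list for the security team's follow-up conversations.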