CEOs need better cyber security skills as half fall victim to phishing scams

More company-wide cyber security training is needed

Executive boards need better cyber security training, given half of chief security officers fall victim to phishing attacks, according to research conducted by security firm AlienVault.

The research found that 82 per cent of IT security professionals worry that their high-ranking executives are still vulnerable to phishing scams.

Despite such concerns, only 45 per cent provide cyber security training to all their employees, including the executive board, while 20 per cent do not conduct any training and instead tackle the fallout of such cyber attacks when they occur.

Javvad Malik, security advocate at AlienVault, noted that the threat from phishing is more pervasive than it would first seem, given there are many tools to prevent scam emails from being opened or executing rogue code.

"The challenge that lies here is two-fold. Firstly, most phishing scams that target execs are well-crafted and researched. Similar-looking domains are registered and execs are carefully researched. Secondly, many execs have personal assistants who manage their day-to-day operations and who are often more susceptible to social engineering techniques," he said.

"As such, it is important to train all users within an organisation as attackers will always try to strike at the weakest links, who may not even be internal employees. CEO fraud also routinely targets third party suppliers, partners and customers, so awareness should be spread to all associated parties.

"To stay a step ahead, security teams need to monitor third party activity closely and use threat intelligence networks to keep abreast of the latest scams being employed by criminals."
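The "similar-looking domains" Malik refers to are something a defender can check for mechanically. The following is an added example, not code from the article or from AlienVault: it folds common homoglyph substitutions out of an inbound sender's domain and compares the result against the organisation's own domains, flagging typo variants and brand-in-a-new-domain registrations. The trusted domains, sender addresses and the edit-distance threshold are constructed placeholders.

```python
"""Flag inbound sender domains that resemble an organisation's own domains.

Added example (not from the article or AlienVault): a lookalike-domain check
of the kind a mail gateway rule or SOC script might apply to the From: domain
of inbound mail. All domains and addresses here are constructed placeholders.
"""
import unicodedata

# Constructed placeholders for the organisation's legitimate domains.
TRUSTED_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}

# Visually confusable substitutions seen in lookalike registrations.
# Multi-character entries come first so "rn" folds to "m" before single chars.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x",                                # Cyrillic с х
}

MAX_EDIT_DISTANCE = 2  # assumption: tune to domain length and false-positive budget


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs can be folded."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode or malformed; fold as-is


def normalise(domain: str) -> str:
    """Lower-case, strip combining marks, fold confusable characters."""
    d = unicodedata.normalize("NFKD", to_unicode(domain.lower()))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are domain-length, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalise(trusted)
        brand = trusted.split(".")[0]  # e.g. "examplecorp"
        # Homoglyph or typo variants of the whole domain.
        if norm == t_norm or levenshtein(norm, t_norm) <= MAX_EDIT_DISTANCE:
            return "lookalike"
        # Brand name embedded in a foreign domain: examplecorp-secure.com,
        # examplecorp.net, login-examplecorp.com.
        if brand in norm:
            return "lookalike"
    return "external"


def scan_senders(addresses):
    """Classify each From: address; returns {address: verdict}."""
    return {addr: classify_domain(addr.rsplit("@", 1)[-1]) for addr in addresses}


# Constructed sample of inbound sender addresses.
SAMPLE_SENDERS = [
    "ceo@examplecorp.com",              # genuine
    "ceo@exarnplecorp.com",             # rn -> m
    "ceo@examp1ecorp.com",              # 1 -> l
    "ceo@\u0435xamplecorp.com",         # Cyrillic е as first letter
    "ceo@examplecorp.co",               # dropped TLD character
    "finance@examplecorp-secure.com",   # brand embedded in a new domain
    "vendor@partner-supplies.net",      # unrelated external sender
]

if __name__ == "__main__":
    for addr, verdict in scan_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {addr}")
```

A verdict of `lookalike` is a prompt for a warning banner or a quarantine rule, not proof of fraud; the brand-substring rule in particular will also catch legitimate partners who put the brand in their own domain, so pair it with an allow-list and the sender-authentication results (SPF, DKIM, DMARC) the gateway already has.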

While there are threat intelligence tools in the IT security market that allow IT professionals to get insight into nefarious activity on their networks, phishing still presents companies with an expensive threat.

According to the FBI there was a 270 per cent increase in CEOs becoming victims of fraud since the beginning of 2016. Such fraud has cost US organisations over $2.3bn over the past three years, while each attack is estimated to cost companies between $25,000 and $75,000.

AlienVault's research also found that 45 per cent of IT professionals thought it was likely their organisation would pay the ransom demands if their network was infected by ransomware, often triggered after a successful phishing attack.

"It's worrying to see how many people would consider paying up if they were infected with ransomware. Negotiating with criminals is a dangerous game that offers no guarantees, and cooperating in this way just encourages more attacks," said Malik.