C-levels most vulnerable to cyberattacks, finds Verizon

With access to organizations’ most sensitive information, c-level employees are becoming the major focus of social engineering attacks by cybercriminals, according to Verizon.

The telecom giant’s 2019 Data Breach Investigations Report included data from 73 contributors and analyzed 41,686 security incidents— as well as 2,013 confirmed breaches from more than 80 countries globally.

Insights from that mass of data revealed that senior executives— owed to their unique access and ‘time poor’ nature— were 9x more likely to be the target of social breaches than in previous years.

Unsurprisingly, financial motivations remain a key and growing driver, and financially-motivated social engineering attacks represented 12 percent of all data breaches analyzed.

For attackers, senior executives represent worthwhile targets. Their approval authority frequently unchallenged and they will most likely have access to privileged systems and data.

Meanwhile, the report notes that c-level workers are often “time-starved and under pressure to deliver”. This can result in them skim-reading and clicking on emails, or handing the task to assistants, meaning suspicious emails are more likely to get through the net.

Business email compromises (BECs) represent 240 confirmed breaches— and 370 incidents— of those analyzed. This vulnerability, says Verizon, is linked to the “unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Silver cloud?

Not just carelessness, though, the report found that the increasing reliance cost effectivity of storing information in the cloud-based solutions is exposing companies to additional security risks.

Analysis revealed the cloud-based email accounts were increasingly subject to breach via the use of stolen credentials.

In fact, while 35 percent of all breaches could be traced back to human error, roughly a quarter arose from web application attacks, most of which were attributable to the use of stolen credentials used to access cloud-based email.

At the same time, misconfiguration errors led to a number of “massive, cloud-based file storage breaches” in the last year, and show of a trend of rising in the year ahead.

“As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed,” said Bryan Sartin, Executive Director of Security Professional Services at Verizon.

Sartin urged businesses to gain access to cyber detection tools in order to achieve a better view of their security posture, backed by up-to-date statistics on wider security threats.  

“Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line,” he added.

According to a report at the end of 2018 by email protection startup Inky Technology Corporation, email phishing attacks are becoming increasingly personalized and difficult to detect.

In this case, Inky found that 12 percent of corporate phishing attacks took the form of VIP impersonations, whereby an email purporting to be the ‘CEO’ of ‘finance manager’ would claim they are tied up in a meeting or otherwise, and engage a more junior member to hand over sensitive information.

The personalized approach to these types of attacks could be linked to data scraped from LinkedIn, owed to the attacker occasionally targeting ex-employees by accident.