Whaling is an evolved type of phishing attack aimed at the ‘big fish’ in an organisation (sometimes also called CEO fraud). The attack is usually in the form of an email, supposedly from the Managing Director or CEO to the accounts department, with an instruction to transfer money between accounts. In the UK, 10-15 businesses an hour suffer from this type of whaling attack.
This week AIG Insurance confirmed that Business Email Compromises (BEC) have overtaken ransomware and data breaches in cyber-insurance claims and accounted for nearly 25% of all claims within EMEA.
These types of attack succeed because there is typically a culture within an organisation that it is more than an employee's job is worth not to do what the MD says. Only 1 in 5 businesses in the UK carry out any form of cyber instruction so that employees are better prepared to deal with these situations. Those that do typically say they have a policy in the employee handbook which staff are taken through as part of their induction.
A recent Harvard study showed that when a business wants to communicate a message, they put 85% of their effort into the written word, into policies. The same study showed that on average only 3% received the message. This demonstrates that having a written policy about Cyber Security is not the most effective way to communicate best practice to a workforce.
Once a business embraces the culture that Cyber Security is not just an IT problem, but that Security Awareness involves people, processes and technologies, it can begin to put in place appropriate staff training and education at every level. To achieve this, high-quality, relevant content is central to any security awareness programme: it engages users and provides a training programme that is fun, resonates and changes behaviour.
As Cyber Security threats evolve, so must the training, as a continuous process rather than a one-off event. Tomorrow's scams do not necessarily exist today.