It's no secret that cybercriminals are doing all they can to find direct lines to end users and using social engineering techniques to fool them into making bad decisions. What may not be totally clear is that attackers are not simply concentrating on higher-echelon roles; they are looking up, down, and across org charts to identify their targets. It’s a topic we covered at length in our 2019 State of the Phish Report, and we pose this question now: Is your organization contributing to the problem?
Get to know your VIPs… and your VAPs
It’s natural to regard C-Suite and board members as high-value targets within your organization; their VIP status, access privileges, and inside knowledge make them desirable marks for cybercriminals. But these individuals aren’t the only targets within your organization—nor are they necessarily the most frequently attacked staff members.
There is a clear distinction between VIPs and “VAPs” (very attacked people). And it’s to your advantage to understand the difference.
Following is an example of a VAP chart for a healthcare service provider. It notes the top 20 most-attacked inboxes over a three-month span; the anonymized data was pulled from Proofpoint’s proprietary threat analysis technology, which helps to detect, mitigate, and block advanced threats that target people through email. There are several individuals on the list who would be classified as VIPs—like the President and CEO, Senior Financial Analyst, and VP of Strategy and Innovation. However, there also lower-level staff members, as well as third-party contacts and general inboxes, in this VAP mix.
Source: 2019 State of the Phish Report
The variations among the targets (and methods) illustrated in this chart reflect attackers’ preparedness, agility, and tenacity. Attacks were far from “one size fits all” during the three-month measurement period. Of note: The only instances of ransomware were sent to the general HR alias—an inbox likely to receive legitimate attachments on a regular basis.
The takeaway here? The assumption that VIPs are the only valued targets within your organization is a dangerous assumption indeed.
Ask yourself: How much visibility are you giving to attackers?
Social and digital media have made it much easier to find information about people and open lines of communications. As those of us in cybersecurity already know, this is a double-edged sword: Visibility is fine for customers and trustworthy people who want to reach out to your company and find answers, but a nuisance—even a danger—when it comes to unsolicited and malicious emails, text messages, phone calls, and social connections.
It can be difficult to determine the right line to walk when it comes to sharing details about your organization and staff via public-facing channels like websites, social profiles, and even annual reports. In the end, this decision is one that organizations must evaluate individually, based on their communication goals, brand vision, and regulatory requirements.
Still, there are some basic thoughts and best practices to consider with details like this.
Know what’s out there... and tell people about it
Since InfoSec teams are on the hook to protect organizations from attack, they should become familiar with the information that’s being offered on public channels, including the following:
- Email aliases
- Names, roles, and personal details about staff members
- Insights into travel and event schedules for particular individuals
- Staff members who have high-visibility social channels and/or who have permission to post about company business
Cybercriminals use public facing pieces of information to launch phishing and other social engineering attacks, so InfoSec teams also should be well-versed about this data. All inbound email channels (even aliases) should be monitored, and individuals who receive and respond to messages received via aliases should be trained to treat these communications with extra care. In addition, any individuals whose information is being placed on a public channel should be alerted to that fact and cautioned that cybercriminals could use those details to craft attacks (phishing, vishing, or otherwise) that feel more personal.
Become a privacy advocate
When possible, work with marketing, human resources, and legal teams—as well as executives—to determine the right level of detail for public channels. Many times, there’s a desire (from a brand perspective) to add a personal touch to customer-facing assets. But how much is too much?
As noted prior, this can be a difficult question to answer, but it should be thoughtfully answered. We suggest trying to strike the right balance between what needs to be available (from a business perspective) and details that are strictly designed to promote a feeling of personal connection. Here’s a good example: Is it necessary that any visitor to a website be given the ability to directly contact specific individuals within the company, without any sort of qualification? Frankly, in many cases, that answer is no.
For instances in which it’s determined that a specific person’s contact information (email, phone number, or otherwise) should be made public, try to offer some level of insulation, particularly if it’s a person with privileged access. For example, instead of publishing a corporate email address, use an alias that doesn’t match internal email conventions—for example, JosephSmith@company.com rather than firstname.lastname@example.org—and provide some education about what to look for. This approach can help recipients to better qualify incoming messages, and because they break “normal” email address constructions, spoofing may be more likely to raise a red flag.
Educate users about cybercriminals’ methods
Our State of the Phish Report clearly illustrates that targeted individuals vary from industry to industry and organization to organization. (Download your copy to compare the earlier VAP chart to one from a manufacturing organization.) Virtually anyone could be (or become) a VAP. As such, you should take steps to:
- Raise awareness of cybercriminals’ use of channels like LinkedIn, Google, Facebook, and other public sources of personal information;
- Provide education about best practices for sharing data; and
- Train employees to identify and avoid attacks that exploit these identifying details.
- Utilize threat intelligence to identify the VAPs within your organization.
- Examine your anti-phishing training data to reveal the most vulnerable users.
- Use these metrics to quiet the perfect storm that’s brewing: the overlap between the populations identified in steps 1 and 2.
- Never squander the opportunity to deliver the right training to the right people at the right time.