CEO fraud victims had weak cybersecurity

A recent U.S. Securities and Exchange Commission report examined nine companies that had been victims of CEO fraud and asked whether they had the internal accounting controls in place that the law requires of public companies.

The report focused on what the FBI calls “business email compromise” (BEC) and what InfoSec circles know as CEO fraud: criminals pose as company executives (or as vendors) to dupe finance staff into wiring company funds to bank accounts the attackers control. The FBI estimates such scams have produced more than $12 billion in reported losses since 2013.

In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each company had securities listed on a national stock exchange and lost at least $1 million; two lost more than $30 million and one lost more than $45 million.

Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement: “We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”

Regulators and lawmakers are increasingly focused on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents.

Not Just Public Companies

It’s not just public companies that are required to have internal controls against risks like this. Recent case law shows that courts expect organizations to have defenses against social engineering in place, and any organization needs what the courts view as “reasonable cybersecurity.” In practice that means a combination of technical controls, trained staff, and a documented procedure (such as an out-of-band callback) for verifying any request to send funds or change payment instructions, since the fraud succeeds at the point where an employee acts on an email alone.

Here Are Three Free Resources

  1. VIDEO: In two very short SecureWorld interviews, attorney Shawn Tuma explains what the courts view as “reasonable cybersecurity” and what your organization needs to have in place. Take 3 minutes and watch these two videos; they are useful ammunition when you are making the case for budget.
  2. WHITEPAPER: This whitepaper from Michael R. Overly shows the common threads running through compliance laws and regulations. Are you familiar with the concept of acting “reasonably” or taking “appropriate” or “necessary” measures? Did you know you are expected to “scale security measures to reflect the threat”? Find out how this can keep you from violating compliance laws or regulations.
  3. PHISH ALERT BUTTON: Train your users not to fall for spoofed social-engineering attacks like this. Install the free Phish Alert Button on their machines so they can report suspicious emails with one click, and make sure someone is assigned to triage those reports, because a report nobody reads does not stop a wire transfer.

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/heads-up-u.s.-government-your-weak-cyber-security-violates-federal-law. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.