Sunday 2 October 2016

People protecting people ... against people

We've just delivered the next block of security awareness materials, some 210 Mb of freshly-minted MS Office content on the human side of information security.

The module covers the dual aspects of people-as-threats and people-as-controls. It's all about people.

The threats in this domain include social engineers, phishers, scammers and fraudsters, while controls include security awareness and training, effective incident response procedures and various other manual and administrative activities, supplemented with a few specific cybersecurity or technical and physical controls.

Whereas the awareness program has covered phishing and spear-phishing several times before, our research led us to emphasize "whaling" this time around. Whalers use social engineering techniques to dupe financial controllers and procurement professionals into making massive multi-million-dollar payments from fat corporate bank accounts into the criminals' money laundering machinery, where it promptly disappears as if by magic - not the entertaining kind of stage show magic where the lady we've just seen being sawn in half emerges totally unscathed from the box, more the distinctly sinister tones of black magic involving chicken body parts and copious blood.

In comparison to ordinary phishing, whaling attacks capture fewer but much bigger phish for a comparable amount of investment, effort and risk by the fraudsters. We are convinced it is a growing trend. Luckily, there are practical things that security-conscious organizations can do to reduce the risk, with strong security awareness being top of the list. As with all forms of information security, we accept that widespread security awareness (a 'security culture') is an imperfect control, but it sure beats the alternative. What's more, awareness is much more cost-effective than most technological controls, especially in respect of social engineering and fraud. Artificial intelligence systems capable of spotting and responding to incidents in progress are under development or in the fairly early stages of adoption by those few organizations which can afford the technology, the support and the risks that inevitably accompany such complex, cutting-edge systems. In time, the technology will advance, and so will the threat. Security awareness will remain an essential complement, whatever happens.

If building your security culture is something you'd love to do, if only you had the time and skills to do it, get in touch. Our people are keen to help your people.
