Verizon: hackers are targeting C-level executives with social engineering attacks

Corporate computer attacks are on the rise as hackers increasingly target the C-level executives who have easy access to sensitive information, according to a report from technology provider Verizon released today.

The trend poses an escalating risk for supply chains as companies increasingly digitalize their operations and conduct e-commerce sales through online payments, placing vast amounts of personal data on computer databases.

C-level executives are now the major focus for social engineering attacks, where hackers pretend to befriend their targets through fraudulent business emails, winning their trust to convince victims to click on links or reveal passwords, according to the Verizon 2019 Data Breach Investigations Report (DBIR).

Also known as "pretexting," these attacks can reap large dividends because of senior executives' often unchallenged approval authority, and their privileged access into critical systems, Verizon said. One reason for the growing trend is that top execs are typically time-starved and under pressure to deliver, so they tend to quickly review and click on emails prior to moving on to the next, or even have assistants manage that email on their behalf.

Statistically, senior executives are now 12 times more likely to be the target of social incidents—and 9 times more likely to be the target of social breaches—than in previous years, the report found. Now in its 12th edition, the Verizon report analyzed 41,686 security incidents, and 2,013 confirmed breaches, from 86 countries.

Cyberattacks in the logistics sector have received growing attention in recent years, following supply chain incidents like a 2013 hack that stole millions of shoppers' credit card data from retailer Target Corp., and the 2017 "Petya" and "Wannacry" ransomware attacks that hobbled container shipper Maersk A/S and food supplier Mondelez International Inc.

The report also highlighted how the growing trend to share and store information within cost-effective cloud based solutions is exposing companies to additional security risks. Analysis found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials.

"Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical - often personal - data WILL be assembled and analyzed at eye-blink speed, changing how applications utilize secure network capabilities," George Fischer, president of Verizon Global Enterprise, said in a release. "Security must remain front and center when implementing these new applications and architectures."

Other trends identified in the report showed that:

• human resources personnel have seen attacks decrease six-fold from last year, as W-2 tax form scams have almost disappeared from the study's dataset,
• credit card chip and pin payment technology has started delivering security dividends, pushing the number of physical terminal compromises in payment card-related breaches to decrease compared to web application-based compromises,
• ransomware attacks are still going strong, accounting for nearly 24 percent of incidents where malware was used,
• crypto-mining attacks were hardly existent, despite receiving much attention in media reports, accounting for roughly 2 percent of incidents,
• outsider threats remain dominant, with external threat actors remaining as the primary force behind attacks (69 percent of breaches) with insiders accounting for just 34 percent.

To build up defenses against these changing risks, enterprise businesses should see technical IT hygiene and network security as "table stakes" to help employees at every level to understand their risk posture and the threat landscape, Verizon said.

"As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed," Bryan Sartin, executive director of security professional services at Verizon, said in a release. "They really need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line."