Upper Management and the Tech Gap

Ask anybody who works in an organization to describe the age group of upper management at their workplace. I'm sure there's that older guy in procurement who types with both index fingers and is never in his office, or that lady who reminds one of the headmistress's assistant in primary school.

What I'm trying to put across is that some of these older folks in upper management have no clue how to handle IT-intensive situations; most of them have assistants who handle all their digital tasks. All a hacker needs is one malicious email and the guy in procurement is done for.

Recent Events

Major hacking events that have come to light in recent months, such as the SEC, Deloitte and Sony hacks, highlight a glaring weakness when it comes to managing cyber security at the executive level.

All these major hacks involved a simple email targeting a member of upper management, also known as a High Value Target (HVT). This kind of attack is commonly referred to as a spear phishing attack, and it normally goes like this:

  1. An HVT in the organisation/company receives an email from a seemingly legitimate source, such as the finance department.
  2. Because the email seems to come from within the organisation, the HVT does not hesitate to download the attached PDF labelled "1st quarter earnings".
  3. Unbeknownst to the HVT, they have just downloaded a malicious PDF that installs a persistent backdoor.
  4. The attacker has now completed the first stage of the attack; from here they can steal, modify and deny access to all of the organisation's data.
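The pattern in the steps above (a message that looks internal, comes from a department the target trusts, and carries a financial attachment) can often be caught by checking whether the message headers agree with each other. The following is an added example, not code from the original post: a small triage check over two constructed messages. The organisation domain `example-corp.com`, the sample headers and the `looks_alike` heuristic are all assumptions for illustration.

```python
# Added example (not from the original post): header-consistency triage for
# "seemingly internal" spear phishing. Domain and messages are constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # assumed internal domain (constructed)

# Constructed sample: lookalike sender domain, external bounce path, redirected replies.
SUSPICIOUS = """From: Finance Department <finance@examp1e-corp.com>
Return-Path: <bounce@mailer-xyz.example>
Reply-To: <finance.desk@mailer-xyz.example>
Subject: 1st quarter earnings
"""
# Constructed sample: a genuinely internal message whose headers agree with each other.
LEGIT = """From: Finance Department <finance@example-corp.com>
Return-Path: <finance@example-corp.com>
Subject: 1st quarter earnings
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def looks_alike(candidate: str, trusted: str) -> bool:
    """Same length and exactly one character different (e.g. 'l' swapped for '1')."""
    return len(candidate) == len(trusted) and sum(a != b for a, b in zip(candidate, trusted)) == 1

def triage(raw_message: str) -> list:
    """Return the reasons a message should be held for human review ([] if none)."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    path_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    reasons = []
    # Claims to be internal, but bounces would go to a different domain.
    if from_dom == ORG_DOMAIN and path_dom and path_dom != ORG_DOMAIN:
        reasons.append("internal From but Return-Path domain is " + path_dom)
    # Display name borrows an internal department while the address is external.
    if "finance" in display_name.lower() and from_dom != ORG_DOMAIN:
        reasons.append("'%s' display name on external domain %s" % (display_name, from_dom))
    # Replies are silently redirected to a third domain.
    if reply_dom and reply_dom not in (from_dom, ORG_DOMAIN):
        reasons.append("Reply-To redirects to " + reply_dom)
    # Sender domain is a one-character lookalike of ours.
    if from_dom != ORG_DOMAIN and looks_alike(from_dom, ORG_DOMAIN):
        reasons.append("lookalike sender domain " + from_dom)
    return reasons
```

Run against the two samples, `triage(LEGIT)` returns no reasons while `triage(SUSPICIOUS)` returns three, which is the kind of signal a mail gateway can use to hold a message for review before it ever reaches the HVT's inbox.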

Antivirus, you say! There are videos online that teach people how to make malicious documents that cannot be detected by regular anti-virus.

Hacking Hillary

Another example of upper management and the tech gap rearing its ugly head happened to the Hillary Clinton campaign team. The Clinton team was hit with a total of 29 carefully designed spear phishing emails that requested top Clinton lieutenants to increase their security and change their passwords.

Screenshot: the phishing emails received by the Clinton team

Twenty-eight of the emails were red-flagged, but the hackers struck gold when one unfortunate HVT fell for the trap. They managed to steal 50,000 emails, some with attachments containing confidential data, and revealing that Clinton, the highest-value target of all, had installed a work server at home!

A man calling himself Guccifer 2.0 revealed in a recent interview that he used a very simple method, readily available tools and human error to defeat the DNC's already substantial digital security team.

Sony Speared

With the Sony hack, the modus operandi was similar: a phishing campaign targeting upper management, and in no time the hackers were in. The hackers revealed private emails of movie studio heads discussing the attitude of some A-list stars, movie budgets, movie star salaries, upcoming projects and much, much more.

In East Africa

Research companies have revealed that only a fraction of organisations report when they have fallen victim to cyber crime. The study reports that organisations would rather stay quiet than risk damaging their reputation and brand image.

In East Africa we have corruption, and a certain belief that if the next-gen firewall cost one million shillings then it must be 100% secure. Certain folks in upper management believe that as long as they put all the money into technology, they are protected!

Training is the Answer

Upper management should in fact be receiving more training in becoming cyber-aware individuals, because they are the most valuable targets in the organisation.

A compromised customer service rep may reveal a network map to a social engineer, but a compromised manager will reveal far more valuable data that puts the company at risk.

The cheapest and best way to bridge this managerial tech gap is continuous, integrated training. This type of training aims to keep the HVT aware of the cyber dangers and of the digital risk they themselves pose to the company; the fact that it is continuous ensures that they are always aware of the latest tricks and tactics the hackers are using.

Training is not only cheaper, but its return on investment is higher than installing "shiny new tech". Training instils a sense of responsibility in the trainee and eventually results in the whole organisation having cyber-aware employees.

So next time you are at work and your manager is getting on your case, you can rest easy knowing that sooner or later they are going to be on the hot plate.