‘CEO Fraud’ Is The CEO’s Fault

Whichever way you look at it, the > $2Bn lost in ‘CEO Fraud’ is the CEO’s fault. Maybe not so much the first couple of cases (the ‘zero-day’ ones), but from that point forward, falling for such an obvious scam is indicative of broken processes that all point back to the CEO.

Even one of the most basic tenets of security, that of split knowledge and dual control, would have been enough to prevent these attacks! NO-ONE, including the CEO, should be able to authorise these transfers alone, and NO-ONE, not even the CFO, should be able to perform one alone.

Not for all transfers obviously, but when we’re talking hundreds of thousands to tens of millions, how was a single person able to proceed without sufficient checks and balances? For God’s sake, a simple CALL to the CEO’s mobile would have sufficed!
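To make the dual-control point concrete, here is an added example (not code from the original post) of a transfer approval check that encodes the controls the post says were missing: above a threshold, an email alone can never start a transfer, two approvers other than the requester must sign off, and the request must be confirmed out of band by a call back to a number already on file. The thresholds, role names and the sample requests are constructed for illustration, not taken from the cases described above.

```python
"""Dual-control / split-knowledge check for high-value transfers.

Added example, not part of the original post. Policy values below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed policy values (assumptions, not figures from the post).
DUAL_CONTROL_THRESHOLD = 50_000      # above this, two independent approvers are required
CALLBACK_THRESHOLD = 50_000          # above this, out-of-band confirmation is required
ACCEPTED_CHANNELS = {"signed_form"}  # an email on its own never starts a transfer


@dataclass
class TransferRequest:
    requester: str                    # who the request claims to come from, e.g. "ceo"
    amount: float
    channel: str                      # "email" or "signed_form"
    approvers: Set[str] = field(default_factory=set)  # people who have signed off
    callback_confirmed: bool = False  # requester confirmed by phone on a number held on file


def evaluate_transfer(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is reported, not just the first,
    so the person handling the request sees the full picture."""
    reasons: List[str] = []

    # Control 1: the request must arrive through the documented process.
    if req.channel not in ACCEPTED_CHANNELS:
        reasons.append(f"request arrived via '{req.channel}'; a signed form is required")

    # Control 2: dual control. The requester never counts as one of their own approvers,
    # so a CEO (or someone posing as one) cannot self-approve.
    if req.amount > DUAL_CONTROL_THRESHOLD:
        independent = req.approvers - {req.requester}
        if len(independent) < 2:
            reasons.append("dual control: two approvers other than the requester are required")

    # Control 3: out-of-band verification. A reply to the email is not verification;
    # the call goes to a number already on file, not one supplied in the request.
    if req.amount > CALLBACK_THRESHOLD and not req.callback_confirmed:
        reasons.append("no out-of-band callback confirmation of the requester")

    return (not reasons, reasons)


def email_only_request(amount: float) -> TransferRequest:
    """Constructed sample: the pattern the post describes, a bare email from 'the CEO'."""
    return TransferRequest(requester="ceo", amount=amount, channel="email")


def compliant_request(amount: float) -> TransferRequest:
    """Constructed sample: signed form, two independent approvers, callback done."""
    return TransferRequest(requester="ceo", amount=amount, channel="signed_form",
                           approvers={"cfo", "controller"}, callback_confirmed=True)


if __name__ == "__main__":
    for label, req in [("email only", email_only_request(480_000)),
                       ("compliant", compliant_request(480_000))]:
        allowed, why = evaluate_transfer(req)
        print(f"{label}: {'ALLOWED' if allowed else 'BLOCKED'}")
        for r in why:
            print(f"  - {r}")
```

The design point is that the controls are independent of each other and of rank: the requester is excluded from the approver set by construction, so seniority gives no bypass, and the callback requirement is tied to the amount rather than to how convincing the email looks.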

So, in the several thousand companies that have fallen for this scam, we can make several assumptions:

  1. The CEOs are above the processes of other employees – I have to believe that the transfer of [for the sake of argument] $100K requires the completion of a form of some kind. That form is then signed by the requestor, and forwarded on to finance for action. In every case where the fraud was successful, the process began with nothing more than an email.
  2. The CEO is ‘God’ – In this particular case, an accountant transferred $480K based on an email, then only became suspicious when asked for a subsequent $18 MILLION. Seriously? It didn’t occur to the accountant to call the CEO just to make sure? Is the CEO THAT unapproachable that s/he won’t take a 20 second phone call for $480K!?
  3. There is zero oversight on the finance departments – As in the above case, there were clearly no checks and balances in place to confirm authorisation of a transfer, and no-one below the accountant thought to question their own actions based on a largely undocumented request? Just following orders, were they? What does THAT say about the company culture?
  4. The Information / Cyber Security program is a shambles – Even the most basic Security Awareness & Training programs have sections on social engineering and fraud techniques, and no matter how well a thief did their homework, these emails should have been a huge red flag. How is it that people with such enormous impact on a business (i.e. finance) have no training in cyber security basics / essentials?
  5. The organisations have zero ability to address the prevailing threat landscape – How easy would it be for the information / cyber security departments in these organisations to send out ‘mandatory-read’ emails to all staff warning them of the ‘new’ threat? How do mitigation techniques not make their way into business processes after a significant change in the threat landscape?

The saddest part of all this? This type of fraud is ON THE RISE!! Despite the significant press, despite > $2 BILLION in losses, organisations all over the world still haven’t taken appropriate action.

My most used phrase: “Let’s be very clear: the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.”

In this case, replace “[enter any goal here]” with “immunity from email scams” and apply it to the assumptions above. We can determine that:

  1. the CEO’s vision for the organisation does not include an appropriate security program – If they can’t even take care of their own MONEY, what is the chance they can take care of your sensitive data?
  2. the CEOs put themselves above the company values – No company that I know of has ‘Do as I say, not as I do.’ as a published value, but clearly the rules do not apply to these folks.
  3. the direction of any organisation is towards its goals. Obviously. How does the loss of hundreds of thousands of €/£/$ and the sheer embarrassment of falling for this attack add to the company’s bottom line?
  4. unfortunately security is up there with ethics when it comes to CEO priorities. They are a cost of doing business, not fundamental processes that add significant ROI when done properly.

The better CEOs who have been victims will look at the root cause of their incident, point their finger squarely in the mirror, and fix it. The rest will fire the finance person and leave themselves open for the next threat. The best CEOs led their company by example, and didn’t fall for the attack in the first place.

Which do you want to be?

Information Security Needs Teachers, Not Consultants

This blog could just as easily be titled “Information Security Needs Teachers, Not Technology”, but I’ll pick on technology vendors some other time. Then again, it could also be teachers vs. anything-else-you-care-to-mention, because there is nothing in security that cannot be made easier, better, cheaper, more sustainable etc. by someone who passes on their skills to those who need them the most.

Their customer.

Teachers are rarely recent graduates of X University, or theoretical researchers at Y organisation (Gartner, Forrester et al), and especially not a lot of the PCI QSAs I’ve come across. Teachers are the people who sit in front of their clients day in and day out trying to make themselves redundant. I use the phrase: “If you can’t do what I do at the end of this contract, I’ve failed.”

Even in 2016, information security expertise is a depressingly rare commodity, with few organisations able to afford the full-time, or even part-time, retention of SMEs in-house. Instead, the vast majority of organisations hire consultants to help them through their security and/or compliance challenges. In and of itself this makes perfect sense; I have no issue with it, and have in fact made a career out of providing these services.

My issue is with those consultants who don’t teach their clients to do what the consultant was hired to do, perhaps with the assumption that the client will have no further need for the consultant’s input once the job is done. The fact is, if the client doesn’t renew the contract, it’s because either 1) they don’t care enough to accept the guidance given; 2) the consultant drained their available budget; or 3) the consultant didn’t know what the Hell s/he was doing.

In a previous blog (The 4 Consultant Types: Know Which You Are, Know Which to Ask For) I detailed the 4 consultant types:

  1. The ‘Auditor’: Extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. And that’s it.
  2. The ‘Assessor’: Still very tied to the written instructions, but better able to read the intent of the situation, and subsequently better able to tell you why a thing is not right. And that’s it.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong and why it’s wrong, but what you should be doing AND provide several options on how to fix it. That’s it for them too.
  4. The ‘Teacher’: These rare folks are able to enormously simplify the challenge at hand, and teach the client to fix it themselves. And not just once: whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals.

The silly thing is that a good security teacher will never be out of work, no matter how hard they try to pass on their skill-set. Whatever s/he was hired to do for the first contract is invariably just scratching the surface of the work that needs to be done. A consultant may be asked to come back to repeat a task, but a teacher will be invited to help the entire business move forward.

Every security teacher aspires to be invited to take part in an organisation’s Governance committee, where the IT side and the business side have real conversations. Some call this a Trusted Advisor, but frankly I’ve never seen one who was not a teacher first.

The Analogies Project, We Should ALL Be Involved

I’m sure that in an earlier blog I stated that I would never use this medium to promote a vendor or specific product. I cannot find that quote so it clearly didn’t happen, and seeing as this promo is for something that’s actually not-for-profit, I don’t feel like a complete sell-out.

An analogy is defined as “a comparison between one thing and another, typically for the purpose of explanation or clarification”, and as such is an incredibly powerful tool to provide the necessary context to understand something for which we have limited knowledge or experience. For example, the immortal (well, except for his death and all that) Douglas Adams used what to me was the funniest analogy of all time:

The ships hung in the sky in much the same way that bricks don’t.

I have used analogies through my blogs and my career, and frankly, any ‘security expert’ who DOESN’T use them is likely a poor consultant, or just starting out. Too many of us are horribly guilty of the Curse of Knowledge, and end up blaming our clients for what, in the end, can only be our deficiencies.

In a conversation with Bruce Hallas, the founder and passionate driving force behind The Analogies Project, it was not surprising that two famous quotes from Einstein were used to perfectly summarise the issues faced by those giving, and those trying to receive, InfoSec services:

  1. “Insanity: doing the same thing over and over again and expecting different results.”, and;
  2. “If you can’t explain it simply, you don’t understand it well enough.”

And on further reflection, there’s this one that I have always loved by Alan Greenspan; “I know you think you understand what you thought I said, but I’m not sure you realize that what you heard is not what I meant.”

Any guidance we provide to our clients on information security is only as good as what is understood and retained. Imparted knowledge is meaningless without the listener’s understanding of it (knowledge = seeds, understanding = ploughed field, ooooh an analogy!!). I have long maintained that the ultimate consultant is one who teaches, and there are no great teachers who do not take their audience’s individuality into account. You don’t explain where babies come from the same way to your 5 year old child as you would to your teenager, do you?

Yes, your client must WANT to learn in the first place, and the constant fight against the lack of security culture is not something we can fix by ourselves, but I firmly believe that a change in culture can only come with a true understanding of the benefits, and that will never be a one-size-fits-all, even within the same organisation.

This is where The Analogies Project could truly shine. Having an analogy for a risk assessment is one thing, but having a series of analogies for Receptionists, the C-level, and everyone in between, broken down by personal interest or sector applicability and so on, will provide usable experience to everyone. Giver and receiver.

I am signing on as a contributor and will be mentioning The Analogies Project in all of my subsequent training or InfoSec presentations (ISC2, ISACA, ISSA etc.). I urge you to do the same.

Go here to begin: https://theanalogiesproject.org/contact-us/