RSA Conference 2024 – getting there

Our visit to the RSA Conference in San Francisco started with a conversation on the plane with the C-level executive of a mid-sized organization about business email compromise (BEC) incidents, phishing threats, and cybersecurity awareness training. With respect to BEC incidents, one of their customers suffered an email thread hijacking incident that resulted in $500k due for payment to the executive’s company being redirected to a threat actor’s bank account. When the executive’s company hadn’t been paid after three weeks, questions were raised. The error sat with the customer; after compromising an email account at the customer’s organization, the threat actor had watched email patterns over several months and observed a regular payment request, and then inserted a new email in an existing thread that asked for a change of payment details.

In terms of phishing, the executive commented that this continues to be a problem, but thanks to new cybersecurity awareness training over the past 6 months, staff have become more adept at spotting threats. He acknowledged that he had failed a recent cybersecurity awareness test, but anyone who complains to the security team about the realism of training is sarcastically told that the team will “ask the hackers to be more obvious in their attempts.” He said state-sponsored attacks scare him the most and that he would prefer to be ignorant of all such threats. 

Such a story (and undoubtedly there were others if we had interviewed everyone on board) underscores the importance of cybersecurity for all organizations and hence the importance of the conversations about to happen at RSAC24 this week.

On a travel-related note, the flight across the Pacific was one of the bumpiest flights we’ve ever encountered. Thank you to Air New Zealand for navigating the turbulent weather pattern and its shocks throughout the night. It was like a free visit to the roller coasters at Disneyland.

