According to a recent report published by the Federal Bureau of Investigation, losses due to social engineering scams are 200 times higher than those caused by ransomware and 20 times higher than those caused by identity theft.
This is surprising considering the amount of media coverage and IT spending related to preventing ransomware and identity theft. It makes us wonder:
- Why do organizations spend ten times more effort, time, and money on something that’s 200 times less destructive to their business?
- Why are organizations simply not paying more attention to social engineering fraud?
There are three main reasons for this:
- No clear ownership – When dealing with ransomware and identity theft, it’s clear who is responsible for preventing them – the CISO. With social engineering scams, the victims are usually finance/AP teams, so sometimes prevention falls under the treasurer’s responsibility; sometimes it’s the CAO or CFO; and sometimes it’s the CISO. There is no single clear owner.
- Relying on manual procedures – It’s clear that we need to use technology to prevent ransomware and identity theft (multi-factor authentication, EMV, threat scanners, smart backups, etc.). Social engineering prevention, on the other hand, is considered a “soft skill” that relies on following strict manual working procedures. Humans, unfortunately, tend to make mistakes. This leaves the door open to successful social engineering fraud.
- Lack of regulation – Regulations such as GDPR encourage organizations to protect themselves against identity theft and ransomware. Until recently this was not the case with social engineering.
So, how can we change the situation?
- Ownership – There must be a single owner responsible for protecting the organization from social engineering scams. This should be the CISO, who needs to work hand-in-hand with the CFO and the internal auditor. The CISO is the best person to implement both the technology and processes to protect the corporation’s data, systems, and business.
- Technology – Organizations should adopt technology that prevents social engineering. Solutions that validate bank account ownership and monitor outgoing payments in real time have proven extremely effective in mitigating the risk.
- Regulation – Audit committees should treat losses due to social engineering with the utmost severity and should not be satisfied with well-written manual procedures. We are beginning to see this happen: the lack of strong controls to prevent such incidents is now classified by audit committees as a “material control deficiency.”
I believe that every CEO, CFO, and CIO who adopts the three recommendations above will put their organization in a much better position to protect itself from losing millions of dollars to social engineering scams.