There's nothing preventing cyber-savvy criminals from attacking companies with tactics that have already shown their effectiveness in the political realm.
Identity deception played a major role attacks like the one that struck the email system of John Podesta, Hillary Clinton’s presidential campaign chief, last year. Such deceit has become a major cyber security challenge because it targets the weakest link: the end user. Social engineering techniques have evolved to a state where it is no longer a question of if someone will fall for an attack, only when. But does the private sector really understand the business threat, and are corporate cyber defenses strong enough?
The problem is that many companies are blind to the threat, as well as the potential damages. Between October 2013 and December 2016, the FBI documented $5.3bn in losses from business email compromise (BEC) attacks, a prevalent form of targeted email attack which typically uses some form of identity deception. Key company executives have also been fired after their companies fell victim to a cyberattack.
The first step in addressing the threat is to understand it. Some organizations are concerned that attackers may attempt to spoof them to consumers, typically as part of phishing campaigns. Others worry about emails targeting their employees (e.g., BEC emails); attempts to trick employees to download ransomware; or attempts to infiltrate the organization to steal sensitive data.
