The news that Ubiquiti Networks Inc. recently lost $46.7 million to cyber criminals perpetrating a so-called ‘CEO fraud’ is alarming to say the least.
The company revealed in an SEC Form 8-K filing that an incident involving “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department … resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”
Following an investigation, “the Company, its Audit Committee and advisors have concluded that the Company’s internal control over financial reporting is ineffective due to one or more material weaknesses”.
Ubiquiti’s Chief Accounting Officer resigned.
Human error
Employee impersonation and fraudulent banking requests are becoming increasingly common – and successful.
Brian Krebs reports that CEO frauds and similar scams cost businesses $215 million in the 14 months to January 2015. Such frauds typically begin “with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name … the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.”
The phishing attack that yields access to the executive’s email account could be avoided – as could the email request that exploits the credulity of the financial controller who, wanting to please their boss, transfers funds without checking.
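The look-alike reply-to pattern Krebs describes above (display address matching the real domain, "Reply-To" pointing at a domain one or two characters off) is something a mail gateway or a finance-team mailbox rule can check mechanically. The Python script below is an added example, not code from the original post or from IT Governance: it parses constructed sample messages, flags a Reply-To domain that differs from the From domain, and flags any sender domain that is within a small edit distance of, or a digit-for-letter substitution away from, the organization's own domain. The trusted domain `example.com`, the substitution table, and the three sample messages are assumptions made for the illustration.

```python
"""Flag CEO-fraud style messages whose sender or Reply-To domain only
looks like the organization's real domain.  Added example with constructed
sample messages; the trusted domain and substitution table are assumptions."""
from email import message_from_string
from email.utils import parseaddr

# Digit-for-letter swaps commonly seen in look-alike domains (assumed list).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Fold common visual substitutions so 'examp1e.com' and 'exarnple.com'
    both collapse to 'example.com'.  'rn'->'m' can also fold a legitimate
    domain, so the result is only used for comparison, never displayed."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, trusted_domain: str, max_distance: int = 2) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    msg = message_from_string(raw)
    headers = {"From": msg.get("From")}
    if msg.get("Reply-To"):                  # only examine Reply-To if present
        headers["Reply-To"] = msg.get("Reply-To")
    domains = {label: domain_of(value) for label, value in headers.items()}
    from_dom = domains["From"]
    reply_dom = domains.get("Reply-To", from_dom)

    findings = []
    # Krebs' pattern: replies are silently redirected to the fraudster.
    if reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    for label, dom in domains.items():
        if dom == trusted_domain:
            continue
        near_miss = 0 < edit_distance(dom, trusted_domain) <= max_distance
        if normalize(dom) == normalize(trusted_domain) or near_miss:
            findings.append(f"{label} domain {dom!r} looks like {trusted_domain!r}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_FRAUD = (
    "From: CEO <ceo@example.com>\r\n"
    "Reply-To: ceo@examp1e.com\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please process the attached payment today and keep it confidential.\r\n"
)
SAMPLE_LOOKALIKE = (
    "From: CEO <ceo@exarnple.com>\r\n"
    "Subject: Quick favour\r\n"
    "\r\n"
    "Are you at your desk? I need a payment sent before close of business.\r\n"
)
SAMPLE_LEGIT = (
    "From: CEO <ceo@example.com>\r\n"
    "Subject: Board pack\r\n"
    "\r\n"
    "Attached for review ahead of Thursday.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("look-alike", SAMPLE_LOOKALIKE),
                      ("legit", SAMPLE_LEGIT)):
        print(name, "->", check_message(raw, "example.com") or "clean")
```

The check is deliberately narrow: it compares only against the organization's own domain, so a genuine supplier domain is not flagged, and a Reply-To that merely differs from From is reported separately from a look-alike so that a reviewer can see which rule fired. Pair it with a process control (the finance team phones the requester back on a known number before any transfer) rather than relying on the filter alone.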
Enterprise-wide information security
A robust information security management system (ISMS) recognizes that human error is a major risk, and addresses people and processes as well as technology.
The international standard for information security management, ISO 27001, sets out the requirements for an enterprise-wide ISMS, including staff training and fully documented processes that address specific risks through the application of best-practice security controls.
ISO 27001 presents a comprehensive and logical approach to developing, implementing, and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.
The additional external validation demonstrated by accredited registration to ISO 27001 will improve an organization’s cybersecurity posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.
Live Online ISO 27001 training
IT Governance’s ISO 27001 training courses are built on the foundations of our extensive practical experience of designing and implementing ISMSs. They provide a structured learning path from Foundation to Advanced level for practitioners and implementers, and help you to develop the skills you need in order to deliver best practice and compliance in your organization, as well as providing the tools for career advancement via industry-standard qualifications.
Now, thanks to our Live Online training courses, anyone in the US – and, indeed, anyone in the world – can attend an expert-led training course without needing to incur the costs and inconveniences associated with classroom-based training courses, and can still go home at the end of each training day.
Available ISO 27001 training courses include ISO 27001 Foundation, Lead Implementer, Lead Auditor, and Transition.