Cyber criminals recently hit the email marketing giant Mailchimp with a multi-level attack aimed at the compromise of cryptocurrency wallets. According to a statement from the company, the threat actor
- Phished Mailchimp employees to gain access to customer accounts in the cryptocurrency and financial industries.
- Sent spoofed emails to customers of at least one cryptocurrency wallet provider, Trezor, with a message that, because of a “security incident”, customers should download an application to set up a new PIN. The application was a convincing fake that collected the logon credentials for the customers’ wallets and could enable the thieves to transfer currency to their own accounts (no word on how much, if anything, was stolen).
Social engineering plus web application attack across multiple companies – it’s an alarming indication of the sophistication of attackers, and the sort of high-profile incident that provokes questions from the C-suite or the board: “What are the odds of it happening here and what would it cost us?”
Cyber Risk Quantification for Social Engineering
FAIR™ (Factor Analysis of Information Risk), the international standard for cyber risk quantification, analyzes risk based on two main factors:
Frequency: How often do we expect that an external malicious actor will attempt to compromise sensitive information by gaining a foothold in the environment through social engineering?
Magnitude: How much financial loss will we experience each time that event occurs?
Event Frequency Data-gathering Questions
- How many phishing campaigns are reported in our organization, per year?
- What is the organization’s click rate on phishing email?
- Do we have endpoint protection controls to prevent a malicious file from executing? How effective are they?
- If a foothold in our network were gained, what other defenses, such as Identity and Access Management, are in place?
Event Magnitude (Financial Loss) Data-gathering Questions
Common losses that might occur:
- Incident response management
- Customer notification
- Regulator notification
- Credit monitoring for customers
- Legal costs, fines and settlements
- Customer loss
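As an added illustration (not the RiskLens platform or FAIR's official method), here is a simplified FAIR-style Monte Carlo in Python that turns answers to the frequency and magnitude questions above into an annual loss estimate and lets you game out a control change. All input values are constructed, and treating click rate, endpoint controls and IAM as independent pass-through layers is a simplifying assumption.

```python
import math
import random

# Constructed illustrative answers to the frequency questions above (not data from any real organization)
CAMPAIGNS_PER_YEAR = 40      # phishing campaigns reported per year
CLICK_RATE = 0.08            # fraction of campaigns in which a user clicks the phishing email
ENDPOINT_BLOCK_RATE = 0.85   # chance endpoint controls stop the malicious file from executing
IAM_CONTAINMENT_RATE = 0.60  # chance IAM controls keep a foothold away from sensitive data

# Loss categories from the text, with constructed (minimum, most likely, maximum) USD per event
LOSS_CATEGORIES = {
    "incident response management": (50_000, 150_000, 500_000),
    "customer notification": (10_000, 40_000, 150_000),
    "regulator notification": (5_000, 15_000, 50_000),
    "credit monitoring for customers": (20_000, 100_000, 400_000),
    "legal costs, fines and settlements": (50_000, 300_000, 2_000_000),
    "customer loss": (25_000, 200_000, 1_500_000),
}

def loss_event_frequency(campaigns, click_rate, endpoint_block, iam_contain):
    """Expected loss events per year: attempts that get past the click, endpoint and IAM layers."""
    return campaigns * click_rate * (1 - endpoint_block) * (1 - iam_contain)

def poisson(rng, lam):
    """Number of loss events in one simulated year (Knuth's method; fine for small rates)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1

def single_event_loss(rng):
    """Magnitude of one event: a triangular draw from each loss category, summed."""
    return sum(rng.triangular(low, high, mode) for low, mode, high in LOSS_CATEGORIES.values())

def simulate_annual_loss(years=20_000, seed=7, campaigns=CAMPAIGNS_PER_YEAR, click_rate=CLICK_RATE,
                         endpoint_block=ENDPOINT_BLOCK_RATE, iam_contain=IAM_CONTAINMENT_RATE):
    """Monte Carlo over simulated years: odds of a loss year plus annual-loss percentiles."""
    rng = random.Random(seed)
    lef = loss_event_frequency(campaigns, click_rate, endpoint_block, iam_contain)
    annual = sorted(sum(single_event_loss(rng) for _ in range(poisson(rng, lef))) for _ in range(years))
    pct = lambda p: annual[min(int(p * years), years - 1)]
    return {"loss_event_frequency": lef, "p_any_loss_year": sum(a > 0 for a in annual) / years,
            "mean": sum(annual) / years, "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}

if __name__ == "__main__":
    print(simulate_annual_loss())
    print(simulate_annual_loss(endpoint_block=0.95))  # game out stronger endpoint controls
```

The "p_any_loss_year" figure is the answer to the board's "what are the odds?" question under these assumptions; rerunning with a different control value shows how much a mitigation moves both the odds and the loss percentiles.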
Users of the RiskLens enterprise-level cyber risk analysis platform can enter values for these factors, or use pre-packaged data from RiskLens tailored to their industry, run FAIR analyses for social engineering and a wide variety of other use cases, and then game out the effect of various mitigations to reduce exposure.
A Fast, Low-Cost Way to Quantify Risk from Social Engineering
For organizations that don’t have the time, staff, or funding to field an enterprise-level cyber risk analytics team but still want to effectively answer management’s “what are the odds?” questions, RiskLens recently launched the Industry Cyber Risk Report as a free service.
We collected the best available data on the main categories of cyber loss events and applied FAIR analytics to power risk reporting based on real, historic cybersecurity events for your industry, region, and employee count.
Select your information and we’ll give you a ranked list of the three highest-risk categories based on the demographics selected. Each category will include an estimated probability of an event in that category impacting a company like yours as well as how much it would likely cost. You’ll see right away if social engineering is a top risk for organizations such as yours.
For a sharper focus, upgrade to the My Cyber Risk Benchmark tool and unlock metrics on the probability and impact on your organization of seven risk categories, including social engineering, web application attack, ransomware and more. Take a deeper look at your risk based on your security posture and specific data type and records count, among other variables. You’ll also see how your company compares to your peers across risk factors.
These metrics will provide you with a big first step in prioritizing cybersecurity investments, leveraging the power of cyber risk quantification in a fast and easy format.