Page 5 - NBIZ MAGAZINE December 2021
are showing the employees around them that this is acceptable behavior. This can range from using a simple “shortcut” in a procedure, to using a personal computer that has not been approved by IT. Employees who see leaders not complying with these measures may start to question why they have to do them or may follow suit without asking for approval.

D. Understanding Information Security. While leaders within an organization may not be information security experts, they should be provided with additional training. Having this knowledge will allow the leaders to better explain information security to the employees around them, as well as reduce the likelihood of those individuals being involved in any incidents or events which may reduce their credibility within the organization.

E. Being Involved. Leaders within the organization should be made aware of or involved in the creation of items such as the Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, and other key procedures. While leaders may not need access to all the details, being aware of such information may allow them to better contribute to the organization.

Why is Culture Important?

As an often-overlooked portion of “people, processes, and technology”, internal culture and security awareness are often the only things that come between an organization and a successful social engineering attack. A security awareness culture will encourage employees to question suspicious activity, to be more resilient to social engineering attacks, and to adhere to defined policies, procedures, and controls.

A manufacturing firm suffered from a business email compromise in mid-2021. Business Email Compromise (BEC) is an exploit in which an attacker obtains access to a business email account and imitates the owner's identity, in order to defraud the company and its employees, customers, or partners. In this case, the scammer posed as the CFO. The scammer followed and waited for a Friday evening to send out an email to an Accounts Payable employee asking him to send out a payment to a “new” vendor for $450,000. The email had a sense of urgency attached to it as well as clear instructions that required the employee to pay the vendor that very evening. The employees in this company never questioned anything that came their way and were doers. The scammer took advantage of the fact that there was this submissive culture within the firm of not questioning anything that came in from a position of power, in this case the CFO. This is a classic case where the scammer took complete advantage of a poor security culture.
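The case study above lists the red flags a questioning culture is supposed to catch: an instruction arriving by email from an executive, a vendor not yet on file, a large amount, urgency language, and Friday-evening timing. The following Python script is an added example, not code from the article or from the firm it describes; it turns those flags into a payment-request vetting rule that holds any request scoring two or more flags for out-of-band verification (a phone call to the requester on a number already on file). The vendor names, mailboxes, amounts and policy thresholds are constructed for illustration.

```python
"""
Payment-request vetting rule (added example; not from the NBIZ article).

Scores a vendor-payment request against the BEC red flags described in the
article's case study and decides whether Accounts Payable may release it or
must first verify it out of band. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Phrases that signal manufactured urgency (constructed list, not exhaustive).
URGENCY_WORDS = ("urgent", "immediately", "today", "this evening",
                 "asap", "before close")


@dataclass
class PaymentRequest:
    requester: str        # mailbox the instruction came from
    vendor: str           # payee named in the request
    amount: float         # requested payment amount
    body: str             # free text of the request
    received: datetime    # when Accounts Payable received it
    channel: str = "email"


@dataclass
class VettingPolicy:
    approved_vendors: set     # vendor master file (constructed)
    executives: set           # mailboxes whose instructions need extra scrutiny
    large_amount: float = 50_000.0   # hypothetical threshold
    hold_threshold: int = 2          # flags needed to hold the payment


def red_flags(req: PaymentRequest, policy: VettingPolicy) -> list:
    """Return the list of BEC indicators present in a request."""
    flags = []
    if req.vendor not in policy.approved_vendors:
        flags.append("vendor not in approved-vendor master file")
    if req.amount >= policy.large_amount:
        flags.append(f"amount {req.amount:,.0f} at or above {policy.large_amount:,.0f}")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("urgency language in request")
    if req.channel == "email" and req.requester in policy.executives:
        flags.append("executive instruction received by email only")
    if req.received.weekday() == 4 and req.received.hour >= 16:
        flags.append("received late on a Friday, ahead of a weekend")
    return flags


def decide(req: PaymentRequest, policy: VettingPolicy) -> tuple:
    """HOLD for callback verification when enough flags stack up, else RELEASE."""
    flags = red_flags(req, policy)
    if len(flags) >= policy.hold_threshold:
        return ("HOLD: verify by phone with requester on a number already on file", flags)
    return ("RELEASE", flags)


# Constructed policy and two constructed requests: one modelled on the
# article's Friday-evening CFO scenario, one routine invoice payment.
POLICY = VettingPolicy(
    approved_vendors={"Acme Steel Supply", "Globex Logistics"},
    executives={"cfo@example-manufacturer.invalid"},
)

CASE_STUDY = PaymentRequest(
    requester="cfo@example-manufacturer.invalid",
    vendor="Northwind Fabrication",
    amount=450_000.0,
    body="Please wire $450,000 to the new vendor below this evening. "
         "Urgent: it must go out before close of business today.",
    received=datetime(2021, 6, 18, 17, 30),   # a Friday, 17:30
)

ROUTINE = PaymentRequest(
    requester="ap.clerk@example-manufacturer.invalid",
    vendor="Acme Steel Supply",
    amount=12_500.0,
    body="Monthly invoice #1042 per PO, net 30.",
    received=datetime(2021, 6, 15, 10, 0),    # a Tuesday morning
)

if __name__ == "__main__":
    for name, req in (("case study", CASE_STUDY), ("routine", ROUTINE)):
        verdict, flags = decide(req, POLICY)
        print(f"{name}: {verdict}")
        for f in flags:
            print(f"  - {f}")
```

The point of the rule is not the scoring itself but the control it enforces: a request that stacks up the article's indicators is never released on the strength of the email alone, regardless of who appears to have sent it.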