Yet another example of why ...
... big business needs actual IT professionals in control of IT. Business-types are absolutely, totally, and completely clueless about computers/networking/security.
Internal anti-phishing programs are essential to prevent chief executive officers wiring money to fraudsters, threat man Donald McCarthy says. The programs are an underrated yet proven method for clamping down on what is perhaps the world's most successful and widely-used avenue to attack businesses and individuals. Business …
It is not an IT problem. The problem is CEOs that bypass their company's purchasing procedures. The procedures apply to everyone, not just the shop floor. If the procedure is too much hassle for the CEO then it's too much hassle for everyone else and needs to be simplified.
In any case, requests for money should go to the accounts department, who are supposed to control and check outgoing payments. It is very common for businesses to receive fake invoices, bills and other kinds of scams. Not just by email, sometimes by post or phone. Unless everything checks out they go in the bin.
Of course, the accounts dept might still screw up, because they are usually a bunch of useless idiots who think they are financial geniuses because they can mistype numbers into a poorly designed Excel spreadsheet, but that's a different problem.
The small engineering company I do occasional work for has it pretty tightly under control. There is only one person handling payments, and she absolutely will not pay out anything without a purchase order number and payment/account details that exactly match her records.
However, the company is remarkably lacking in Jags, Yachts & golf courses.
Company policy should be that you can only read emails to your company address PROVIDED
* You know the sender via the sender's address
* People with whom you are in regular email contact agree with each other how to recognise each other's messages (eg. agree what the subject says exactly even though it may have zero to do with the actual message. I agree with Jane that her next important email will be headed 'It is raining in Borneo'.)
* A department (sysadmin?) must manually allow me to read emails from people I have not previously had email contact with.
I agree with Jane that her next important email will be headed 'It is raining in Borneo'.
See, this secret squirrel stuff is why actual education is so important. If you think getting people to follow password security requirements is a chore, try implementing this "proposal."
Ongoing education and personal consequences for failing to follow policies are a much more reasonable and effective approach. This applies to both IT and accounting. Simply having a policy in place that no-one at any level may make expenditures above a certain amount without a defined set of individuals being required to approve the deal goes a long way toward killing the effectiveness of phishing scams.
I work with teams around the world, with many email exchanges, on projects across large estates, with loads of people sometimes emailing in on threads if we have a problem, outside contractors, various different companies running sites, getting clearance for access to places etc etc.
Running an email policy like that would be more work than the actual work I do.
As a general rule people are stupid about how many of their emails they actually read, whether at work or at home. And that includes CEOs.
Ideally people should not open an email at all unless they absolutely positively MUST. And for their own financial sake companies should teach their staff to do that.
A carrot and stick policy could work: in extreme cases getting fired for opening too many dodgy emails, and bonuses for avoiding them (and warning cow-orkers about the latest dodgy subject lines).
Over the years I've come across a number of boss types who are paranoid about what the staff do. To the extent that they will spend more time and money on preventing petty theft, not following purchase rules or skiving than they could actually save. But a good rule of thumb seems to be that the tighter they are with the people below, the less likely they are to follow procedures themselves.
More to the point, when I did some mangelment courses they said that the evidence was that just trusting staff to do the job correctly and honestly got better results than trying to control their every move. And there was also a mention of managers being seen to lead by example...