Ratna Yudhiyati - 44047509 - Business Report Cybercrime
Executive Summary
Wesfarmers, as one of the biggest corporations in Australia, needs to pay more attention to social engineering risk. Social engineering is a type of security attack that involves misleading people into voluntarily performing specific actions or disclosing information by utilising social interaction and persuasion methods. Symantec (2016) found that the retail industry was one of the most popular targets of social engineering attacks. The people aspect is very important in the retail industry, and this is the main reason why social engineering attacks often target it.
The damages of a social engineering attack can be classified into two categories: primary and secondary. The three primary damages are stolen information, a compromised information system, and direct financial loss. These three damages may be caused by any social engineering attack, but the most popular social engineering attack in the retail industry is identity impersonation.
There are also two secondary damages, which are reputational and operational damage. A compromised information system will disrupt Wesfarmers’ operations and harm the company’s reputation. Stolen information will make Wesfarmers lose its competitive advantage. Secondary damage is often considered the costliest damage of a social engineering attack, and it is difficult to estimate the loss.
This report provides recommendations for preventive countermeasures against social engineering attacks. The recommendations are as follows: (1) basic training about social engineering for new employees, (2) security awareness training for partners, (3) advanced social engineering training, and (4) security policies about corporate email.
Introduction
Social engineering is a type of security attack that involves misleading people into voluntarily performing specific actions or disclosing information by utilising social interaction and persuasion methods (Albrecht et al 2016). Information Security Media Group (ISMG) found that social engineering was regarded as the most dangerous threat in 2016 by 60 percent of respondents (ISMG 2016).
Wesfarmers, as one of the biggest corporations in Australia, needs to pay more attention to social engineering risk. Wesfarmers has interests in many industries, but retail is Wesfarmers’ main business (Wesfarmers 2016). Symantec (2016) found that the retail industry was one of the main targets of popular social engineering attacks, especially spam email, phishing, and spear-phishing. If Wesfarmers neglects this risk, the possible implications will be dangerous for Wesfarmers.
This report has two main purposes. First, it analyses and evaluates the risk of social engineering attacks on Wesfarmers. Second, it proposes recommendations to Wesfarmers’ Board of Directors to manage the risk of social engineering.
Recommendations
There are three categories of countermeasures against social engineering: preventive, detective, and corrective (Cullen and Armitage 2016). This report focuses on preventive countermeasures because stopping a cybersecurity attack before it happens is the cheapest and most effective method (Albrecht et al 2016).
Education
1. Basic training about social engineering for new employees
The main purpose of this training is to ensure that employees have a similar level of understanding of the social engineering threat and of how to respond to it, despite their different backgrounds.
2. Security awareness training for partners
Partners’ employees who work on the company’s premises, such as security or cleaning staff, are often the main cause of security breaches. They usually have low security awareness. Wesfarmers needs to address this risk by giving basic training to these employees or by requiring partners to provide security awareness training for their staff.
3. Advanced social engineering training
The targets of this training are higher-level employees who may become targets of complex social engineering attacks. These employees need to improve their knowledge of the evolving techniques of social engineering.
Security Policies about Corporate Email
Wesfarmers needs to apply a know-your-partner principle as part of its corporate email policy. Employees may open an attached file or hyperlink in an email only if they properly understand the content of the email they receive and who the sender is. Employees also need to validate the sender’s background if they receive an important request from an unusual email.
Conclusion
Wesfarmers has a high risk of social engineering attack because its main business is retail. The three possible primary damages of a social engineering attack on Wesfarmers are stolen information, a compromised information system, and direct financial loss. There are also two secondary damages, which are reputational and operational damage.
This report focuses on providing recommendations for preventive countermeasures against social engineering attacks:
1. Basic training about social engineering for new employees
2. Security awareness training for partners
3. Advanced social engineering training
4. Security policies about corporate email
REFERENCE LIST
Albrecht, W, Albrecht, C, Albrecht, C, & Zimbelman, M 2011, Fraud Examination, Cengage Learning.
Conteh, NY & Schmick, PJ 2016, ‘Cybersecurity: Risks, Vulnerabilities, and Countermeasures to Prevent Social Engineering Attacks’, International Journal of Advanced Computer Research, vol. 6, no. 23, pp. 31-38, viewed 11 May 2017, http://dx.doi.org/10.19101/IJACR.2016.623006
Information Security Media Group 2016, Email Security: Social Engineering Report, ISMG, Princeton, viewed 15 May 2017, https://www.agari.com/project/report-email-security-social-engineering-survey/?pr
Janczewski, LJ & Fu, L 2010, ‘Social Engineering-Based Attacks: Model and New Zealand Perspective’, in Proceedings of the 2010 International Multiconference on Computer Science and Information Technology, pp. 847-853, viewed 15 May 2017, https://doi.org/10.1109/IMCSIT.2010.5680026
Symantec 2016, Internet Security Threat Report, vol. 21, Symantec, Mountain View, viewed 11 May 2017, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
Wesfarmers 2016, 2016 Annual Report, viewed 11 May 2017, http://www.wesfarmers.com.au/docs/default-source/reports/2016-annual-report.pdf?sfvrsn=8