Top execs make big targets, especially when traveling abroad. Here’s how to protect C-level officers from whaling, espionage, and themselves.
Senior executives are among the favorite targets of malicious hackers and other bad actors, in part because they are more likely to hold valuable information — or have a high level of access to such data.
That’s why it’s so important for organizations to make sure C-level officers and other top executives are adhering to the strictest data protection standards and are using appropriate security technologies whenever possible, including when they travel to high-risk locations.
“Executives are targeted for their access and influence within organizations, especially those whose purview includes sensitive financial data or personally identifiable information,” says Wayne Lee, chief cyber security architect at West Monroe Partners, a business and technology consultancy.
Pretty much anyone who has access to information of potential value is at risk of cyber attack, says Steve Durbin, managing director of the Information Security Forum, an independent organization dedicated to investigating and resolving key issues in information security and risk management.
“Of course this will include the usual suspects in the C-suite, but it is no longer restricted to the boardroom,” Durbin says. “Personal assistants, systems admin staff, pretty much anyone who has the ability to provide access to the determined cyber criminal on the hunt for valuable information are now in play.”
Here are some steps organizations can take to protect executives and their immediate associates from being the entry point into a major security breach.
Make it clear to executives that they will be targets
Busy executives don’t want to worry about the possibility of being the next target for a cyber attack. But this is something they need to be thinking about.
“Executives need to internalize that they are targets,” says Bill Thirsk, vice president of IT and CIO at Marist College. “Cyber attackers take time to watch, plan, practice, hone, and harden their art before going after a high-value target. Attackers have the luxury of stealth, time, duplicity, and multiple platforms for designated random attacks — all of which work against normal human behavior, curiosity, and the need for connectedness.”
An executive’s “digital footprint” needs to be understood and gaps must be closed as a matter of practice, Thirsk says. Social accounts should be registered, confirmed, and monitored, he says.
But getting executives to buy into protection is a challenge. “Every statistic I’ve seen shows that executives are the least likely to adhere to policies that they expect everyone else to follow,” says Paul Boulanger, vice president and chief security consultant at SoCal Privacy Consultants. “In part, this is because they are the people most willing to sacrifice security for convenience.”
Organizations need to ensure that technological controls are in place rather than expecting executives to operate in a secure manner. “For instance, the mail server needs to make it mandatory for smartphones to have encryption enabled and password lock enabled in order for access to corporate email to be allowed,” Boulanger says. “If the executive — or any other user — disables the password lock, email access is automatically removed.”
In some cases, limitations will not work with executives. “We have found that for our executives in higher education, hard fencing — placing digital boundaries — of any sort does not work,” Thirsk says. Engaging with all kinds of people requires contact and attention, “so restriction is not in the executive’s lexicon,” he says.
The only way to stay ahead of threats is through intelligent and mainly self-imposed, informed behavioral modification designed to ensure safety online. Executives can’t rely solely on someone else to protect them anymore. “They must be able to easily discern bogus email addresses, nefarious links, or other tell-tale ‘wanky’ context,” Thirsk says.
Take threats seriously — and educate execs attacks
Phishing attacks — and more recently ransomware — are common ways to get executives to provide critical information hackers need to steal data. “When thinking of recent threats that destroyed leaders and their organizations, phishing attacks and ransomware are not getting the press they deserve,” Thirsk says. “They certainly aren’t regularly discussed at the board table with seriousness.”
It’s natural for executives to want to be connected to a rapid stream of up-to-date information, and because of this need they are sometimes too eager to click on what appears to be an important or intriguing message, Thirsk says.
At the same time, executives demand to have one device connected to all of their channels of information — business and personal. “Commingling different security requisites onto one single device is a disaster waiting to happen,” Thirsk says.
It’s up to IT and security leaders to convince senior executives about the severity of these kinds of attacks and to do something about it before an incident takes place. “This can only be achieved when senior management is convinced that personal and operational cyber defense must be discussed at length with seriousness and intent to change behavior,” Thirsk says.
Phishing can take various forms that are designed for high-level executives.
“There is an increase in the sophistication of ‘whaling attacks’ that target the harvesting of credential information or request a wire transfer from company accounts,” Lee says. Whaling is used to describe phishing attacks that specifically target high-level executives, celebrities, and public figures.
“These attacks historically have a high success rate,” Lee says. “There are many campfire stories of the executive who fell for the travel rewards phishing attack, the one that asked for special privileges on their computer. Each one of these stories usually ends up with the executive becoming the victim of some type of cyber attack, and in some instances results in a data compromise at the company level.”
It’s important to keep in mind that hackers can use public information on social media sites such as LinkedIn, Instagram, Facebook and other sites to build profiles of targets, Lee says. This profile can be used to tailor a phishing attack or coerce the target, he says.
Make secure use of email a priority
Keep in mind that email is one of the most common sources of attacks against executives. “We encounter frequent and increasingly sophisticated email attacks on executives and the accounting department,” says Barr Snyderwine, director of information systems and technology at Hargrove, a provider of event services.
“It is the typical spoofing attack trying to trick someone into paying to what looks like a legitimate site or bank,” Snyderwine says. “Recently they get on the phone with AP [accounts payable] and spoof an email from the exec to send payment. Interesting since getting on the phone is time consuming. Execs also get the emails from attackers spoofing other execs to send payments.”
A good practice is to use endpoint protection to strip out malware attachments, Snyderwine says. “We update frequently,” he says. “Patching is also critical; everything is automatically patched.”
In addition, have in place policies that any email be verified with the sender either face to face or on the phone, and get confirmation by another executive. “Training has been very successful,” Snyderwine says. “Our execs identify the spoofed emails now.”
Also, test executives and other staff several times a year to make sure they’re adhering to policy regarding email.
Protections when executives travel on business
Executives can be victimized by cyber attacks anywhere, but the threat can be especially high when they’re traveling overseas.
Organizations should have check-out/check-in procedures and security guidelines for electronic devices and media that leave the organization’s home country, Lee says. “This would include the quarantine and inspection of such electronic resources upon return,” he says.
“When travelling to certain high-risk regions in the world, there must be an expectation that any device executives travel with will be copied when crossing the border,” Boulanger says. “Executives should take ‘burner’ laptops that contain only what they need off-line, such as a presentation.”
Any data that they need access to remotely should be made available over a secure channel, such as a secure remote desktop or virtual private network (VPN), or stored on a hardware-encrypted USB drive where encryption cannot be disabled, Boulanger says.
“When returning, laptops and other data storage devices should be treated as if they had malware installed and go through a routine wipe prior to re-use or connected to the corporate network,” Boulanger says.
Hargrove has a standard policy to never use public Wi-Fi, but that is difficult to enforce because so many staffers travel. “We provide both Mi-Fi cell units and encourage staff to use their own phone hotspots and pay them to use them,” Snyderwine says. “This has been effective.”
Wi-Fi networks can indeed be risky, whether they’re in hotels, restaurants, airports, conferences facilities or other locations. Bad actors can set up a simple fake Wi-Fi hotspot to gain access to an executive’s laptop or mobile device, Lee says.
Bolster the security of the IT infrastructure
It kind of goes without saying that having a strong security program in the first place will help reduce or avoid damage from cyber security attacks against individuals. But it’s a critical component of protecting against data breaches aimed at executives.
“We suggest starting not with the individuals, but with the critical information assets that an organization is trying to protect,” Durbin says. “This will naturally lead on to include an assessment of naïve users who may be vulnerable” to a number of threats such as spearphishing attacks.
It will also enable the discovery of unpatched systems that allow technical vulnerabilities to be exploited, poorly secured systems that can be discovered using scanning tools, inadequately protected wireless network routers that can be accessed by attackers, and the systems in place for disposal of information that can be easily stolen or copied, Durbin says.
“Whichever area you are examining it is important to take into account three primary sets of threats: adversarial, accidental, and environmental,” Durbin says. “The approach adopted to securing the information — and its users — will then lead the business into the development and communication of security controls that are appropriate for the information asset and the user.”
As an example, there’s little point in trying to implement a policy that includes the wholesale prevention of the use of public Wi-Fi if the business depends highly on a distributed staff that’s constantly on the road.
Don’t forget about training
Executives, like any other employees, need to be reminded of the importance of security. “If these folks are required to access sensitive information, better to look at encryption, at virtual network solutions, and above all else at education and training,” Durbin says. “But link all of these things to the business benefits that the individual will gain by adopting a safer approach to the use and sharing of information.”
Executives must participate in security awareness training on a regular basis, have their assigned workstations, laptops and mobile devices updated and patched regularly, and use VPNs and other secure communication technologies when needed, says Nathan Wenzler, chief security strategist at consulting firm AsTech Consulting.
“Security teams should augment their standard employee security awareness training with additional guidelines and details for executives, highlighting the greater risk and information exposure executives face because of the more public-facing aspect of their positions,” Wenzler says. “Encouraging greater awareness of how and why executives are specifically being targets will increase the chances that a social engineering attack will be caught and thwarted before it can be successful.”
Restrictions might have short-term effect, but if you can’t win over the hearts and minds of executives and show clear business and personal benefit of restrictions, they will fail as the users discover workarounds that enable them to get their jobs done, Durbin says.
“Effective security, now more than ever, requires an understanding of how information is accessed and used at all stages of the lifecycle, at all times of day and in all variety of locations,” Durbin says. “And above all, [it] requires an understanding of the most complex interface of all — the user.”
This article originally appeared on CIO.