High profile cyber incidents such as massive data breaches have become increasingly common across industries, especially in the past two years. Such events speak to the shift in perception for cyber crimes–from an overlooked and niche concern to a public, major security problem for organizations across industries. Everything from manufacturing, healthcare, and traditionally higher risk sectors such as banking and technology have been privy to such incidents. In the corporate realm, senior executives are primary targets of hackers, fraud and phishing scams due to their high level of access to valuable corporate information.
“Globally, 40% of companies cited their c-level employees, including the CEO, as their highest cybersecurity risk.” – Information Age
Threat actors will also pursue a principal’s family and immediate associates as an entry point into a security breach. Locating the information necessary to target high profile individuals, their families, and staff have never been easier. In addition to using executives as an entry point into a breach, attacks against executives can impart severe damage against the brand they represent.
Executives and their organizations can identify prevalent cyber threats in today’s risk environment and consider the measures required to maintain the integrity of their principal’s personal information along with their company’s data. By creating or augmenting existing protocols that ensure the digital protection of various senior individuals–c-suite members, board members, those in other leadership positions–organizations can secure business continuity and safeguard one of their most exposed assets: their leaders.
1. Mobile security
Executives and high-ranking officials are often called upon for domestic and international business travel. Their extensive use of mobile platforms while on the road and during their commutes increases the odds of a mobile security threat. Like viruses and spyware that can infect computers, there are security threats specific to devices such as smartphones, tablets, and connected IoT devices. Mobile threats can be divided into four basic categories: application-based threats, web-based threats, network-based threats, and physical threats.
Biggest mobile security threats according to CSO:
- Data leakage
- Social engineering
- Wi-fi interference
- Out-of-date devices
- Poor password hygiene
- Physical device breaches
A cyber attack on an executive can become a physical threat when various connected devices like a door lock or security camera are compromised. By breaching a fragile online connection, nefarious actors can potentially gain access to the executive’s home or monitor their activities from a distance.
2. Increased Likelihood of Cyber Crimes against Businesses
No matter the size of the organization, one of the most prominent challenges executives face is the risk of their business becoming a cyber crime target. Common motives for attacking a principal are financial, revenge, or activist related. Now more than ever, executive digital protection has become a business necessity. And with cyber crimes against businesses on the rise, it’s only a matter of time before executives are face to face with a cybersecurity threat.
“Overall, detections of threats to businesses have steadily risen. They increased by about 7% from the previous quarter, while consumer detections declined by nearly 40%. Compared to Q1 2018, business detections have skyrocketed 235%.”
3. Social media
An executive’s social media habits and preferences can be leveraged by a threat actor to gain access to their data, and in turn, damage their organization’s brand. When considering any form of executive digital protection, analyzing the social media usage of the executive and their family should be a key part of the conversation. Hackers can use public information on social media platforms such as LinkedIn, Instagram, Facebook, and other sites to build profiles of targets. This profile can be used to tailor a phishing attack or coerce the target. An attack on an executive can cause a significant amount of brand damage. And being able to protect them on the cyber front is very important.
While social media companies like Twitter, Instagram and Facebook do take measures to scrub data from the images users upload to their platforms, the initial metadata received from the images is stored on their servers. This data includes the users’ time of capture, geo coordinates or posting location, and much more. If a social media platform’s network is breached, this information can be accessed by threat actors and potentially used against executives in an attack.
4. Business Email Compromise Scams (BEC)
When targeting high level executives, hackers might rely on a combination of attacks: whaling phishing attacks, executive impersonation, and business email compromise. Business email compromise (BEC) scams can combine spear phishing, email spoofing, social engineering, and occasionally malware. BEC scams are an increasing problem for businesses of all sizes, resulting in massive losses to organizations. What makes these messages more devious is that they can usually avoid the spam filter since they’re not a part of a mass-mailing campaign. BEC scams are more targeted in nature, and typically avoid the usual spam indicators that get flagged by most email servers.
A recent survey by the Association of Financial Professionals found 77% of organizations experienced attempted or actual business email compromise scams, commonly called CEO fraud, in 2017.
Protecting Against Business Email Compromise Scams
Businesses can protect against scams that target high-level executives, especially whaling scams, by following these tips from the BBB:
- Be wary of short, generic messages. Scammers won’t write a long email; they’ll try to pass off something short and generic as harmless, hoping you’ll click quickly without thinking.
- Double check before clicking or downloading. A mouse click is all it takes to inadvertently grant access to your computer, accounts, and information, or unleash malware on your systems.
- Think about how you share. Never send sensitive, personal, or proprietary information via email, regardless of who’s asking you for it.
- Watch out for emails to groups. Sending an email “from the CEO” to a staff or employee email list is the fastest way for a scammer to attack and affect an entire business.
- Set up processes. Make sure your company has a procedure for all requests involving sensitive information or payments, and make sure that procedure is followed. For particularly wide-reaching requests or large amounts, require employees to check with their managers first.
5. Insider threats
What can executives do to protect themselves and their company against insider threats? To reduce the chances of a breach caused by current employees, former employees, contractors, or business associates, cybersecurity professionals recommend auditing, securing, and regularly patching software as the first step. According to Verizon’s 2015 Data Breach Investigation, “99.9% of successful hacks take advantage of vulnerabilities that have been known for at least a year.” Virtru recommends a strict software whitelist to be implemented for all employees and contractors to prevent breaches through the use of minimally secured apps.
Applications to secure:
- Legacy systems
- Communication and collaboration apps
- Cloud storage and file sharing tools
- Finance and accounting tools
- Social media and intranets
A proven strategy for reducing cyber attacks on executives and businesses is to implement and maintain counters to the threats outlined above through an executive digital protection program.
How to manage executive cyber risks:
|Measure your executive exposures||Protect your company’s critical assets|
|Incorporate frequent comprehensive risk reviews||Gain executive buy-in|
Call on Prescient to leverage our expertise and intelligence-community based methodology. Our specialized framework was built on years of tradecraft knowledge and can be used to accurately assess your executive level of cyber risk. We have the right mix of people and technology to guide the most effective measures to protect your executive’s personal information and company’s reputation. Let us assist implementation of the most effective and appropriate safeguards for your organization’s leadership and key stakeholders.
Executive Digital Protection Capabilities:
- Digital Footprint Assessments
- Threat Scenario Planning
- Custom Search String Creation
- Security Question Vulnerability Reviews
- Deep & Dark Web Searches
- Digital Scrubbing Recommendations
- Ongoing Monitoring
Executive Digital Protection Benefits:
- Locate and assess key personnel’s digital presence
- Remove compromised data
- Mitigate cyber risks with data-driven, real-time decision making
- Intelligence community analysis