Cybersecurity Practices for Executives
Imagine this for a second. You’re the CEO of a mid-sized, well-respected charity. You get a phone call from accounting: “Are you really sure you want to approve this $20,000 transfer? That’s a lot of money, and this is the first time I’m seeing this invoice.”
$20,000 invoice? What are they talking about? You haven’t heard of any invoice.
“I’m looking at an email from you saying that you approve this invoice . . .”
Here’s what happened. Attackers spoofed your email address and sent a credible-looking message with an invoice attached to your accounting department. The only thing that stopped it was a skeptical accountant who picked up the phone to double-check. You were nearly the victim of a whaling attack.
Most CEOs and other C-suite executives understand that if their business is subject to a massive and successful cyberattack, it can be career-ending. What is less understood is that attacks targeting the C-suite are on the rise. Cybersecurity is vital for any business and any employee, but the bigger the target, the more important cybersecurity has become, and the C-suite has the biggest targets.
Beware of CEO Phishing / Whaling Attacks
A whaling attack is a specialized form of spear phishing aimed at senior executives, or impersonating them. By targeting the people who can authorize payments and access the most sensitive data, attackers hope for a large payout or a valuable leak.
Executives need training to recognize phishing attempts and should be especially wary of emails that request sensitive information or prompt for credentials. Other employees need to exercise the same diligence when a message appears to come from the C-suite. It isn’t uncommon for attackers to spoof a CEO’s email address and ask an employee for sensitive documents “for a confidential project.” Note that the sender address is not proof of anything: an attacker can forge the exact address if the company’s domain does not enforce DMARC, register a lookalike domain (examp1e.org instead of example.org), or simply put the executive’s name on a free webmail account and rely on the recipient not checking the address. Any request that is unusual, urgent, or asks for money or data should be confirmed through a channel other than the email itself.
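The following is an added example, not code from the original article, showing how a mail gateway or a security team’s triage script can flag the spoofing patterns just described: an exact-domain forgery that fails DMARC, a lookalike domain, an executive’s display name on an outside address, and a Reply-To that diverts replies elsewhere. The company domain, the executive list and the four sample messages are all assumed or constructed for illustration; the lookalike check is a deliberately crude heuristic.

```python
"""Triage inbound mail that appears to come from an executive.

Added example, not from the original article. Company domain,
executive list and sample messages are assumed/constructed.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.org"                       # assumed company domain
EXECUTIVES = {"dana chen": "dana.chen@example.org"}  # assumed: display name -> real address


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results
    headers added by the receiving gateway (first verdict per method wins)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=COMPANY_DOMAIN):
    """Crude heuristic: not the company domain, but within two edits of it
    (examp1e.org) or embedding its first label (example-org.com)."""
    if domain == target:
        return False
    return levenshtein(domain, target) <= 2 or target.split(".")[0] in domain


def assess(raw_message):
    """Return a list of red-flag codes for one RFC 822 message string.
    An empty list means no flag fired, not that the mail is genuine."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1]
    flags = []

    verdicts = auth_results(msg)
    if from_domain == COMPANY_DOMAIN and verdicts.get("dmarc") != "pass":
        flags.append("dmarc_fail")          # exact-domain forgery (or no check at all)
    elif is_lookalike(from_domain):
        flags.append("lookalike_domain")

    expected = EXECUTIVES.get(display.strip().lower())
    if expected and expected != addr:
        flags.append("display_name_spoof")  # executive's name on someone else's address

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("reply_to_mismatch")   # replies would be diverted
    return flags


# Constructed sample messages, trimmed to the headers assess() reads.
GENUINE = """From: Dana Chen <dana.chen@example.org>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=example.org
Subject: Q3 budget

Please send the Q3 budget when ready.
"""

EXACT_SPOOF = """From: Dana Chen <dana.chen@example.org>
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail header.from=example.org
Subject: Urgent invoice

Please approve the attached $20,000 invoice today.
"""

LOOKALIKE = """From: Dana Chen <dana.chen@examp1e.org>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=examp1e.org
Subject: Confidential project

Send me the contract list for a confidential project.
"""

FREEMAIL = """From: Dana Chen <dana.chen.ceo@gmail.com>
Reply-To: payments@outlook.com
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=gmail.com
Subject: Wire transfer

I'm in a meeting, wire the funds and reply here.
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("exact_spoof", EXACT_SPOOF),
                      ("lookalike", LOOKALIKE), ("freemail", FREEMAIL)]:
        print(f"{name}: {assess(raw) or 'no flags'}")
```

Two design points worth noting. The lookalike and freemail messages pass DMARC, because the attacker controls those domains; publishing a DMARC reject policy for your own domain stops only the exact-domain forgery. And a clean result is a weak signal: a compromised executive mailbox produces mail that passes every check here, which is why the confirmation call in the opening story is still the control that matters.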
Use Loaner Devices
Laptops and smartphones can contain reams of important company information, not to mention login credentials and session tokens. Depending on the level of the executive and the nature of the trip, it may be safest to issue loaner devices that carry only the data needed for that trip and are wiped on return. It isn’t difficult, for example, for the border agency of a less-than-friendly country to image a phone it has taken out of sight for a few minutes. A more common concern, however, is a lost, misplaced, or stolen device; stolen devices result in data breaches all the time. Whatever the device, full-disk encryption, a strong unlock code, and the ability to wipe it remotely should be non-negotiable.
Avoid Free Wi-Fi
Free Wi-Fi, which is frequently poorly secured, is an excellent spot to launch a man-in-the-middle attack, and anyone can set up a hotspot named after the hotel or airport. This is an easy risk to avoid. Executives who need connectivity while travelling should receive unlimited data plans and simply tether their phone. A company VPN and the near-universal use of HTTPS reduce what a snooper can read, but they do not stop a hostile network from seeing which sites are visited or from serving a fake captive portal, and a less-than-security-conscious executive may click through a certificate warning. Staying off the free network removes the opportunity altogether.
Stick to a Policy on Personal Devices
Does your company have a bring-your-own-device (BYOD) policy? Or does it issue devices to employees? Or does it depend on the employee?
Because of the sensitive nature of their jobs, C-suite executives may need a policy specific to them. More importantly, it should be more, not less, strict than the policy for junior employees.
Upgrade Home Security
What executive doesn’t take work home with them? At a minimum, executives need training on how to properly set up their home network: change the router’s default administrator password, keep its firmware updated, use WPA2 or WPA3 with a strong passphrase, and disable remote administration. For larger companies, executives who do a lot of work from home, or businesses with especially sensitive information, more may be needed. A security consultant could set up the home network, or the executive could be required to keep work devices on a separate network from the family’s laptops, smart TVs and other home gadgets.
Lock Down Social Media
Social media can be another vector for a phishing attack, or it can provide attackers with the raw material for a credible one: travel dates, the names of assistants and direct reports, a pending acquisition, the conference an executive is speaking at this week. Executives need to ensure that their social media privacy settings are set to maximum and should think about what a post reveals before publishing it. Further, they should periodically review their friends and contacts lists, since a connection request from a fake profile is an easy way in.
Set Up Policies for Sharing Information and Approving Spending
If an executive emails an employee for a sensitive document, is there a policy in place to confirm that the request is real? Should there be a confirmation call after an email? Who gets to approve spending, and how can you ensure that the approval is real? Is an email good enough, or does there need to be something more when the request exceeds a specific amount? Whatever the threshold, the confirmation must happen out of band: a call to a number from the company directory, not to the number in the email’s signature, and never a reply to the message itself, since an attacker who controls the sender address also controls the replies.
Obviously, company size and structure, among other factors, will dictate the details of these policies. However, given the damage a whaling attack can do, and given that a single skeptical employee is often the last line of defense, these policies are necessary.
The consequences of skimping on website security services, not preparing for DDoS attacks, or ignoring other common security gaps are widely understood. Businesses should give as much attention to executive cybersecurity. After all, the consequences of a whaling attack can be devastating.