May 24, 2019

Catch a fish or land a whale. For hackers the choice is getting easier.

Try to trick an employee and get past the IT defences, then camp out on the network for months hunting for something of value; or go straight for the CEO.

Both take time, but option two could net you the crown jewels in one go.

C-suite and board-level executives are increasingly on the cybercriminal radar, partly because they have direct access to the most valuable commercial information in the organisation, but also because so many senior leaders paint a virtual target on their backs.

You’d think that CEOs would be desperate to plug any holes that would leave themselves or their organisations open to cyberattack. But research suggests otherwise.

A 2019 report from UK hosting provider The Bunker says that many senior executives ignore cyber threats, and often feel that their unique position in the organisation places them above security policies.

The truth however is that their privileged access to sensitive conversations and business information makes their personal accounts and devices extremely valuable – key company assets that should be subject to the strictest security protections.

Targeting the top table

People at the top of the corporate ladder are as vulnerable as anyone else to attempts at social engineering, phishing, or infection by malware used to exploit vulnerabilities and gain access to accounts.

To land a corporate whale, hackers will do a thorough investigation into a senior executive’s personal and professional life, including in-depth monitoring of the company website and associated social media accounts of employees and their extended networks.

Part of that analysis will focus on executives’ personal devices. Last year’s iPass Mobile Security Report highlighted the growing number of mobile vulnerabilities that organisations are having to manage.

As they rank amongst an organisation’s most mobile employees, perhaps it’s no surprise that 40% of companies say that executives, including the CEO, are their biggest cyber security risk.

Insider threats at every level

You don’t have to look any further than the world’s richest man to understand how vulnerable senior executives are to breach.

Amazon founder and CEO Jeff Bezos had his phone breached this past April. Hackers broke in and stole highly personal photos, then shared them with US tabloid The National Enquirer.
</grn_replace>
<gr_replace lines="33" cat="clarify" orig="While people">
While people in the public eye can take extra steps to avoid having their devices hacked (additional encryption, disposable ‘burner’ phones, or regularly replacing devices), ultimately the security protections available for smartphones are much the same for everyone.

While people in the public eye can take extra steps to avoid having their devices hacked –additional encryption, using disposable ‘burner’ phones, or regularly replacing devices – ultimately the security protections available for smart phones are pretty much the same for everyone.

So are the vulnerabilities.

With their access to systems and facilities, employees have the power to leak intellectual property, disrupt operations, damage company reputation, or expose sensitive information to third parties.

That’s especially true for c-suite employees – perhaps by an order of magnitude given their access to commercial secrets.

Better training is key to tackling insider threats at every level, to make staff aware of their own actions and sensitise them to signs of adverse behaviour in others.

But even as more senior executives support security training programmes, not enough take part themselves, or work to make cyber awareness central to the culture of the business.

It’s fair to say that many executives fall into a category of insider threat we call the ‘persistent non-responder to training’ – employees who don’t intend to behave badly, but cause concern because they can fall into consistent patterns of negligent behaviour.

Leading from the front

The Ponemon Institute says security breaches caused by insiders can cost a business as much as £6.9 million per year. IBM says insiders enable 60 per cent of cyber attacks.

With the cyber threat growing in both scale and complexity, more and more organisations are looking to create or strengthen a culture of cybersecurity at work.

Having C-suite executives promote and take part in security awareness training, and lead by exhibiting the behaviours of cyber awareness themselves, has to be part of that effort.
