When the top is targeted: protecting the C-Suite and the boardroom from cyber risk
The online world is getting more and more personal. The ease of collecting personal data via online features such as “cookies” means that businesses are now much better at targeting individuals’ needs and tailoring products and services to best meet their preferences.
But there’s a darker side to this targeting: cyber criminals are turning their sights on C-suite executives and, through them, gaining access to corporate systems and information.
Non-executive directors (NEDs) are victims of exactly the same type of targeting as C-suite executives: they are similarly high profile, easily identified and named through publicly available information, and equally privy to a wide variety of highly sensitive commercial and personal information. We would also caution that they are not always afforded the same security offered to executives and employees of the firms they represent, as they will sometimes transact business over their own Wi-Fi and via their own personal Hotmail- or Gmail-type email addresses. The following insights will also be of relevance and interest to NEDs.
Cyber criminals often see executives as lucrative targets, offering top-tier access to an organization’s systems. As a result, senior business leaders are more likely to be victims of cyber crime than other employees, according to Aon’s 2020 Cyber Security Risk Report.
Why are executives such valuable targets for cyber criminals? Mainly because inadequate cyber crime education, one-size-fits-all cyber security training, frequent travel and bring-your-own-device (BYOD) policies provide easy entry points for cyber criminals.
“It’s not that the C-suite doesn’t understand the gravity of cyber risk,” says Stephanie Snyder, commercial strategy leader at Aon Cyber Solutions. “Most executives recognize cyber security as a business driver, and many have some management responsibility for that security. It’s the increasing sophistication of the opponent, the sheer increase in the number of attacks and leaders’ access to sensitive corporate information that make C-level executives more vulnerable.”
C-suite executives are 12 times more likely to be targeted in cyber attacks than other employees in their organization, according to Verizon’s “2019 Data Breach Investigations Report.”
Cyber criminals targeting senior business leaders typically focus on financial rewards: 71 percent of C-suite cyber attacks were financially motivated, with attackers looking to make money from company or employee data, intellectual property or ransomware.
“Compared with the average employee, executives offer very attractive targets for cyber criminals,” says David Yaches, senior vice president at Aon Cyber Solutions.
Executives typically have greater access to privileged information, often enjoy more lax security constraints than other employees, travel frequently – relying on mobile devices and public Wi-Fi – and are often surrounded by an “entourage” of privileged individuals who themselves provide access to the executive, says Yaches. “Executives tend to have more attack vectors – ways you can breach a person or a corporation – than the average employee,” he says.
Not surprisingly, 40 percent of companies indicate their top cyber security risk involves C-suite executives (source: Information Age, Trouble at the Top: Are CEOs the greatest security risk to organisations? February 2018).
CHANGING BEHAVIOR TO REDUCE EXECUTIVES’ RISK
Executives’ growing exposure to cyber attacks highlights the need for organizations to take a more comprehensive approach to managing cyber security risk, rather than leaving the issue for the IT security team to resolve. Given their role in promoting learning, development and change management, HR leaders are key players in the cyber resilience journey.
Cyber security training must be customized for the diverse roles across an organization – including at the highest levels of leadership. Executives must be educated about the nature and extent of the cyber threats they face and the important part they play in their own cyber security.
“Because of their demanding roles and frequent travel, executives may ask for exceptions to corporate security policies,” says Yaches. “Policy exceptions may be unavoidable. The key is to make sure that those exceptions don’t create a vulnerability in an organization’s infrastructure.”
Practicing good cyber security is largely a behavioural issue, Yaches says, but changing the way people access their information and how they protect it can be difficult, especially if it adds extra steps. Cyber security best practices such as using virtual private networks to encrypt communications, password managers and identity monitoring all require employees to invest more effort and time into making these solutions part of their everyday routine.
“The initial challenge is that cyber security protection solutions require people to change their habits and take actions they’re not accustomed to taking, and some of them are inconvenient,” Yaches says.
Executives must also understand that their cyber exposure goes beyond the company’s front door.
“It’s not about one individual. It’s about a whole network of individuals,” says Yaches. “Access to the executive can be gained through family, through the chief of staff or an executive assistant. The cyber security of the executive’s network must be just as resilient as the executive’s own security.”
STEPS TO ACHIEVE EXECUTIVE CYBER SECURITY
According to Aon’s 2020 Cyber Security Risk Report, several key elements can help control executives’ cyber security exposures:
Executive vulnerability assessments
Quantifying executives’ cyber risk vulnerability across their entire network – including their families – is essential. Assessments should cover not only the potential for corporate compromise but also individual and family compromises. Assessments can involve one-on-one discussions and data gathering, including examinations of both the open and dark web, to evaluate an executive’s cyber security risk. Organizations can then take steps to secure the executive and their family members with individualized cyber security solutions, bolstering resilience in this particularly exposed area.
Mitigating executives’ cyber risk can include information governance, training on phishing and social engineering attacks, instruction on reducing exposure and sharing knowledge of emerging fraud schemes. Resilience begins with executives’ awareness of the problem and guidance on how they can address their own risk.
Security technology such as identity monitoring and password management tools can also be useful in mitigating executives’ cyber security risk, but only if the executives use them.
“Many organizations have a great cyber story on paper – they’ve got powerful tools and training programs in place. But are employees across the company, including the C-suite, using those tools correctly and fully?” asks Snyder. “Regular audits can be helpful to ensure plans are being followed properly and tools are consistently used as intended.”
As with any culture change, building organizational cyber resilience works best when executives lead by example: modeling a culture in which every employee believes it is their responsibility to build and maintain a level of cyber vigilance. Implementation of cross-functional governance programs as well as comprehensive cyber awareness training programs – collaborating with learning and development experts in HR – can accelerate cyber risk maturity. Setting cyber maturity goals and expanding accountability for cyber resilience to leaders beyond the chief information security officer are also important.
Risk-transfer mechanisms such as cyber insurance can help executives address the impact of identity theft, business email compromise losses and ransomware attacks. Beyond cover that protects the organization from cyber attack losses, executives might consider adding a layer of personal identity theft protection. Many companies offer such coverage as an employee benefit and, while the market for personal cyber insurance is evolving, companies could consider offering it to board members, executives and employees.
WHEN CYBER CRIMINALS TARGET EXECUTIVES, ORGANISATIONS MUST PERSONALISE PROTECTIONS
As cyber threats continue to increase, the C-suite is square in the sights of cyber criminals. To protect both those executives and the business itself, organizations must start to treat the executive as an asset and account for executives’ unique cyber vulnerabilities – both at work and at home – and take steps to address them.
“Executives’ cyber exposure must be treated as a critical security issue for the company,” says Yaches. “A critical security issue is something the organization would address, and it would be on the radar constantly. That’s really what you have to do with executives’ cyber risk.”
And, as threats – and business leaders’ exposures – change, security models must constantly evolve and adapt.
“As we move toward increasing personalization as a society, our cyber resilience training programs should be no different,” says Snyder. “C-suite leaders have different vulnerabilities and access to information than other employees. Training and preparation should reflect those differences.”
This article originally appeared on Aon’s “The One Brief”. This blog post is sponsored by Aon. For more information, please visit https://www.aon.com.