The executives of global or national corporations have been 2013’s celebrities. With CEO profiles being discussed in a similar fashion to sport VIPs or A-list actors in the media, we have also seen an increase in cyber crime targeting key executives.
Cyber criminals go where the money is, so when the paycheck of executives becomes the talk of the media, we see the snakes greedily planning their manoeuvres.
Executives are increasingly finding themselves subject to phishing and social engineering scams. Cyber criminals will focus on locating private email addresses or working out how to infect personal computers or company networks to siphon off information, place trackers or capture valuable data.
Other forms of threats include extortion, blackmail, death threats or defamation.
Most CEOs or high-profile executives can be easier targets because they are usually absent from the routine security training that now exists in most firms. Over 80% of breaches or threats result from common sense security protocols not being implemented by the executive or his/her immediate staff.
These can include:
- Not doing routine upgrades on personal machines
- Accepting or using random memory drives
- Not having apps verified by IT/security departments before installing on phones, tablets or computers
- Leaving an office unlocked or making it accessible
- Taking sensitive work home
- Using generic email addresses (Gmail, Hotmail, etc.) for work
- Not having the latest anti-virus or internet security software installed
- Giving low-level IT staff Super Admin access on company servers
- Not having a security filter installed on company emails
- Lack of proactive cyber scanning for threat chatter or discussion relating to the executive
- Using unverified cloud backup services
- Not using a shredder (old school trash digging is still done by serious adversaries)
- Using public Wi-Fi
- Never changing passwords or using passwords which are weak
- Not doing due diligence on vendors and giving them access
- Randomly clicking links on “alarming emails” or alerts (designed to make you click)
(This is by no means a complete list)
A Harvard Business Study showed that corporate security training seminars and programs will review the above, but the executive is the most likely to be missed or “inaccessible” during these. Some programs are oriented towards data protection and some are more technical, but security awareness has never been more vital than today. Belani, of Harvard’s Business Review, stated some obvious points:
“If they see a message that contains an emotional trigger, such as ‘Company XYZ is filing a lawsuit against your company. Please find attached the details,’ they’ll click.”
The Damage Has Already Been Done
It is now 2014 and one would be naive to think key executives have not already been targeted. A study from Norton showed that there is 3 times as much cyber crime as physical crime (car thefts, robberies, purse snatching, etc.). Cyber crime is subtle and hard to detect, so it operates quietly in the background while unsuspecting victims continue their daily lives.
This then leaves an additional problem. What is already out there on those executives? What data is being traded on the dark web or black market locations?
A recent study of VIP cyber breaches done by Massive showed that there is a vast amount of data being shared/sold on private individuals. We found the following on key executives after providing an in-depth internet scan:
- Personal information which could result in reputational damage and exposure
- Identity theft and impersonation
- Plots for extortion and blackmail
- Stolen personal financial information (credit cards and bank data)
- Information on their immediate family
- Stolen private photos and data to be sold to the media or competitors
- Strategies being discussed to target the executive
There are 2 programs you will see implemented at executive level this year. The first will be executive security awareness training and the next will be proactive monitoring of threats which may be out there and need to be shut down.
Perhaps this article should be titled, “How to survive as an executive in 2014”.