“My C-level doesn’t understand that they’re being directly targeted – help me scare them!”
Such was the request aimed at one of my colleagues at a cybersecurity conference not too long ago. Being in the security awareness industry, it’s not uncommon for others to solicit our feedback on how best to educate employees of all stripes. The appeal above, from a woman responsible for training at her organization, stuck with me, though.
Indeed, executives should be scared. CEOs and other executives represent some of the most attractive targets for cybercriminals, who seek sensitive data to sell on the black market.
Think of them as the ultimate privileged user for a given organization; individuals with the highest level of access and knowledge about company networks and infrastructure. Not only do they have the keys to the kingdom, so to speak; executives often have immense pressures on their time and resources, making distraction an inevitability.
A 2016 survey commissioned by document management company Iron Mountain found that half of managing directors and C-level executives have used a personal email account to send sensitive business information. Additionally, the report found that 40% have sent information over an unsecured wireless network. There’s no way to know if such actions were accidental or deliberate, but either way, they pose a risk to an organization’s sensitive data and finances.
To BEC, or Not BEC
The rise of the so-called business email compromise (BEC) scam is further proof of how valuable C-suite members can be to industrious cybercriminals. BEC attacks take advantage of a compromised email account or spoofed address to request funds transfers or sensitive employee information.
The FBI says BEC scams were the most expensive type of cybercrime reported to their Internet Crime Complaint Center in 2016, amounting to $360 million lost last year. Security firm Proofpoint reported a 45% increase in BEC attacks in the last three months of 2016 compared to the previous three.
The Proofpoint researchers found that two-thirds of the BEC attacks they analyzed involved spoofed email addresses. This means that scam emails looked as though they were coming from within the company itself.
BEC attacks involving members of the C-suite really have two victims: the compromised executive and the unwitting employee. These attacks stem from two main methods on the part of the cybercriminal.
One, a malicious hacker compromises an executive’s email account via phishing or some other means and sends emails to lower-level employees requesting financials or W-2 information. Two, a cybercriminal gleans enough information about a given executive via social media and other avenues to craft a convincing email from a spoofed email address.
In either scenario, the scammer’s job was made possible (at the very least, easier) after successfully targeting an executive in cyberspace.
What About Security Awareness Training?
With this much at stake, an organization’s executives cannot afford to be caught unaware by cybercriminals. Technical safeguards, especially in the email realm, have their uses, but none can take the place of a well-informed user.
But an executive should not be exposed to any old security awareness training. Taking best practices—such as interactivity, repetition and varied delivery—as givens, here are some other tips to consider when purchasing or building security awareness content aimed at your C-Suite:
1. Make it About Risk
Executives live in a world of risk management where the pros and cons of every business decision are scrutinized. A good idea is something that’s good for the company as a whole and the bottom line.
When it comes to infosec know-how, the benefits must be couched in terms of managing cyber-risk. That is, what’s at stake if a cybercriminal successfully mounts a successful phishing campaign or if sensitive client information is accidentally disclosed.
These scenarios will prove huge blows to an organization in a variety of ways. Corporate reputation will sink, not to mention the fines and possibly millions of dollars in lost revenue that could accompany a data breach. Impacts like these need to be made loud and clear as part of any executive security awareness training approach.
2. Varied is Best
Phishing attacks aimed at executives are becoming more and more commonplace but they are far from the only infosec-related threat facing the C-suite. As data from the Iron Mountain survey referenced above suggests, executives may be prone to poor cybersecurity hygiene while working out of office. A CEO transferring sensitive company data via an unsecured wireless connection can grant a cybercriminal the same access as a successful phishing attempt.
Additionally, much can be put at risk by an executive taking to Twitter or Facebook in a, let’s say, inappropriate manner. Corporate reputation, again, could unnecessarily be put at risk. But so could a company’s intellectual property if a CEO spills the beans about an upcoming product launch too early.
This varied threat landscape demands broad training content that covers a variety of infosec topics. All your organization’s eggs should not be put in the same security awareness basket.
3. Speak to Them as Leaders
Executives, and CEOs specifically, are the bridge crew and commanders of their corporate ships. Their employees look to them to set the tone and standard for what’s acceptable and what’s important at their organization.
Executives know this, or at least they should, and hopefully take their roles as leaders seriously. Putting security awareness training in the context of setting an example to their employees will ideally drive home its importance even more.
Make it clear to your C-suite that avoiding bold, screaming headlines about data breaches and compromised information starts with them embracing good cybersecurity habits.
Cybersecure from the Top Down
It’s often said that cybersecurity starts at the top. The same should be true for security awareness.
Focusing on strong cybersecurity knowledge for your C-suite will likely have the added bonus of planting a seed of a security-aware culture at your organization. By taking the initiative to engage in training designed for them, leaders can foster such a culture while equipping themselves against cyberthreats.
So, scare them if you have to! Your organization will be better for it.
About the Author: Jeremy Schwartz is a professional writer in the security awareness industry with a passion for nature and birds. He graduated from Western Washington University with a Bachelor’s in journalism and minors in philosophy and Latin. In a previous life, Jeremy worked as a reporter for a small weekly, then slightly larger daily, newspaper. In his downtime, he enjoys birdwatching, writing haiku, and spending time with his lovely wife.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.