Research on Cybersecurity repeatedly shows that a company’s biggest asset is also their biggest risk, their employees. Companies are more susceptible and more likely to be attacked internally by an employee, whether malicious or accidental, than by a hacker outside the company. Furthermore, a company’s CEO and other C-suite executives are the biggest targets for hackers, which has led to a new term in cybersecurity – whaling. A whaling attack is a phishing attack or scam that targets a “big fish”, a company’s executive. (Phishing is the attempt to obtain sensitive information such as usernames, passwords, and financial records, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.)
A few recent, high-profile cyber-attacks involving company CEOs and executives include a hacker spoofing a Fortune 500 CEO and requesting Human Resources send him every W-2 from the past 5 years for thousands of employees, another hacker spoofing a CEO and requesting the CFO wire millions of dollars to an offshore account, and a hacker spoofing an IT department requesting employees to click a link to update a core application and asking them to enter their username and password to ensure authenticity.
With each of these cyber-attacks, the hacker didn’t penetrate a company’s network or even use a virus. The hackers researched their potential victims and used the information they found to manipulate someone at the victim’s company, which is known as social engineering.
Why Your C-Suite is a High Risk for Phishing Scams:
- Easy to Spoof – Hackers can find the name of the CEO of nearly every company on Earth making it easy to create an alias to send spoof emails, texts, and other correspondences pretending to be the CEO.
- People Don’t Question Higher Ups – In most companies, when a CEO or other executive asks for something, the employees don’t question the request. Employees become lemmings and do as their told, and in many cases, they drop what they’re doing and immediately send sensitive data to a hacker spoofing the CEO or CFO without questioning the authenticity of the request.
- Access to Sensitive Data – While most employees have limited access to a company’s data through file permissions, most executives, especially the CEO and CFO, have access to everything. This access makes them a great target for hackers, which is why they call it whaling instead of just phishing.
- Mobile Workplace – Most executives are glued to their mobile devices between meetings and while in transit, meaning they are outside the protection of the company’s physical firewalls and other security measures. Additionally, if they use more than one mobile device (business and personal), data tends to leak from one to another accidentally and their personal device may not be as secure as necessary.
- Global Traveler – For many companies, the CEO is the face of the company, and are at every important event, meeting, and conference, whether it be across town or across the globe, so blocking inbound web traffic and emails from countries like Russia or China isn’t possible.
- Odd Hours – Most executives do not “unplug” when out of the office, so it isn’t uncommon for them to send emails at 2 am. Additionally, world travel means they are in a different time zone, further skewing any potential red flags that most employees would have with an email sent from their executive at an odd time.
- Unsecure Wi-Fi – Because many CEOs spend more time out of the office than at their office, they access different public Wi-Fi hot spots such as at airports, hotels, and coffee shops. A 2017 report by iPass found that 42% of coffee shop connections are unsecure and risky to utilize.
I don’t know of a company that can remove all the associated risks from having executives and employees because they wouldn’t be a company without those people. However, a good IT team can help minimize those risks.
How to Reduce Your Risk of a Social Engineered Cyber-Attack:
- Employee Awareness – The best thing you can do to protect your company is to shore up the biggest vulnerability, your employees. Start with a cybersecurity awareness training that educates your team about the dangers of cyber-attacks and likely methods hackers use to deceive them, red flags to look for, and how to protect themselves and the company. (I say, “protect themselves” because hackers also phish personal emails posing as credit card companies and banks to steal personal identities.) Some cybersecurity experts are calling these trained employees the “Human Firewall” because they block hackers from accessing your data much like a firewall does for your network. Don’t let your executives skip this training either; remember they are your biggest risk.
- Review & Improve Your Cybersecurity – Besides having a “Human Firewall”, review your other cybersecurity protections like your firewall, monitoring, spam filtering, web filtering, backups, patch management, and other systems. Additionally, review your physical security protection such as alarms, access control systems, and even locks on your doors. This review should include how you protect your data onsite such as securing your server behind a locked door. (You’d be surprised how often a server is left out in the open.)
- Tighten Company Policies & Procedures – With spoofing, hackers can bypass your cybersecurity protection because they are not penetrating your network or installing a virus, so you need to have company protocols in place to ensure all requests for sensitive data are legit. Something as simple as a code word can prove the authenticity of a request. Take that a step further and require a secondary authentication such as text or phone call to the CEO makes it easier to identify potential fake requests. Just recently a bank approved a faux money transfer for over $500,000 from one of our clients. The bank did not verify the transaction and fell for the hacker’s request because he spoofed our client’s email address. In the end, the bank’s cyber-risk insurance policy had to cover the damages. This could have been prevented if the employee would have looked at the email address of the sender, double-checked the employee’s name, or called our client.
- Test Employees Periodically – Just like a fire drill, you need to practice what you’ve learned in training, so we suggest testing employees by sending them simulated phishing emails to see who clicks and who responds. These tests provide you metrics on the effectiveness of your cybersecurity awareness training. We’ve seen companies reduce their likelihood of failing for a phishing scam go from 25% down to 4% in just a few months because we’ve increased everyone’s awareness. Now, instead of clicking on the links, users are reporting suspicious emails. That reduction means the company has less risk!
- Require Cybersecurity from Vendors & Contractors – Besides training your employees and shoring up your own cybersecurity efforts, you need to require the same level of security from your vendors. In healthcare, HIPAA requires all vendors (known as Business Associates) to be HIPAA compliant as well as the medical practice and hospital. This requirement to vendors reduces the healthcare provider’s risk because each company meets a certain level of data protection. We suggest all companies, regardless of their industry, have similar cybersecurity and data protection requirements for their vendors.
- Assessments & Audits – Besides testing your employees with simulated phishing scams, test your company’s own cybersecurity efforts with periodic assessments and audits of your protections and company policies.
A good IT firm can help your company by performing a cybersecurity assessment and making recommendations to shore up your cybersecurity protections, which should include both technology (firewalls, email filtering, etc.) and human aspects (awareness training and policy review). Ongoing, a good IT firm will continually improve your cybersecurity protection and make suggestions to implement efforts to reduce your risk of a cyber-attack.