A guide to executive cyber security protection

Author: Phil Muncaster

Cyber risk was ranked as the No. 1 organizational threat by global CEOs according to a 2021 KPMG survey. Yet many executives may not realize just how close to home this threat is, as awareness of the risks of cyber attacks may not translate into increased resources or better cyber hygiene. Executive cyber security protection needs to balance the unique risk profile and elite working practices of the C-suite, particularly around security fundamentals. Cyber security for executives should be specifically tailored to help protect them, with the aim of creating a more engaged and cyber-aware C-suite.

Security breaches and the impact to the organization

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches involved the human element, including social attacks, errors and misuse. The ultimate goal of security programs is to reduce business risk, minimize financial and reputational damage, and enhance competitive advantage. What C-level executive wouldn't want those things?

However, half (49%) of C-level executives reported that they've requested to bypass one or more security measures over the past year. Another study claims that only 38% of business decision-makers think their C-suite fully understands cyber risk. This attitude may partly explain why so many executives themselves represent a growing risk to the organization. 

Why are executives targeted?

Executives are targeted for several reasons, chiefly because:

  • They have privileged access to highly sensitive corporate and customer data.
  • They wield significant power in the organization, which means they can be spoofed for a big impact.
  • They possess a larger public profile, providing more information to build a credible spoofing operation.
  • They frequently travel to regions where they may be more exposed to attacks.
  • They are a potentially big payout if compromised.

What are the top threats executives face?

C-suite executives are therefore very much in the crosshairs of threat actors, making executive cyber security protection essential. Major threats include:

Business email compromise (BEC)

Also known as "whaling" or "CEO fraud," these fraud schemes target the C-suite. Hackers typically hijack an executive's email account through a phishing attack and then send an email to a member of the finance team requesting an urgent wire transfer of funds. There are various versions of these attacks, but they all rely on social engineering and leveraging the executive's authority to persuade the recipient to act without thinking. BEC attacks made fraudsters nearly $2.4 billion in 2021. 

Phishing

According to the 2022 DBIR, about two-thirds (66%) of breaches involved phishing, stolen credentials and/or ransomware. More traditional phishing emails are also a threat, particularly as executives work in a fast-paced, decision-driven environment, which can lead to overlooking spelling errors, unusual sender domains and other telltale signs of impersonation fraud. Personal assistants, rather than the executives themselves, may be the ones who check inboxes and reply to emails. Unsurprisingly, C-suite executives' credentials are highly sought after, potentially unlocking the door to sensitive legal, financial and other corporate information. This information could be held to ransom, sold to competitors or even used to commit securities fraud.
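The BEC and phishing sections above list the telltale signs of executive impersonation: a display name that matches an executive but a sender address that does not, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and pressure language such as "urgent wire transfer". The following script is an added example, not code from Verizon or the article's author, showing how a mail gateway or SOC triage tool can score those indicators on inbound mail. The corporate domain (example-corp.com), the executive roster and the three sample messages are all constructed for the demonstration.

```python
"""Flag executive-impersonation indicators in email headers and body text.

Added example; corporate domain, executive roster and sample messages are constructed.
"""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                       # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumed roster: display name -> real mailbox
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|asap|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (e.g. a digit 0 for the letter o)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(msg: dict) -> list:
    """Return a list of human-readable indicators for one message.

    msg keys: "from" (required), "reply_to" (optional), "subject", "body".
    """
    name, addr = parseaddr(msg["from"])
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name claims to be an executive, but the mailbox is not the executive's real one.
    norm_name = " ".join(name.lower().split())
    if norm_name in EXECUTIVES and addr.lower() != EXECUTIVES[norm_name]:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Sender domain is a near-miss of the corporate domain (typosquat / homoglyph).
    if from_dom and from_dom != CORP_DOMAIN:
        dist = levenshtein(from_dom, CORP_DOMAIN)
        if 0 < dist <= 2:
            findings.append(f"sender domain {from_dom} is a look-alike of {CORP_DOMAIN} (edit distance {dist})")

    # 3. Reply-To diverts the conversation to a different domain than the visible sender.
    reply_to = msg.get("reply_to")
    if reply_to:
        _, raddr = parseaddr(reply_to)
        if domain_of(raddr) != from_dom:
            findings.append(f"Reply-To domain {domain_of(raddr)} differs from sender domain {from_dom}")

    # 4. Pressure language typical of wire-fraud lures.
    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one legitimate, one classic BEC lure, one "personal account" pretext.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example-corp.com>",
     "subject": "Board deck", "body": "Please review the Q3 deck before Thursday."},
    {"from": "Jane Doe <jane.doe@example-c0rp.com>",
     "reply_to": "jane.doe.private@webmail.example",
     "subject": "Urgent wire transfer request",
     "body": "I need you to process this immediately. Keep it confidential."},
    {"from": "Jane Doe <jane.doe@gmail.example>",
     "subject": "Quick favour", "body": "Can you send me the supplier list? Thanks."},
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(f"message {i}: {analyse(sample) or 'no indicators'}")
```

In practice the roster and corporate domain come from the directory, the look-alike check is run against every domain the organization owns, and a message hitting two or more indicators is a strong candidate for quarantine plus an out-of-band phone call to the named executive before any payment is actioned.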

EY claims senior executives' and board members' personal data is "bread and butter" for cyber criminals.

Deepfake fraud

Convincing artificial intelligence-powered fakes imitating audio or video could also be used to trick time-poor executives into making bad decisions. One case saw a British CEO tricked into wiring $243,000 to scammers after they impersonated his boss's voice over the phone.

Exploitation of vulnerable devices/software/networks

High stress levels, little downtime and/or a general apathy toward best practices when it comes to cyber security for executives may also mean that executives don't keep their personal technology systems patched and secure. This could leave them exposed to vulnerability exploitation through phishing or other vectors. Last year, the ransomware group Clop was reportedly targeting executives' workstations to steal sensitive data. Alternatively, hackers could target family members.

Third-party cyber security risk?

It's not always the executives themselves that are to blame. Security vendor BlackCloak identifies a potentially unmanaged risk in the form of third-party data brokers, who can become unwitting allies to cyber criminals. It brands data broker websites "akin to Walmart for hackers," posing challenges to executive cyber security protection. 

The research reveals that:

  • 99% of executives have their personal information listed on over three dozen online data broker websites.
  • 70% of executive profiles on these sites contained personal social media information and photos, scraped from sites like LinkedIn and Facebook.
  • 40% of online data brokers had an executive's home network IP address, which could help actors craft eavesdropping attacks.
  • 95% of executive profiles contained personal and confidential information about family members and neighbors.

While the threat is certainly greatest from the cyber crime community, intrusions from state-backed actors can't be ruled out, especially if targeted companies are deemed strategically important to governments. The threat from nation states has arguably increased since the start of Russia's war in Ukraine. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to adopt a heightened security posture.

Why do you need executive cyber security protection?

Targeting a C-suite leader may get hackers where they need to go faster, but ultimately the impact will be similar to any serious security breach and should reinforce the need for enhanced cyber security for executives. According to Dark Reading, “the Cost of Data Breach Report 2022 report, based on a survey of executives and security professionals at 550 companies, says the average cost of a data breach continued to rise in 2022, reaching an average of $4.4 million globally (up 13% since 2020) and $9.4 million in the United States.”

Some or all of the following may apply following a security breach:

  • Legal costs (especially if customers launch a class action suit)
  • Regulatory fines
  • Lost productivity
  • IT overtime
  • Third-party forensics fees
  • Damaged reputation
  • Job losses for the C-suite

Many C-suite executives have stepped down or were fired following serious incidents. And it's not always only the cyber security executive in charge who goes. For example, in 2017, Equifax’s chief security officer and chief information officer departed after a data breach that exposed the Social Security numbers of approximately 143 million people. A few months later the CEO also resigned. And it’s not only breaches that precipitate job losses. The CEO of Austrian aerospace manufacturer FACC was fired after a business email compromise (BEC) attack that occurred on his watch.

What should cyber security for executives look like?

Organizations can enhance their executive cyber security protection on several fronts by:

  • Providing executives and organizations with security awareness education: Short bursts of 10-15 minute lessons, featuring real-life simulations of common phishing attacks, can work best to hold executives' attention. These lessons should be tailored to executive-specific threats and run regularly.
  • Reminding executives of the impact of breaches: Any discussion of potential threats should be framed in the language of the business. That could mean explaining the financial and reputational cost of serious compromise. Sharing historic examples of breached companies that got things wrong can help focus the C-suite's attention.
  • Altering corporate reporting structure: Ensure the chief information security officer has a seat at the top table and reports directly to the CEO to provide more cyber security exposure for the C-suite.
  • Formalizing the cyber security program: Align security more closely to the business and its leaders through established key performance indicators and metrics. CISA offers a guide to the key questions CEOs should be asking.
  • Updating the C-suite regularly: The threat landscape moves at a staggering pace. Regular updates on the latest threat intelligence are essential to keep the C-suite informed and engaged. Always focus on business-centric metrics and contextualized dashboards to keep their attention and ensure funds flow to the right areas.
  • Understanding the risks: Learn the risks most relevant to your organization based on an analysis of the surface, deep and dark webs. Better threat intelligence can give you an edge by enabling proactive detection and response to threats.
  • Training the whole C-suite on how to react to a cyber attack: Executive Breach Attack Simulations (BAS) rehearse the response before a real incident occurs.

IDC believes that BAS gives enterprises a robust set of features and functionality that not only help validate the effectiveness of the security controls put in place but also enable a more proactive approach to cyber defense by utilizing automation. This has become a common theme in security services, where the goal of becoming cyber resilient is predicated on the ability to continuously monitor the environment for threats in a proactive way and accelerate the time to remediate issues in order to minimize the impact to the business. Subsequently, we believe that BAS will become an important component of an enterprise's cyber defense strategy.

Executive cyber security protection is only one part of the company-wide security strategy, but an important one. By creating a culture that arms the C-suite with an understanding of the latest security risks and proactive measures, you can enhance cyber security for executives and help to drive a more coherent long-term security strategy. Because after all, cyber risk is business risk.

Verizon can help you understand how your organization stacks up against threats. Get an objective assessment of your cyber security controls.

The author of this content is a paid contributor for Verizon.