How to mitigate C-Suite cyber risks

by Mark Rowe

Cybercriminals are adept at exploiting any opportunity to launch and complete their attacks. In particular, they will take advantage of the identities and actions of C-level leaders in organisations to find a way into the network and move laterally to attain their goals, writes Ilia Sotnikov, Security Strategist at the data security product company Netwrix.

While IT and security teams keep an eye on the whole IT infrastructure, senior leaders can play a major role in keeping their workplace safe simply by setting an example of responsible behaviour and encouraging open communication.

How the C-suite can be exploited for cyberattacks

Cybercriminals have long recognised the opportunity of scams that use the identities of senior-level figures. For example, some years ago, hackers spoofed the email address of the new CEO at a global corporation and asked a finance team member to transfer funds to an account. The nature of the request was not suspicious and the scammers had done their homework to make it appear legitimate, so the recipient complied.

The accounts of C-level leaders are enticing targets for scams like this because communications sent in their name are rarely ignored. Employees are likely to open emails they believe to be from their superiors and will feel obliged to follow their instructions. Indeed, they will be eager to be helpful, efficient and responsive, which attackers exploit by framing the phishing email as urgent.

When put under pressure to act quickly for an executive, even well-intentioned employees may go against their instincts and training and proceed without contacting their manager or another senior party to verify the request. Some recipients may not even think to challenge the request at all. For example, an IT helpdesk technician who receives an email from the CEO asking for admin rights to install an application might simply comply without considering the risk.

Talk the talk: actions for C-level leaders

As a first step in combatting this serious threat, senior leaders should remind everyone on a regular basis that all suspicious communications and unusual actions need to be investigated, no matter what account they seem to be from. By emphasising to everyone that it is not just OK but actually imperative to verify requests before complying with them, they can preempt the pressure that employees naturally feel to act quickly on C-level requests.

In addition, all executives should speak regularly with the CISO about cybersecurity to stay informed. They should keep the topic at the forefront of leadership conversations — not just deliberations that directly concern security but all C-suite discussions that have cybersecurity implications.

Walk the walk: C-level support for IT action

C-level leaders must also demonstrate their personal commitment to learning and following cybersecurity best practices. To begin with, they must take part openly in cybersecurity training, both to gain knowledge themselves and to set an example to the whole organisation. If they fall victim to a simulated phishing test, they should acknowledge it and willingly undergo remediation training like any other team member.

Senior leaders should also support their IT teams in implementing security for the C-suite. This starts with basic security measures, such as requiring multifactor authentication (MFA) for all executive accounts.

More broadly, they should insist upon strict enforcement of the least-privilege principle for their own accounts. This approach should include regular and thorough audits of C-suite access privileges. For example, a technology CEO might have access to the product code base because back when the company was a startup, they actually wrote code; the CEO should willingly give up this access now that it is not needed and serves only as a security risk.
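The two controls described above, MFA on every executive account and a periodic review that flags privileged entitlements an executive no longer exercises (such as the former-developer CEO's code-base access), can be expressed as a small access-review check. This is an added example, not Netwrix's or the author's code; the account records, the 90-day review window and the audit date are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Entitlement:
    name: str
    privileged: bool
    last_used: Optional[date]  # None means never exercised since it was granted


@dataclass
class Account:
    user: str
    role: str
    mfa_enabled: bool
    entitlements: List[Entitlement] = field(default_factory=list)


REVIEW_DATE = date(2024, 6, 1)        # constructed date of this access review
STALE_AFTER = timedelta(days=90)      # hypothetical window for "still needed"


def review_executive_access(accounts, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return (user, finding) pairs for each executive account that breaks one of
    two rules: MFA must be enabled, and no privileged entitlement may sit unused
    beyond the review window (least privilege, audited regularly)."""
    findings = []
    for acct in accounts:
        if not acct.mfa_enabled:
            findings.append((acct.user, "MFA not enabled"))
        for ent in acct.entitlements:
            if not ent.privileged:
                continue  # ordinary access is out of scope for this check
            if ent.last_used is None or today - ent.last_used > stale_after:
                findings.append((acct.user, f"stale privileged entitlement: {ent.name}"))
    return findings


# Constructed sample: the CEO still holds write access to the code base from the
# startup days; the CFO has a current, legitimately used payment privilege but no MFA.
SAMPLE_ACCOUNTS = [
    Account("ceo", "CEO", True, [
        Entitlement("email", False, date(2024, 5, 31)),
        Entitlement("repo-write", True, date(2019, 3, 12)),
    ]),
    Account("cfo", "CFO", False, [
        Entitlement("erp-approve-payments", True, date(2024, 5, 30)),
    ]),
]

if __name__ == "__main__":
    for user, finding in review_executive_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Run against a real identity source, the same logic would take its account and last-used data from the directory or IAM audit log rather than the embedded sample.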

The business benefits of proactive C-level cybersecurity

Cybersecurity is a shared responsibility among everyone in the organisation. However, because C-suite executives are a particularly enticing and valuable target for cybercriminals, they have a particular role to play in shoring up cyber defences.

By choosing to set an example through both their words and actions, the C-suite can reap significant benefits. Well-defended organisations are more likely to repel attempts to breach their defences. As a result, they reduce their risk of costly downtime, financial expenses, reputational damage and compliance penalties. Indeed, C-level leaders do their organisations a great service by acting to improve the cybersecurity culture and supporting IT teams in enforcing best practices for everyone.


© 2024 Professional Security Magazine. All rights reserved.
