There is a rumor that I take cybersecurity so seriously I won’t open attachments from anyone, even my wife. I can confirm, this is true. Some call it paranoia, but most security professionals would call it a “best practice.” I call it a matter of personal responsibility. In this increasingly dangerous environment, people are the first line of defense against cybercriminals.
One of the most important things any leader can do today, regardless of industry, is foster and perpetuate a culture of cybersecurity. This means instilling daily practices and protocols that help raise the collective level of cybersecurity across the organization – including among its leadership. According to an analysis of our database of recaptured compromised credentials, C-level executives are just as likely to be exposed as lower-level employees.
If the tumult of the past two years taught us anything, it’s that businesses have a responsibility to empower everyone from the summer intern to the CEO to recognize threats and take basic measures to protect themselves and their companies.
Around 2018, cybersecurity news was littered with stories about highly targeted phishing attacks aimed at senior executives. Dubbed “whaling attacks” – in reference to C-suite employees being the “big fish” of an organization – the goal of these campaigns was to steal sensitive information such as financial data or personal details about employees. There was much to gain from targeting senior executives who have top-down access to all business operations. Whaling took on several forms, but CEO impersonation, a variation on business email compromise (BEC), was among the most popular scams. In these instances, cybercriminals steal executives’ email credentials so they can log into their accounts and send emails to lower-ranking employees with the authority to approve transactions or wire money.
These types of attacks are decreasing in frequency. In fact, research suggests non-executives are now targeted 77% more often. But just because attackers are focused on “smaller” fish doesn’t mean C-level executives are not still targets. As long as employees have top-down access to all business operations and high-ranking titles, they are at increased risk of targeted account takeover attempts and BEC fraud.
According to SpyCloud’s 2021 Credential Exposure Report, the number of credentials for Fortune 1000 C-level executives available to criminals is alarmingly high. According to our findings, out of a total of 133,927 executive credentials recovered, 39,328 of them (nearly 30%) were from the financial sector. On average, the hospitality sector has the most exposed executives per company: 320 per company, versus 243 per company in the financial sector. Last year, it was widely reported that one threat actor was selling passwords for the Office 365 and Microsoft email accounts of hundreds of C-level executives. The prices ranged from $100 to $1500 per account.
Talk the Talk, Walk the Walk
Cybersecurity is lagging behind the sophistication of attackers. However, criminals gaining access to an executive’s email because of poor password habits is typically the result of carelessness. Part of the challenge stems from the fact that cybersecurity has historically been viewed as an IT problem, rather than a discussion topic in boardrooms. In reality, cybersecurity encompasses risk management, finance, strategy, prioritization, and resource management, all of which places it firmly in executive territory.
Though it might not be the C-suite’s direct role to manage day-to-day security operations, it is every leader’s job to understand the risk and allocate the resources necessary to ensure a secure data environment. Moreover, security must be part of a broader corporate culture that encourages employees to make thoughtful decisions, both in the office and at home – and that culture starts with leadership. Reducing risk requires full cooperation and engagement at the executive level, even if certain measures such as allowing for greater scrutiny of work and personal accounts cause discomfort.
Board members must do more to spearhead these efforts. Today, less than 10% of organizations have a dedicated cybersecurity committee with stakeholders from across the business overseen by a qualified board member. A security culture is more than just cybersecurity awareness and a few mandatory training sessions. It requires everyone to understand the security risk and the processes deployed to avoid that risk.
A leader’s role is to ensure an organization functions at its highest levels for success. The risk of lax cybersecurity protocols for data, PII, and intellectual property could seriously damage business objectives, as could the negative impact of a breach or ransomware attack on financial integrity and brand reputation. A company’s board and executives have a fiduciary responsibility to their organizations, investors, and stakeholders, and the impact of a cyber incident could undermine that responsibility. In an ever-evolving digital landscape, that duty is no less important.
Executives are not required to understand every minute detail about their businesses – they have hired leaders and teams they trust for that. But we lead the way in sustaining a secure organization: knowing how secure the organization is currently, how we personally are securing company assets, how we expect other leaders to protect themselves and company assets, and what support we offer from the top to guarantee deep insight into risk and a plan to mitigate it. Ensuring executive teams and board members are educated and aware of security outcomes and investments is paramount to a successful cybersecurity culture. And if nothing else, we all need to be more careful with our credentials.