There is growing evidence that cyber attacks are now deliberately targeting executives and board members – not businesses themselves – which shows that attackers believe this group is particularly vulnerable as well as valuable.
More must be done to raise awareness of potential cyber threats at the board level, as well as supporting businesses in developing a strategy that offers solutions to combat potential weaknesses in a company.
Typically, hackers attack companies and their employees to steal credentials before either selling this information on the dark web or using it to further compromise a company. However, there has been a recent shift, with more attacks aiming for the big fish in the company pond (hence their name: phishing).
Ideal targets are the c-suite and board members who not only have greater access within a company but are privy to valuable company secrets. On top of that, many sit across multiple business boards and have a network of valuable and influential contacts. Thanks to this, executives working in sectors such as finance, insurance and legal present the most tempting targets.
By using basic stolen credentials as leverage, attackers are tricking company executives into allowing access to key company information, ranging from upcoming mergers and acquisitions to board meeting minutes. This shows that businesses need to prioritize a cybersecurity strategy that caters for all potential targets of cyber attacks and ensure that when it comes to training, no groups are neglected.
In addition to attacks becoming much more narrowly targeted against key senior personnel, phishing attacks are becoming increasingly sophisticated, making them even more difficult to spot. Savvy hackers are increasingly tailoring their attacks towards untrained business executives through clever misuse of external websites – from the classic “card payment failed” emails to Doodle polls.
With many employees and senior executives struggling to differentiate between legitimate business communications and these spear phishing attacks, there is a significant risk that personal and company details will be handed to the hackers. From an attacker’s point of view, the great thing about successfully phishing a senior executive is that you get access to their address book, full of contacts of other senior targets as well.
The lack of awareness around these rapidly changing and evolving attacks obviously poses a very serious risk to companies. A small phishing attack on one employee’s email can quickly spiral, potentially resulting in a massive financial loss, significant data breach or severely affected business operations.
Companies must also be aware of the potential effects on their relationships with clients or customers. Although there is a change in perceptions, with customers and clients increasingly viewing large-scale breaches as part of the “cost of business” of internet convenience, consumer-facing businesses are now being judged on how they respond to breaches.
While customer attitudes have changed, business-to-business (B2B) organizations are not so lucky. We are not going to stop booking our holidays at fancy Marriott hotels or using our Playstations, but who would take legal advice from a law firm that has been hacked and tricked into transferring millions of pounds? Who would buy components from a supplier that was found to be inadvertently shipping malware?
This changing nature of the risk these businesses face is often unrecognized, which is why understanding where business is today – followed by threat modeling – can deliver a successful cyber strategy that improves a business’ ability to identify and respond to attacks and breaches.
Company executives and boards need to be involved and supported in gaining an awareness of the relevant risks they face. We have all seen the “Russian hackers in hoodies” headlines, but in reality, it’s a busy executive clicking on an email from someone’s PA – not a nation-state – that leads to the most costly breaches.
Employees – and that includes the c-suite – are key elements of a company’s defense. While staff usually undergo regular security training, executives and board members are not typically included – which is a critical mistake, and the first thing we should always try to address.
Until we see more training and education aimed at the unique needs of company boards and c-suite executives, we will continue to see avoidable security incidents causing big headaches for business leadership.