Global organisations, governments and people have been facing a ‘cybercrime pandemic’ over the past year, triggered by the widespread remote working that Covid-19 induced. Large and small companies alike have had to redefine their strategies for greater resilience, and build and upgrade their cybersecurity capabilities. IT and security teams have been working around the clock, mobilising resources and technology to counter growing threats and defend the enterprise.
At the same time, cybercriminals continue to scout for new avenues and ways to attack. One major reason for gaps in security is that companies may not have adequate control over their employees’ or third parties’ activities during remote or hybrid working. But this is not all. Another emerging attack surface is the C-suite. A company’s exposure can grow significantly because its C-suite executives, particularly the CEO, may be well protected at work but can be compromised outside the physical workplace.
A risky trail to tread
A chain is only as strong as its weakest link — and in cyber and information security, these weak links often turn out to be lucrative targets for cybercriminals. Spoofing, phishing, whaling, spyware, malware and ransomware attacks targeting corporate honchos are not new, but the trend has seen an uptick amid remote working during the pandemic. Management oversight and sign-off to build a rock-solid cybersecurity infrastructure are essential.
At the same time, protecting the digital lives of management, especially CEOs and promoters, is critical. There is a pressing need for greater vigilance over, and governance of, company leaders’ digital habits across their professional and personal lives. Any breach or compromise must be contained early, so that it does not become a security liability for the company or endanger its extended networks.
Social media ‘threat’
The expansive world of social media is another potential risk. According to an EY survey, 52 per cent of the respondents in India stated that risks arising from social media have risen in the past year. Social media has become an indispensable element of everyone’s lives, and a popular medium to connect, engage and opine on personal and professional subjects.
Unsurprisingly, these platforms are exploited ruthlessly by cybercriminals to target unsuspecting users through malicious ads, fake sites and plug-ins. A compromised personal account or device brings threat actors a step closer to company networks and raises the risk of unauthorised access or a breach.
While tools such as virtual private networks (VPN), endpoint protection, firewalls and others may keep the C-suite safe when they use company devices, they may not cover personal devices, personal email accounts or social media. In some companies, security standard operating procedures (SOPs) apply to all personnel except the C-suite, the CEO or promoter. For cybercriminals and other online miscreants, it can be far easier to breach home networks and personal devices than to strike the sophisticated cyber infrastructure that companies have in place.
CEO fraud is another devious way in which management is exposed to cyber risk. Threat actors impersonate a C-suite executive through social engineering, appear legitimate, gain employees’ trust and persuade them to transfer large sums. This kind of fraud can not only tarnish the company’s reputation but may also lead to sensitive personal or business information (including confidential details, trade secrets or intellectual property) being leaked. The information can then be sold on the dark web, purchased with untraceable cryptocurrencies and in turn fuel further attacks on the company.
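As an added example, not part of the original article, the following Python check shows the kind of rule a mail gateway or SOC can run to catch the impersonation pattern described above: a message whose display name matches an executive on a roster while the address is not the executive’s mailbox, a sender domain that merely looks like the corporate domain, or a Reply-To header that diverts replies to a third-party address. The corporate domain, the executive roster and the sample messages are all constructed for this illustration; the three rules are this example’s own assumptions about what is worth flagging, not a method the article describes.

```python
"""
Detection rule for CEO-fraud style impersonation in inbound email.
Added example; the roster, domains and messages below are constructed.
Flags:
  1. display name matches an executive but the address is not the roster mailbox
  2. sender domain is a lookalike of the corporate domain
  3. Reply-To points to a different domain than the From address
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate domain (constructed)

# Constructed executive roster: display name -> legitimate mailbox
ROSTER = [
    ("Asha Rao", "asha.rao@example-corp.com"),
    ("Rahul Mehta", "rahul.mehta@example-corp.com"),
]


def normalise(name: str) -> str:
    """Lower-case and sort name tokens so 'Rao, Asha' and 'Asha Rao' compare equal."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


EXECUTIVES = {normalise(n): m.lower() for n, m in ROSTER}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str = CORPORATE_DOMAIN, threshold: float = 0.8) -> bool:
    """A foreign domain is a lookalike when its first label is the corporate
    name under another TLD, or a near match (swapped/dropped letters)."""
    if domain == legit:
        return False
    base, legit_base = domain.split(".")[0], legit.split(".")[0]
    if base == legit_base:
        return True  # e.g. example-corp.co
    return SequenceMatcher(None, base, legit_base).ratio() >= threshold


def analyse(raw_message: str) -> list:
    """Return a list of findings (strings) for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(from_addr)
    findings = []

    key = normalise(from_name)
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{from_name}' matches an executive but address is {from_addr}")
    if sender_domain and is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain {sender_domain}")
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies away from {from_addr}")
    return findings


# Constructed sample messages (headers only matter for these rules)
SAMPLE_MESSAGES = {
    "legit": "From: Asha Rao <asha.rao@example-corp.com>\nSubject: Board pack\n\nSee attached.\n",
    "freemail": '\n'.join([
        'From: "Rao, Asha" <asha.rao.ceo@webmail.test>',
        "Reply-To: asha.rao.ceo@webmail.test",
        "Subject: Quick question", "", "Are you free for a call?", ""]),
    "lookalike": "From: Rahul Mehta <rahul.mehta@exarnple-corp.com>\nSubject: Invoice\n\nPlease review.\n",
    "reply_to": "From: Rahul Mehta <rahul.mehta@example-corp.com>\nReply-To: rahul.mehta@webmail.test\nSubject: Vendor\n\nDetails to follow.\n",
}


def scan_all() -> dict:
    return {label: analyse(raw) for label, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(label, "->", findings or "clean")
```

The roster comparison is deliberately tolerant of "Last, First" ordering because impersonators copy the name exactly as it appears in the directory; the lookalike threshold of 0.8 is a starting point to tune against the organisation’s real domain list, and a production rule would also consult SPF/DKIM results rather than trusting the From header alone.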
A cyber stronghold for the C-suite
CISOs, IT and security leaders are increasingly tasked with protecting business leaders and top management in addition to strengthening the company’s security. With the lines between professional and personal lives becoming hazier, it is no longer enough for CISOs and their teams to safeguard the company networks and devices and call it a day.
The present landscape may make it seem that businesses face overwhelming and unavoidable risks, but it is not all doom and gloom. Companies can explore a three-pronged strategy to protect CEOs, promoters and management, extending to their personal networks.
Building digital security: The first step is to impart cyber literacy to all leaders, emphasising the security of their networks, diligent management of their digital habits and conformity with leading cyber practices and guidelines. CEOs should be advised to limit the number of devices they use, and all of those devices should be brought under the same security umbrella as the rest of the company. This should cover the fundamentals of regularly changing passwords, installing anti-virus software and avoiding insecure websites, and extend to encryption, security audits and diagnostic scans.
Expanding physical security: Corporate espionage is a harsh reality and the C-suite should be exceedingly careful about this threat. Robust safeguards should be instituted through counter-surveillance measures to detect, locate and remove ‘bugs’: eavesdropping devices, trackers and concealed audio and video receivers. There should be a deeper focus on discovering and removing physical and electronic security risks.
Revisiting people security: In addition to the C-suite, companies should cover all ground, including those who work closely with the leaders at the workplace as well as at home. Periodic background checks of those with access to sensitive company information are vital, including due diligence on incoming senior executives. Threats should be nipped in the bud, with due diligence extended even to household staff. A cautious approach can not only mitigate untoward incidents but also foster trust and confidence.
Organisational working cultures and styles have undergone a metamorphosis over the last year and a half. One of the most significant changes has been the overlap between personal and professional lives. For convenience and comfort, business executives, including those at the top of the corporate ladder, often disregard good cyber practice. Personal devices may be used for work, official devices used by family members, workplaces left unsupervised and cybersecurity discipline allowed to lapse, exposing the entire company to vulnerabilities.
In today’s world, securing the digital life of a CEO has become as necessary as securing company infrastructure and networks. CISOs and their security teams should extend the scope of protection beyond company-owned devices, and pay closer attention to digital, physical and people security when shielding the C-suite.
The writer is Global Markets and India Leader, Forensic & Integrity Services, EY