James Legg, Chairman, Delinea
One of the most common misconceptions in the age of digital transformation is that cybersecurity has become a C-level conversation. This gives the impression that every executive team meeting focuses on (or at least discusses) cybersecurity. Fortunately, this is true of some companies and organizations, but they are in the minority.
While it is helpful to evaluate the overall cybersecurity posture and potential cyber risks threatening an organization, the risk to the executives themselves is often overlooked. When all roads lead to compromised identities as the leading cause of data breaches, business leaders are ripe for the hack.
But how easy is it to obtain or steal the combination of email address and password for a particular business executive? According to ZDNet, for as little as $100 to $1,500 it can be yours, sold in a closed section of Exploit.in, an underground online forum for Russian-speaking hackers.
Why would someone pay $1,500 for someone else’s credentials? C-level executives are the target of choice because their position often gives them privileged access that other employees don’t have. Their accounts can open the door to essentially every other facet of the business: staff, proprietary technology, customers, finance, and more. If that information is misused, the financial, reputational and operational losses can be disastrous.
That’s not just theoretical. In February 2020, Shark Tank investor Barbara Corcoran was cheated out of nearly $400,000 by a scammer using a fake renovation invoice. The Democratic National Committee and the Clinton Foundation lost a trove of sensitive documents to attackers posing as Gmail staff who asked them to reset their passwords. And in 2015 a 15-year-old British boy worked his way into the accounts of CIA Chief John Brennan, FBI Director Mark Giuliano and Secretary of Homeland Security Jeh Johnson, and is reported to have stolen sensitive government documents.
Emails that impersonate executives and demand wire transfers, password resets, company credit card requests and more are widely used by cyber criminals to steal money from companies. Protecting executives from account hijacking is therefore particularly crucial.
But it’s getting harder, and part of the reason is that executives themselves often bypass their company’s proprietary security protocols to get things done quickly. While good security typically requires a modest investment of time, sacrificing security for speed is a poor trade-off because it exposes users, the company, its partners and customers to a world of risk.
That’s because the credentials sold on Exploit.in are just the beginning. They don’t include the much larger stock of stolen information, such as credit card numbers, that is for sale on the Dark Web. Nor do they include the growing family of DIY information-stealing products, also available on the Dark Web. IT-Online, a news site for the IT industry, even publishes monthly rankings of malware families based on their use in attacks reported around the world.
For example, Azorult is a piece of malware popular among cyber criminals that “collects and exfiltrates stored passwords, browser login data, cookies, history, chat sessions, cryptocurrency wallet files, and screenshots,” according to Trustwave. It is a Trojan horse, a type of malware that gets onto a computer disguised as, or embedded in, a legitimate program. Azorult is actively traded on underground forums, but (and this is important) it cannot work unless it is let in.
That’s the good news: unless someone already has the keys, essentially none of this malware will work if it’s not allowed on the network. But preventing it from getting in isn’t just a matter of installing antivirus or firewall software, nor is it just a matter of IT.
It requires the active involvement of individual employees, especially business leaders. Here’s how every employee on the organization’s network can take steps to minimize the chance of malware getting through.
• Security training is essential, not only for employees with access to sensitive information but also for those in the executive suite. It should make employees aware of what phishing emails, spoofing and baiting attacks look like and how social engineering works, and then train staff on how to respond. There are companies that specialize in providing this type of training.
• Create more layers of security, such as multi-factor authentication that works in tandem with the organization’s firewalls, anti-virus and anti-malware protection. It is important to encourage best practices such as logging out of systems when they are not in use. The same goes for privileged access controls, which can automatically generate and store complex passwords, making it more difficult for attackers to crack them.
• Set up a message verification system. Employees need an independent way to verify the authenticity of suspicious-sounding requests. If those verification procedures are clear and cannot be circumvented without peer review, they will catch fraudulent requests.
• Never be afraid to ask for advice, whether from your own IT people or from others inside or outside the organization. Always help employees refer suspicious requests to the appropriate verification process.
• Participate in incident response simulations. Serious security incidents can happen in any organization, and executives need to be ready when they do. Exercises that simulate attacks can be extremely valuable.
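The two controls above that lend themselves to automation are spotting messages that impersonate an executive (spoofed display names, lookalike domains) and refusing to act on a high-risk request until it has been confirmed over an independent channel and reviewed by a second person. The following is an added illustration, not code from the article or from Delinea: the company domain, the executive directory, the messages and the small confusables table are all constructed for the example, and the `decide` gate is a hypothetical policy, not a product feature.

```python
"""Verification gate for executive-impersonation requests (constructed example).

Two controls from the article are modelled:
  1. flag messages that look like they come from an executive but do not
     (display-name spoofing, lookalike sender domains);
  2. hold any high-risk request (wire transfer, password reset, card request)
     until it has out-of-band confirmation AND a second approver who is not
     the person handling it. The handler cannot waive the hold.
All domains, names and messages are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical directory: executives and the only addresses they send from.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"ceo@example-corp.com": "Jane Doe", "cfo@example-corp.com": "Sam Lee"}
HIGH_RISK_KEYWORDS = ("wire transfer", "reset my password", "gift card", "new bank details")

# Deliberately small confusables table (digits and a few Cyrillic letters that
# render like Latin ones). A production check would use the full Unicode
# confusables list; this is enough to show the idea.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


@dataclass
class Message:
    display_name: str
    address: str
    subject: str
    body: str


@dataclass
class Verification:
    out_of_band_confirmed: bool = False      # e.g. call-back to a directory number
    approver: Optional[str] = None           # second person who reviewed the request


def _skeleton(label: str) -> str:
    """Collapse visually similar characters so lookalike domains compare equal."""
    s = label.lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def impersonation_indicators(msg: Message) -> List[str]:
    """Reasons a message looks like executive impersonation (empty list if none)."""
    reasons = []
    domain = msg.address.rpartition("@")[2].lower()
    if domain != COMPANY_DOMAIN and _skeleton(domain) == _skeleton(COMPANY_DOMAIN):
        reasons.append(f"lookalike sender domain: {domain}")
    if msg.display_name in EXECUTIVES.values() and msg.address.lower() not in EXECUTIVES:
        reasons.append("display name matches an executive but address is not theirs")
    return reasons


def is_high_risk(msg: Message) -> bool:
    """Requests of the kind the article describes as the usual fraud pretexts."""
    text = f"{msg.subject} {msg.body}".lower()
    return any(k in text for k in HIGH_RISK_KEYWORDS)


def decide(msg: Message, handler: str, verification: Verification) -> Tuple[str, List[str]]:
    """Return ("proceed" | "hold", reasons). A 'hold' is not overridable by the handler."""
    indicators = impersonation_indicators(msg)
    if indicators:
        return "hold", indicators            # never act on a spoofed sender
    if not is_high_risk(msg):
        return "proceed", []
    missing = []
    if not verification.out_of_band_confirmed:
        missing.append("no out-of-band confirmation")
    if verification.approver is None or verification.approver == handler:
        missing.append("second approver missing or same as handler")
    return ("hold", missing) if missing else ("proceed", [])


if __name__ == "__main__":
    # Constructed sample: a spoofed CEO request using a digit-for-letter domain.
    spoofed = Message("Jane Doe", "ceo@examp1e-corp.com", "Urgent", "Please arrange a wire transfer today.")
    print(decide(spoofed, handler="alice", verification=Verification()))
    # Genuine CFO request: held until call-back and a second reviewer exist.
    genuine = Message("Sam Lee", "cfo@example-corp.com", "Payment", "Please send the wire transfer.")
    print(decide(genuine, "alice", Verification()))
    print(decide(genuine, "alice", Verification(out_of_band_confirmed=True, approver="bob")))
```

The important design point is that `decide` returns "hold" from the policy itself rather than relying on the handler's judgement: the approver must be a different person from the handler, so a single rushed employee (or a single compromised executive account) cannot push a transfer through alone.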
Data breaches or ransomware attacks are not just an IT problem; they can jeopardize the survival of your business and require a strong business response. Boardrooms and executives must now focus on cybersecurity best practices to prevent future attacks and protect themselves.
If you’re a leader, lead by example and show that security is a top priority in your organization’s culture.