
Social engineering claims, along with the number and sophistication of attackers, have grown exponentially in recent years. Cybercriminal agendas range from political to economic to social. As attacks and attackers have matured, C-suite leaders and their teams are continually targeted in new and innovative ways.
To mitigate these risks, companies must plan around the individuals who are most at risk of attack, specifically those whom attackers can easily link to the company. Cybercriminals often target the most visible people within a company, primarily those in the C-suite and those who support and have access to them. Executives must be constantly proactive in promoting the importance of security to employees.
What Makes C-Suite Leaders Vulnerable?
C-suite leaders are often vulnerable for a number of reasons. They’re the face of the company and visible to the community physically and online. C-suite executives are decision makers on everything from partnerships to budgets, have the authority to approve large payables, and have comprehensive access within the organization. Lastly, these individuals are on the move. Their schedules are tight and direct reports are expected to get the job done with minimal guidance. Compromising C-suite credentials gives attackers key placement and access within an organization to perform reconnaissance, move laterally across networks and execute on their malicious objectives.
CFOs and their teams are particularly vulnerable. The complexity of their work, the number of direct reports, and the high visibility of their role (earnings calls, board meetings, M&A activity, etc.) create a unique opportunity for social engineering ploys. Whaling, the variant of spear-phishing in which the attacker researches and targets a specific member of the C-suite, is a tactic tailored for CFOs. The attack exploits the trusting relationship between employees and key executives. Once attackers gain access to an executive's account, they pose as that executive and make plausible requests to employees in order to accomplish a number of objectives, such as expanding access across the network, executing a wire transfer, obtaining W-2 data on employees, or conducting internal reconnaissance.
In certain instances, an attacker will present themselves as another member of the organization requesting payment to a particular account or the transfer of sensitive data, often with a feigned sense of urgency such as a board of directors' request or a tax deadline. The attacker hopes the victim will complete the request, assuming it came from a trusted peer. With access to company resources and sensitive data, and the authority to approve large payments, CFOs make excellent whaling targets.
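The impersonation pattern described above (an executive's name on a message that does not come from the executive's mailbox, a look-alike domain, a different Reply-To, and urgency or payment language) can be checked mechanically at the mail gateway or in a SIEM. The following is an added example, not code from the original article: a small Python triage routine that parses constructed message headers and reports those indicators. The company domain example.com, the executive roster and the sample messages are all constructed placeholders, and the keyword list is a starting point rather than a complete rule set.

```python
"""Flag executive-impersonation ("whaling") indicators in inbound mail headers.

Added example; the domain, roster, keywords and sample messages below are
constructed placeholders, not data from any real organization.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed placeholder for the company's own domain
EXECUTIVES = {                  # constructed roster: normalized display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
# Terms that commonly accompany payment or data requests made under time pressure
URGENCY_TERMS = ("urgent", "wire", "transfer", "w-2", "w2", "deadline", "board", "confidential")


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _looks_alike(domain: str, trusted: str) -> bool:
    """True for near-miss domains (examp1e.com) or ones embedding the brand (mail-example.net)."""
    if domain == trusted:
        return False
    brand = trusted.split(".")[0]
    return _edit_distance(domain, trusted) <= 2 or brand in domain


def analyze_headers(raw: str) -> list[str]:
    """Return the list of impersonation indicators found in one message's headers."""
    msg = message_from_string(raw)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. A known executive's display name paired with a mailbox that is not theirs
    name_key = _norm(from_name)
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Sender domain that imitates the company domain
    if from_domain and _looks_alike(from_domain, COMPANY_DOMAIN):
        findings.append(f"look-alike sender domain: {from_domain}")

    # 3. Replies silently redirected to a different mailbox
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    if reply_addr and reply_addr != from_addr:
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 4. Urgency or payment language in the subject line
    subject = msg.get("Subject", "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        findings.append("urgency/payment language in subject: " + ", ".join(hits))

    return findings


# Constructed sample messages (headers only; bodies are irrelevant to this check)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap-team@example.com\n"
    "Subject: Q3 budget review\n"
    "\n"
    "Please send the updated forecast.\n"
)

SAMPLE_WHALING = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: cfo.janedoe@mail-example.net\n"
    "To: ap-team@example.com\n"
    "Subject: URGENT wire transfer before board meeting\n"
    "\n"
    "I need this done in the next hour, do not call me, I am in a meeting.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("whaling", SAMPLE_WHALING)):
        print(label, analyze_headers(sample) or ["no indicators"])
```

Each finding is an independent signal; in practice an organization would combine them with authentication results (SPF, DKIM, DMARC) and route messages that trip the display-name or look-alike checks to a quarantine or a verification step, since a single urgency keyword on its own is common in legitimate finance mail.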
The Human Angle
Attackers continue to find success by leveraging an essential company asset: trust. CFOs have trustworthy teams charged with diligently overseeing company financials. From their executive assistants to internal counsel to IT departments to accounts payable/receivable teams, CFOs of complex organizations trust their teams to get the job done. Skilled attackers exploit this trust to conduct an initial attack, maintain multiple footholds on a network, conduct reconnaissance and escalate privileges, all in an effort to carry out their specific mission.
Because attackers are also adept at penetrating an organization outside the C-suite and moving laterally throughout the network to obtain more privileged access, educating all employees on plausible attack vectors (crafted social engineering emails, social media requests, and connection requests on trusted networks such as LinkedIn) must be a priority. Sending a believable email with a malicious attachment to an employee in vendor management, identified by the attacker on LinkedIn or Facebook, is just as effective at establishing a network foothold as emailing the CFO directly. The pervasiveness of attack methods and attack vectors should push executives to emphasize cybersecurity training for all employees and to invest in key technologies to identify and neutralize attacks.
Protecting Your Organization
Creating a holistic IT security plan is critical for leaders in today’s organizations. Conducting a full IT audit allows C-suite leaders to map out key objectives for hiring, vendor vetting and management, technology enhancements, and prioritization of IT spending. Once a plan is in place, leaders can set clear goals for executing their defense-in-depth plan over a multi-year process. In short, C-suite leadership needs to expect that breaches will happen on their networks, plan and budget for quick identification and remediation, and train their teams to continuously harden their defenses. In addition to the above risk management strategies, cyber liability insurance provides an effective risk transfer solution that can help address these risks and exposures.
Companies are looking to cyber liability insurance for an established, vetted network of partner firms to assist with everything from incident response to data breach counsel to victim notification and credit monitoring following a breach. A policy also provides several proactive resources that can help companies prepare for and mitigate a cyberattack. In the developing cyber insurance marketplace, carriers are frequently innovating to provide preemptive services, such as penetration testing and phishing training, to combat future attacks. Alongside the risk mitigation strategies that target a company’s people, processes and technology, cyber liability insurance is a critical risk transference tool to help an organization respond to and recover from devastating cyberattacks.
Additional Resources
Webinar: What's on the Horizon: Cyber Readiness and Insurance Projections for 2023
Your Cyber Risks: An Underwriter's Perspective