The proliferation of cybersecurity threats, and the breaches that have followed, has demonstrated that cyber risk mitigation requires a holistic, top-down approach. That approach, in turn, demands subject matter expertise and clear prioritization from the executive office as a whole, not exclusively from a CIO, CTO, CISO or IT.
At the same time, the executives themselves are facing great professional and personal risk.
Let's start by looking at the numbers below.
C-suite executives face a double whammy when it comes to their cyber risk considerations:
Breaches, phishing and fraud attempts aimed at the C-level are increasing. Cybercriminals are getting better at impersonating executives and sending e-mails, in the CXO's name, that request wire transfers, privileged account password resets, corporate credit card details and more. With bad actors fine-tuning their social engineering skills, CEOs and the rest of the C-suite need to bolster their own cybersecurity awareness and practices.
In high-profile cases, cybercriminals do not hesitate to use any means necessary to achieve their intended outcome. This includes extensive OSINT research into the target's personal life and into their loved ones. Such information can then be used in social engineering, including intimidation, blackmail and impersonation. This is especially true of well-funded, state-sponsored threat actors and APTs.
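As an added example, not part of the original post, the following Python flags the most common tells of the executive impersonation described above in an e-mail's headers: an executive's display name paired with an external sender domain, a look-alike sender domain, a Reply-To that diverges from From, and urgent payment or credential wording. The corporate domain, the executive directory and the three sample messages are constructed for illustration and are assumptions, not data from the post.

```python
"""Flag executive-impersonation (BEC) tells in e-mail headers.

Added example; the domain, executive names and sample messages below are
constructed for illustration and are not taken from the original post.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation's own domain and its executive directory.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
URGENT_WORDS = ("urgent", "asap", "immediately", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "gift card", "payment",
                 "password reset", "credit card")


def normalize(name: str) -> str:
    """Lower-case a display name, drop punctuation, and turn 'Doe, Jane' into 'jane doe'."""
    name = name.lower()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(name.split())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> list[str]:
    """Return the reasons a message looks like an executive impersonation attempt."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # An executive's name on an address outside the corporate domain.
    if normalize(display) in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        reasons.append("executive display name with external sender domain")

    # A domain one or two characters away from the real one (e.g. examp1e.com).
    if from_domain != CORPORATE_DOMAIN and 0 < edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_domain}")

    # Replies silently redirected to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")

    # Urgency combined with a payment or credential request.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in URGENT_WORDS) and any(w in text for w in PAYMENT_WORDS):
        reasons.append("urgent payment/credential request wording")

    return reasons


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 board deck

Attached is the draft for review.
"""

SPOOF_FREEMAIL = """From: "Doe, Jane" <jane.doe.ceo@gmail-example.test>
Reply-To: jdoe.private@mail.test
To: finance@example.com
Subject: URGENT wire transfer

Please process the wire transfer immediately, I am in a meeting and cannot talk.
"""

LOOKALIKE = """From: John Smith <john.smith@examp1e.com>
To: it-helpdesk@example.com
Subject: Password reset needed ASAP

Reset my privileged account password and send me the new one.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("freemail spoof", SPOOF_FREEMAIL),
                          ("look-alike domain", LOOKALIKE)):
        print(f"{label}: {analyze(sample) or ['no findings']}")
```

The checks are deliberately header-only so they can run at the mail gateway before any attachment or link analysis; in production the executive directory would come from the identity provider rather than a hard-coded set, and a DMARC/SPF result for the sender domain would be added as a further signal.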
In addition to the above, a top-level executive has numerous cybersecurity-related factors to consider, whether they are at the office:
Is my financial and confidential information secured?
Am I sufficiently secured on our corporate network?
How easily can I, and my assets, be reached?
How physically secure is our corporate office?
How well secured are my home network and mobile devices?
How effective is my home's physical security?
What are my family members sharing about us on social media?
Are private and corporate data secured and separated at home?
...and while traveling:
What is my digital footprint while out of office?
Can I be easily identified or traced outdoors or while abroad?
What is publicly known or being said about my travel habits?
Am I using secure Wi-Fi networks while traveling?
Ultimately, and with some justification, in 2020 IT professionals still often view the C-suite as the weak link in the organization's cyber defense.
At the same time, however, CXOs can view themselves as being above at least some security protocols, compromising cyber risk mitigation controls and measures for convenience and efficiency.
There is a way to strike the right balance between user experience and security:
Seamless Cybersecurity Controls
Cybersecurity controls are only good if they are being used, not actively circumvented by the person or asset they were designed to protect.
Controlled Social Footprint
Executives must accept that their position is that of high importance and sensitivity to both their organization and their loved ones. Practicing social network hygiene, and carefully considering what information is shared, especially in public, is key.
Awareness and Training
Articulating the consequences of inaction or of poor cyber risk mitigation can be the difference between success and failure. It is critical for executives to clearly understand what effects cyberattacks can have on both their professional and their personal lives.
C-Suite as a Crown Jewel
A compromised CEO can be as detrimental to an organization's business and market position as a breached database, or more so. Viewing the members of the executive office through the same lens as other critical assets helps streamline the defensive measures.
Do you agree? Did we miss anything? Let us know in the comments or tag @wembleypartners on social media!