How CISOs can manage the cybersecurity of high-level executives
High-level executives, including board members and C-level executives, often have access to sensitive information, making them prime targets for bad actors looking to penetrate corporate defenses. Their personal devices, among other points of entry, are glaring attack vectors for cybercriminals looking to get in on the top floor.
As CISOs know, cyber incidents all too often include the human element—and executives are all too human. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved a human element, the bulk of them involving phishing, business email compromise (BEC), and stolen credentials.
Home is the new attack surface
Driven by numerous factors, a new class of risk is emerging that targets the highest ranks of an organization through deeply personal avenues. The message to CISOs is that an executive’s digital life could be the company's weakest link, and not just their corporate devices and accounts: home servers, home security equipment, family devices, and even social media interactions can present vulnerabilities and pose workplace security risks.
“It means home is the new attack surface,” says Chris Pierson, CEO at BlackCloak.
It’s a no-brainer to ensure that internal systems and people are in place to protect an organization, but it’s much harder to manage risks from outside that can’t easily be controlled. The digital lives of the leadership team, Pierson says, could be something of a ticking time bomb.
In Pierson’s experience with onboarding executives, a significant proportion (39%) have an aspect of their personal digital life that’s been compromised. When personal and corporate lives connect, this can spell trouble for CISOs who find themselves fighting fires in an environment they don't control.
The risk faced by executives has grown rapidly as the pandemic-driven rise of hybrid work increased the blurring of professional and personal digital lives. Complex geopolitical tensions, opportunities for digital activism against corporates—particularly in industries with higher risk profiles—and the prospect of financial gain from targeting wealthy leaders have all raised the stakes on the personal digital lives of executives.
A large organization, especially if it's a publicly listed company with a C-suite leadership team that has a presence in the media and on social media, can be a lightning rod for the attention of bad actors, says Gergana Winzer, partner of cyber services with KPMG Australia.
“Some of these small-time criminals have awakened to the reality of being able to make monetary returns by utilizing easy-to-buy malware or ransomware online and just deploying it across those types of high-net-worth individuals,” Winzer says.
When personal breach leads to enterprise attack
This class of personal risks can take many different forms, according to Pierson, who says one of the biggest risks is to intellectual property—the loss of corporate documents from executives’ personal devices or personal accounts where there are fewer or no controls.
“Corporate executives tend to have complex smart home systems with security cameras and servers hosting a multitude of devices and services, and these present potential points of entry,” he says.
But that’s not to discount the lure of financial gain. “Executives, because they are also high net worth, can be attractive targets to criminals over banks and financial institutions that have more controls in place,” Pierson says. “We see their personal emails being breached in business email compromise attacks, we see their personal devices being breached through malware, as well as other social engineering scams all the time. As a result, money is a big motivator for a lot of these attacks.”
Then there are the deeply personal attacks with malicious intent. Personal doxxing—the exposure of names, addresses, phone numbers, and even personal photos and videos—violates privacy and leaves executives open to exploitation.
“These things are used as a means of extortion but can also have very impactful reputational damage and even intimidation,” Pierson adds.
According to experts, addressing these complex security considerations must not create added friction between the executives, their families, and their interactions with technology. Rather, the attack surface of those accounts, services, and devices needs to be shrunk, and there needs to be assurance that the risks can be mitigated, Pierson says.
How CISOs can mitigate risks for executives
Ensuring executives are protected outside the office environment and hardware can be difficult when CISOs can’t directly intervene in their personal digital life.
“They want to keep church and state separate,” says Pierson. “They want that privacy divide, but they just want the risks covered and to know at a high level what's being done.”
Pierson says CISOs need to understand precisely how and where the two risk environments—corporate and personal—intersect. “Look at your ‘About Us’ leadership page. That's where it starts. Understand how deep that goes in terms of the next layers down and then figure out the biggest risks that those individuals may face in their personal lives and what the CISO can do to try to reduce or mitigate them.”
Sophisticated, well-coordinated cyberattacks may not begin in the company’s systems but start by compromising an executive and then propagate from there, Winzer says. As a precautionary measure, CISOs need to be vigilant for changes in leadership and executive team risk profiles, which means staying curious and being constantly interested in finding the blind spots.
And those blind spots can be huge—a CEO who makes frequent media appearances, has stock market dealings that are open to public scrutiny, or is simply well enough known to be included in social media conversations is sending up a flare for potential hackers.
“As a CISO, I need to be aware of the threats that can potentially harm that individual and their ability to do their work within the organization,” she says.
Protect the corporate “crown jewels”
To address the potential vulnerabilities that can bleed from personal into corporate, Winzer recommends CISOs undertake a risk assessment that includes identifying the company’s “crown jewels” that need to be protected. This needs to include an evaluation of potential risks, including those arising from personal attacks, and the development of mitigation strategies.
Winzer says this means making sure as many threats or vulnerabilities as possible are documented and taken into consideration, which helps to assess the likelihood and impact of any personal breach.
“Calculate what the threat means to the C-level executives and board members and then take action from there,” she says. “But it needs to be based on the risk appetite and what the company believes to be important to protect.”
Mitigation strategies might include policies around what and how much information these executives can disclose about themselves publicly, according to Winzer. “It’s really important to get as much information as possible to evaluate the threat, put it in your risk register, and then do something about it, rather than ignoring it. Because that's everything in cyber—every time we have ignored something it has come and beaten us up.”
Ensure high-level executives get cybersecurity training
In addition to risk assessment and mitigation strategies, in-house education can also help in securing an executive’s digital footprint. Steven Sim, a member of the ISACA Emerging Trends Working Group, says the C-suite, like all staff, should attend tailored awareness training that includes phishing simulation exercises and tabletop exercises.
“These should be part of a multiyear security improvement program, if not already put in place as business-as-usual, that should cut across people, processes and technologies,” Sim says. And given the specter of regulatory fines and reputational damage, such a program needs to extend across the digital and business supply chain and the intelligence ecosystem of the security community.
Sim recommends the risk register for both C-suite executives and their enterprises be updated consistently, as the cyber threat landscape evolves rapidly with new tactics or techniques. Security metrics, key risk indicators, and key performance indicators of cybersecurity initiatives and projects must be continually measured to ensure the delivery of a successful cybersecurity improvement program.
Consider corporate culture
Culture is another important element that mustn’t be overlooked in managing executive risk, according to Winzer: it should ensure everybody carries shared responsibility when it comes to cybersecurity. In practice, this means the CISO taking a holistic approach, rather than relying on patches or education programs alone. While many CISOs have been doing this for years, she recommends a strong collaborative approach across the C-suite to really uplift the cyber culture.
“The CISO, the CFO, and the CEO all need to work together to ensure the culture [of shared responsibility] is being propagated across the organization,” she says.
Above all, shared responsibility means understanding that there is shared risk. “If a CEO gets affected and personal data and files are leaked, including sensitive information about their status or the things they know about the company, trade secrets and the like, then it becomes the CISO’s problem. It's not just the CEO’s private problem anymore.”
This article was written by Rosalyn Page from CSO Magazine and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to legal@industrydive.com.