The daughter of the CEO of a high-profile corporation went out to lunch one day with friends. Within a few minutes of being seated in the restaurant, union protestors appeared in front of the establishment. They were not protesting the eatery’s labor conditions; instead, they were shouting the demands of union leaders in negotiation with the organization that the CEO led.
Soon after the incident, the question arose as to just how the protestors knew the daughter was going to be at that particular restaurant at that precise time. A professional checked her phone for malicious software and discovered a hacker had infested the device with spyware. Someone had been tracking her movements and reading her texts.
When the CEO heard about the incident, he was furious with the organizers of the protest and the labor union negotiators. The nature of the disruption to his daughter’s lunch derailed negotiations. The time it took to bring the parties back to the table had cost the company millions of dollars.
As cybersecurity threats become increasingly sophisticated, cybercriminals feel emboldened to target the C-level of corporations, their friends, and their family members. Hackers are after the information and relationships the CEO has. Sometimes, they are after an executive’s reputation.
Now, it’s not just the personal bank account black hats are after when they track a member of the Board of Directors, for instance: they watch business travel patterns, vacation plans, even their children. Once criminals gain even fragments of personal information, they target executives and their family members with phishing emails and text messages.
The problem may be insoluble for internal IT departments, however. Instead, a new kind of executive cybersecurity protection service may be the answer to repelling two types of digital attacks: Pivot and Endgame. Both can wreak havoc to company finances and personal lives.
Pivot Attacks
Corporate IT departments are already familiar with spear-phishing attacks. Phishing is the act of hackers sending emails and mobile phone text messages with embedded links to malicious websites that steal data from users. The criminals then use the data, which may include user IDs and passwords, to break into other parts of the organization’s networks. Spear phishing is a more sophisticated form of the same attack in which the “bait” is personalized and intimate, drawing on details about the recipient rather than relying on a general request to click a link.
As the universe of Internet of Things (IoT) devices expands, users are becoming more vulnerable to phishing and spear-phishing attacks. Tablet computers, smartphones, and even smartwatches are primary targets. From IT’s point of view, the problem with many of these devices is that they are also being used to do work for the company. For instance, many people receive and respond to office email on their smartphone. While many organizations support a Bring Your Own Device (BYOD) policy, working from personal machines exposes the enterprise to a class of cybersecurity threat known as Pivot Attacks.
Pivot Attacks occur when a hacker breaks into a personal device that an employee also uses for work, and then “pivots” from that device to break into the enterprise’s network. IT departments, in general, are well aware of the dangers of BYOD and use specialized software filters to manage the corporate data to which personal devices have access. Endgame attacks, however, are a different matter and are the more effective of the two, because they are backed by a great deal of specific information about the behavior of company executives.
Endgame Attacks
The objective of endgame attacks is to use the data gathered about executives and their first- and second-degree relationships to foil enterprise operations obliquely. Access to the personal information of high-level executives is as simple as following the Facebook and Instagram pages of their spouses and children.
Out of town this week for a holiday in the Bahamas? What teenager could resist posting photos of the family vacation online, complete with mom and dad flashing peace signs? This sort of revelation about a CEO leaves the enterprise open to all kinds of invasions, direct and indirect. It’s no wonder that cybersecurity attacks on enterprises peak during holiday periods when executives are least available for verification of directives to staff.
One cybersecurity poll found that 77 percent of organizations experienced some form of Business Email Compromise (BEC) involving CEO fraud. Hackers had enough information about an executive to impersonate them in text messages and emails directing staff to wire funds or reveal sensitive company data. Hackers coerced a movie theater chain into wiring a total of $21.5 million over several weeks at the direction of people it believed to be executives of its parent company. The solution requires a mix of technology, corporate policy, and perhaps a new breed of “cybersecurity protection service”.
A New Kind of Cybersecurity: A Protection Service for Executives
Corporations — mainly publicly traded ones — are loath to extend their cybersecurity umbrellas to include the personal lives of their staff, especially of the C-level. In the case of public companies, in-house lawyers will insist they do not want an executive’s home network logs on the enterprise network, where they would be discoverable by hackers. Nor do the lawyers wish to see such personal information showing up, accidentally or intentionally, in an SEC filing.
If the Board of Directors accepts that the online world has become a digital jungle populated by hostiles, then the solution presents itself through precedent. When executives travel to dangerous parts of the real world, organizations enlist the help of security agencies to protect the corporate officer and their family. Companies can use the same model to monitor and safeguard the digital lives of executives and their immediate families.
Lesser, in his interview with Cyberwire, moots the idea of a cybersecurity bodyguard who would have no direct connection with the enterprise. The agency would not provide home network logs, text message threads, or even detailed incident information to the executive’s employer.
Instead, the privacy of its client would be paramount and would mitigate a significant threat vector to the organization, while enabling executives to enjoy their lives in peace.