Security threats are not drastically different in the wake of COVID-19, but the frequency of attacks and the targets have certainly changed. The wide adoption of working remotely has led to increased attack surfaces and increasingly vulnerable enterprises. At any company, the C-suite’s access to treasure troves of valuable information, and change in work habits, requires them to remain on high alert during this lockdown period and beyond.
According to Verizon’s Data Breach Investigations Report, C-level executives were 12 times more likely in 2019 to be the target of social engineering incidents as compared to previous years. Further, research shows that nearly 40% of IT decision makers believe that their organization’s CEO is a weak link in their cybersecurity operation. Simply put, nefarious actors can see corporate executives as an easy entry point. The onset of the pandemic has only exacerbated this problem – scammers have impersonated more than 7,000 CEOs since March, cyberattacks have spiked, and INTERPOL noted that cybercriminals have shifted to targeting major corporations, among other entities. Organizations now have more potentially vulnerable points, with employees working from home, constantly videoconferencing, and sometimes using less secure mobile devices and networks.
It is already well documented that billions of breached and leaked credentials are circulating throughout the deep and dark web. Threat actors leverage this compromised personally identifiable information (PII), such as names, emails, and passwords, to personalize their attacks while targeting corporate executives, board members, and others with high degrees of access and reputational risk. Attacks include phishing scams, business email compromise (BEC), social media fakes, and account takeover.
Of course, executives have known about these attacks and risks for years. Enterprise Security Group published its annual IT spending intentions research, prior to the pandemic, and noted that 62% of organizations planned to increase cybersecurity spending in 2020. However, amid the disruption in this past year, many companies chose to instead prioritize and allocate resources to departments that directly affect the bottom line, losing sight of the long-term benefits of cybersecurity.
Now more than ever, it is important to prioritize security, but as the saying goes, you are only as strong as your weakest link. An organization can invest all the money it wants into digital risk protection, but if its employees practice poor cyber hygiene, even the most innovative technologies and solutions will lose effectiveness.
Alarmingly, human error caused nine out of ten breaches reported to the UK Information Commissioner’s Office in 2019. Protecting your company’s executives from identity-based cyberattacks begins with cybersecurity training and awareness. This will help employees recognize the signs of suspicious activity and implement cyber best practices; it will bolster confidence in clients and other key stakeholders; and most importantly, it will save money in the long run (breaches are just as devastating to a company’s finances as they are to its reputation, if not more so).
Today, and increasingly in the future, an executive’s Cyber Pattern of Life is an extension of their reputation and the company’s. Because of this, it is crucial to understand an executive’s digital footprint – both in open web sources and underground markets. Identifying poor or risky behavior at an early stage, before damage can occur, helps reduce or mitigate digital risks. For example, password re-use is rampant. If an executive’s personal email and password were exposed in a breach last year, threat actors could then attempt to gain access to corporate email by simply applying that same password or a similar variation. A company that is aware of the password exposure, however, can make this vulnerability obsolete by requiring any employee or executive to change their password and use a unique, complex password for each of their accounts moving forward (and might recommend a password manager to keep track).
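The password-change step described above only helps if the replacement is not itself a "similar variation" of the exposed password. The following is an added example, not part of the original article, of a check a password-change flow could run; the substitution table, the 0.8 similarity threshold, and the sample passwords are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Common character substitutions folded back to letters (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password: str) -> str:
    """Reduce a password to its base word so cosmetic changes do not hide re-use."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing digits/symbols
    return base.translate(LEET)                        # undo leetspeak substitutions

def is_variation(candidate: str, exposed: str, threshold: float = 0.8) -> bool:
    """True if candidate is the exposed password or a close variation of it."""
    a, b = normalize(candidate), normalize(exposed)
    if not a or not b:
        # Nothing left after normalization (e.g. all digits): exact match only.
        return candidate == exposed
    if a == b or (len(b) >= 4 and b in a):
        # Same base word, or the exposed base word embedded in the new password.
        return True
    # Otherwise fall back to fuzzy similarity of the two base words.
    return SequenceMatcher(None, a, b).ratio() >= threshold

def check_new_password(candidate: str, exposed_passwords: list) -> list:
    """Return the exposed passwords the candidate derives from (empty list = accept)."""
    return [e for e in exposed_passwords if is_variation(candidate, e)]

# Constructed sample data: passwords assumed to have appeared in a breach.
EXPOSED = ["Summer2019", "123456"]

if __name__ == "__main__":
    for new in ("Summer2020!", "5umm3r2021#", "correct-horse-battery-staple"):
        hits = check_new_password(new, EXPOSED)
        print(new, "-> REJECT" if hits else "-> accept", hits)
```
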
Some other tips to mitigate cyber threats at this time include:
- Mandate the use of a corporate virtual private network (VPN) to provide employees with secure, encrypted access to the company’s network.
- Use your work computer for business activity, not personal. This also means avoiding the use of personal laptops for work.
- Be extra vigilant about the websites you visit – experts have observed a rise in malicious domains amid COVID-19.
- Recognize the signs of a phishing attempt: poor grammar; a suspicious sender; urgent call-to-action to click on a link or attachment; or an unsolicited request for a payload or credentials. Threat actors often spoof CEOs and email employees, demanding an urgent wire transfer. Make sure everyone errs on the side of caution – don’t fall for it!
- Protect your turf on social websites by having a secure and confirmed presence – even if it isn’t constantly managed. Even if a C-suite executive isn’t active on social media, removing the profile completely allows cybercriminals to fill the void.
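The phishing signs listed above (a suspicious sender, an urgent call to action, a spoofed CEO demanding a wire transfer) can be turned into a simple mail-gateway check. This is an added example, not part of the original article; the corporate domain, executive name, keyword lists, and both sample messages are constructed assumptions, and the Reply-To comparison goes slightly beyond the signs the article names.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"            # assumed corporate mail domain
EXECUTIVES = {"jane doe"}              # assumed executive display names, lowercased
URGENT = ("urgent", "immediately", "asap", "today")
PAYMENT = ("wire transfer", "payment", "invoice", "gift card")

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def bec_signals(raw: str) -> list:
    """Return the executive-impersonation signals found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    signals = []
    # Display name claims to be an executive, but the address is outside the company.
    if " ".join(name.lower().split()) in EXECUTIVES and domain(addr) != CORP_DOMAIN:
        signals.append("exec-display-name-external-sender")
    # Replies would be routed to a different domain than the visible sender.
    if reply and domain(reply) != domain(addr):
        signals.append("reply-to-domain-mismatch")
    # Urgency combined with a request for money.
    if any(u in text for u in URGENT) and any(p in text for p in PAYMENT):
        signals.append("urgent-payment-request")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.test>\n"
           "Reply-To: ceo.office@freemail.test\n"
           "Subject: Urgent wire transfer\n\n"
           "I need this payment sent immediately. Do not call, I am in a meeting.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Subject: Q3 board deck\n\n"
         "Slides attached for Thursday.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_signals(raw))
```
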
We are still learning about the lasting effects of this pandemic on the world of cybersecurity. Once a vaccine is widely available and we all return to some form of normalcy, don’t let your guard down. Cyberattacks are inevitable, but taking the necessary proactive steps to improve your security posture can go a long way to preventing future incidents, both for yourself and your company.
Written by Kem Gay.