The C-Suite Conundrum: Are Senior Executives the Achilles’ Heel of Cybersecurity?
2024-8-7 14:10:2 Author: securityboulevard.com

In today’s digital landscape, an organization’s C-suite and senior executives hold the most valuable corporate data and sign-off authorities, representing the highest potential risk over email. Whether inbound spear phishing attacks or outbound mistakes resulting in a damaging data breach, the C-suite is vulnerable.

But what do cybercriminals want from these individuals, are breaches always a result of external actors, and what can organizations do to protect their top decision-makers?

Decoding Cybercriminals’ Fascination With the C-Suite

In what is sometimes referred to as a whaling attack, threat actors often dedicate more time and resources to a phishing email against a senior executive or C-level employee, using a less generic approach than they would against the rest of the workforce.

As a form of spear phishing, cybercriminals usually carry out heavy reconnaissance on the individual and the organization to leverage convincing impersonation and social engineering tactics. Because the attacks often lack an attachment or link-based payload, it is difficult for technologies that rely on signature-based detection to identify them.

They may pretend to be another stakeholder within the organization, a trusted business associate or someone within their supply chain, using minor, hard-to-notice typographical errors in an email address, or a compromised legitimate account. If a compromised account is used to send the phishing email, it can be nearly impossible for an individual to identify the email as malicious, and the attacks also often bypass traditional technologies that use reputation-based detection methods.

Cybercriminals aim to trick an individual into revealing valuable corporate information, transferring funds from the organization, or heavily disrupting operations. The C-suite's considerable influence and authority make it an attractive target.

Reasons Threat Actors Target the C-Suite 

Firstly, C-level executives have insights, access and control over privileged company data, systems and finances. Such information and access are highly coveted by cybercriminals, due to their potential for exploitation and illicit gain.

Secondly, senior executives are often busy, with a significant workload and tight deadlines, meaning they have less time to thoroughly review emails and determine their legitimacy. Egress’ 2023 Data Loss Prevention Report revealed that 66% of employees use a mobile phone to access their email outside of work, and this percentage is likely higher for time-pressed C-suites on the go. Mobile devices make spear-phishing attacks more difficult to identify, as usually only the display name is shown, so it is harder to spot an incorrect address.
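The two tells described above, a typo-level change to the sending domain and an executive's display name on an address that is not theirs, can be checked mechanically on the From header. The following is an added example, not code from the article or from Egress; the directory, the trusted-domain list and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed directory and allow-list (assumptions, not from the article).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com", "supplier.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def assess_sender(from_header: str) -> list[str]:
    """Return findings for one From header; an empty list means no flag."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Display name claims to be an executive, but the address is not theirs.
    # This is the case a mobile client hides by showing only the name.
    known = EXECUTIVES.get(" ".join(display.lower().split()))
    if known and addr != known:
        findings.append("display-name-impersonation")
    # Domain is not trusted, yet sits within two edits of a trusted one.
    if domain and domain not in TRUSTED_DOMAINS:
        near = [d for d in sorted(TRUSTED_DOMAINS) if edit_distance(domain, d) <= 2]
        if near:
            findings.append(f"lookalike-domain:{near[0]}")
    return findings

# Constructed From headers for demonstration.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <ceo.office@mail.test>",
    "Accounts <billing@suplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", assess_sender(header) or "no finding")
```

A message sent from a compromised legitimate account passes both checks, which is why the article treats that case as the hardest to identify.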

Additionally, those in C-suite roles may find themselves in the spotlight, leading lives that are fairly public. Whether this is via an active social media account or speeches at conferences and events, cybercriminals have a wealth of open-source information (OSINT) readily available to them. This can then be used to craft convincing spear phishing or impersonation attacks.

How the C-Suite Has Been Targeted Over 90 Days

Egress data reveals that, within the C-suite, chief executive officers (CEOs) were the number one target for phishing emails, receiving 23% of attacks, closely followed by chief people officers (CPOs), who received 21%. Down from first place since Egress did a similar investigation in 2023, chief finance officers (CFOs) ranked third with 19%.

Having access to systems, data and funds, it comes as no surprise that CEOs and CFOs have placed in the top three targeted C-levels. Similarly, senior HR executives are privy to sensitive personal data including recruitment, employee relations and payroll, making them high-value targets for threat actors.

Another interesting note is that C-suite members whose roles relate to information security, compliance and technology tend to rank very low – likely because cybercriminals still anticipate a lower success rate due to their elevated cyber awareness.

Risk Isn’t Just an Inbound Issue 

The human element accounts for 74% of all breaches, so, when thinking about an organization’s riskiest users, it is negligent to consider that employees are only vulnerable to external actors. In 2023, 91% of organizations experienced security incidents caused by outbound data loss within Microsoft 365, including misdirected emails and attachments, and data exfiltration.

These outbound events could include employees replying to a phishing email, clicking the wrong recipient in the Outlook autocomplete drop-down, accidentally sending the wrong attachment, or sending work to a personal device to look at after hours.

As innocent as these actions could be, if carried out by a senior executive the consequences could be devastating, as executives often hold the most sensitive company data, and if that data is sent to an unauthorized recipient it could amount to a full-scale data breach. Therefore, organizations must consider how to protect their senior executives, not just against external actors, but also against outbound incidents.

How Can Organizations Protect Their Senior Executives?

The most common way an organization can help its C-suite is by providing them with regular security and awareness coaching. It is commonly known that, in the workplace, attitude comes from the top down, so not only is it important for the C-suite to show an enthusiasm for security awareness, but as the highest-value targets, they are the ones that need to be the most vigilant.

As an attack sent to a C-suite is likely to be much more targeted than those sent to the masses, organizations also need to ensure that they are tailoring coaching to each department or individual, based on the jobs they do and the attacks they receive.

In response to frustrations with static DLP being inadequate in dealing with the human element of outbound mistakes, three-quarters (74%) of cybersecurity leaders have considered turning off Outlook autocomplete to prevent misdirected emails and attachments.

However, only 20% have disabled the functionality – the likelihood being that removing autocomplete would cause immense friction to workflow, and manually typing in an email address could give rise to an equal number of mistakes. This is even more true for busy C-suite executives, who don’t have time to write out a long address every time they want to communicate over email.

The Best Approach to Inbound and Outbound Threats

Given the responsibilities of the C-suite and senior executives, email security must not become an additional burden. Organizations must provide them with the necessary tools to mitigate the risk of inadvertently enabling a detrimental data breach. However, sophisticated attacks that target the C-suite use tactics that easily evade traditional security technologies, and static DLP isn’t dynamic enough to catch the full spectrum of human error-related mistakes.

This is why many organizations are opting to layer their native security defenses in Microsoft 365 with an integrated cloud email security (ICES) solution that can neutralize advanced threats, and prevent data exfiltration and misdirected emails and attachments.


Source: https://securityboulevard.com/2024/08/the-c-suite-conundrum-are-senior-executives-the-achilles-heel-of-cybersecurity/