Protecting executives today is about much more than physically shielding them from danger. The cyber security risks are higher than ever, and organizations need to ensure that the network and data access many high-level executives have doesn’t become an easy entry point for attackers.
CSOs and CISOs need to make executive protection a high priority for the organization. Here are five fundamentals that security leaders should keep in mind.
1. Conduct a risk analysis
The first step CSOs and CISOs need to take is to conduct a comprehensive risk analysis. This includes identifying those individuals in the organization who are critical to the business and likely targets, and assessing the impact to the organization if they are the victims of attacks.
Some questions to ask as part of the analysis: Has there been a history of threats against any of these executives? Do they travel regularly to dangerous places? To what kinds of attacks are they most vulnerable?
Once you’ve determined which individuals need protection, learn about their public and private lifestyles—to the extent that it makes sense and can help reduce the risk factor. This step requires the executive's full cooperation, because you will need to know all about the work and home life of the individual. Look into how easy it is for someone to get information on the executive and his or her family.
Based on what you learn about executives, you can get a clearer picture of what kinds of risks your facing and what security measures you'll need to take. It's important to keep in mind that risks are ever-changing, so you need to establish a baseline level of security for executives that can be increased as needed.
[Related: Using risk for adaptive security]
“Risk analysis should start off with their home life, where they live, the current crime climate in the area, whether or not they have a home security system,” says Robert Siciliano, a security consultant and identity theft expert. “A large factor here is determining the individual’s ‘significance’ and whether or not they are considered a high-value target.”
2. Make a strong case for protection, even if executives resist
Some executives will no doubt be unhappy about having their work and personal life under scrutiny, but that’s part of the price of achieving success in business and having lots of responsibility. To make this less of an ordeal for everyone involved, CSOs and CISOs need to demonstrate to executives why security is so important. One way to do this is to have executives pay attention to what they see when they do simple Google searches of their names.
“Periodic ego searches demonstrate to them that they are a target,” says Jason Taule, CSO at FEI Systems, a provider of health-related technology. Once they’ve done this they can see how a hacker could easily find out all kinds of information about the executive, and launch an attack by leveraging that knowledge.
Another way to demonstrate to executives how much of a target they are is to have them look in their email spam filters to see how many phishing emails have been sent to them, Taule says. Fortunately, these emails didn’t reach the inbox and trigger an attack, but the sheer volume of these attempts should get the point across.
The best and most effective way to make the case for security is to put on a challenge, Siciliano says. “Most people, especially Americans, think ‘it can't happen to me’, which is a societal norm based on myths that these things only happen to other people in other places,” he says. “Essentially challenging that executive to determine his or her vulnerabilities and showing just how vulnerable that person is, in both their physical and virtual environment, will get their attention.”
3. Ensure that executives’ personal and work devices are secure
Many business operations and interactions today take place via mobile devices, and a lot of executives are likely to be using the same devices for work and personal reasons. It’s ideal if they use different devices, such as smartphones, for work and home, but executives often won’t accept this, Taule says. You might want to consider pushing for a company policy dictating how many and which devices can have for work and how they can be used.
In any case, it’s imperative that any devices executives use for business be highly secure and have the latest protections. All sensitive data should be encrypted and the devices should be protected via an enterprise mobility management (EMM) platform.
Part of ensuring the security of mobile devices includes evaluating not just the devices used by the executives, but those of their immediate family members within the household as well, Siciliano says. That means determining whether each of the devices has password protection, updated operating systems, updated antivirus software, and so on.
“It's important to keep in mind what devices are ‘shared,’ meaning if a child is sharing the same device as the executive and what kind of trouble the child may get the executive in,” Siciliano says.
4. Educate executives about attacks such as phishing
Business executives are among the biggest targets of phishing and whaling attacks, in large part because they have such a high level of access to important data. It’s vital that executives know what to look for that would indicate such an attack.
“This begins with security awareness training and conducting phishing simulation training,” Siciliano says. “Any third-party apps revolving around encryption and isolating email communications is a must.”
Another way to address these threats is to have executive assistants screen emails for indicators of phishing, to remove the burden the executives themselves, Taule says.
In general, it’s a good idea for executives to be vigilant in how they handle email. “A big set of scams is now the ‘CEO phishing,’ when an adversary sends out email pretending to be the CEO working on a clandestine deal, needing assistance,” says Andrew Ellis, CSO at Akamai Technologies, a provider of content delivery network services.
“The more that your normal mail looks like this, the easier it is for adversaries to get your company to behave inappropriately,” Ellis says. “Modern email clients can make it hard to tell when a message comes from outside the organization, but not all do. Consider advising your company to tag, or change colors, of all messages from outside the company.”
5. Create and enforce rules for executive travel
Most executives are on the road quite a bit, for industry events, speaking engagements, or visits to clients. This puts them at risk, especially if the travel plans are well known ahead of time.
It’s important to have in place and enforce policies about what is and is not permitted during travel. This might include not allowing key executives to travel together at the same time and via the same mode of transportation, Taule says.
The travel policy should cover the use of mobile devices on the road. For example, executives should not be allowed to take their main work laptop computer on a business trip, but instead use a loaner device that does not have any sensitive data stored.