Go Back
With cybersecurity being the top concern for the C-suite, Senior Intelligence Analyst at Constella Intelligence Kem Gay explains why CEOs need to practice what they preach.

While we continue to rely on remote tools to communicate in today’s virtual workplace, cybersecurity must be a top priority for the C-suite. Encouragingly, cyber seems to be on the radar. When asked how concerned CEOs were on various economic, policy, social, environmental and business threats to their organization’s growth prospects, PwC’s ‘24th Annual Global CEO Survey’ found that CEOs are highly concerned about cyber threats – 14 per cent more so than in 2020.

In fact, cyber threats ranked just under pandemics and health crises as the second biggest concern to growth prospects. Among CEOs in North America and Western Europe, cyber was the top threat due to the digital transformation during the pandemic. However, it’s tough to remain sanguine when data tells us that while CEOs understand the severity of cyber threats, they do not necessarily adhere to best practices.

Unfortunately, Mimecast’s ‘State of Email Security’ report revealed that nearly 40 per cent of IT decision-makers believe that their organization’s CEO is a weak link in their cybersecurity operation. Further, in 2019, 76 per cent of C-level executives surveyed admitted to requesting to bypass one or more of their organization’s security protocols. Expediency at the expense of security is never a good thing. Cybersecurity is an organization-wide responsibility.

Data tells us that while CEOs understand the severity of cyber threats, they do not necessarily adhere to best practices.

Because many CEOs do not practice what they preach, in addition to the valuable data they hold, they make for easy targets. Verizon’s 2019 ‘Data Breach Investigations Report’ stated that C-level executives were 12 times more likely to be the target of social engineering incidents compared to previous years. One can assume that this figure has only risen in the wake of COVID-19.

Cybercriminals may conduct different types of attacks toward executives, so business leaders should be aware of the most common malicious activities on digital systems or networks, including spear phishing attacks, business email compromise, social media impersonations and account takeovers. Threat actors leverage compromised personally identifiable information circulating throughout the deep and dark web – such as names, emails and passwords – to personalize their attacks while targeting corporate executives, board members and other high-ranking officials.

Even on the surface web, through social media or your company’s website, personal information such as your email and phone, job title and responsibilities, and even voter records may be publicly available and can aid in criminals’ efforts.

Nearly 40 per cent of IT decision-makers believe that their organization’s CEO is a weak link in their cybersecurity operation.

Combatting CEO fraud begins with allocating adequate resources and implementing sufficient security protection; however, the human factor in cybersecurity is just as important. Human error accounts for millions upon millions in financial and reputational losses each year. Cybersecurity will always be a complex build of process, technology and people. There will always be that one employee who makes a mistake.

Consider an example such as password re-use. Suppose an executive’s personal email address and password were exposed in a breach last year. In that case, threat actors could then attempt to gain access to a company’s corporate email by simply applying that same password or a similar variation. Another common example is an employee in accounting or HR executing an unauthorized wire transfer due to a scammer spoofing their CEO’s email.

Protecting a company’s executives from cyber attacks begins with cybersecurity training and awareness. This training has benefits that include recognizing the signs of suspicious activity, bolstering confidence in key stakeholders that their data will remain protected, and cost savings in the long run.

How to avoid CEO fraud

In addition to training, there are a handful of other actions to take in order to mitigate cyber threats directed to your executives.

  1. Do not re-use passwords across accounts and, when possible, activate two-factor authentication.
  2. Provide employees with secure, encrypted access to the company’s network with a corporate virtual private network.
  3. Understand an executive’s digital footprint, both in open web sources and underground markets. Review that executive’s digital footprint, understand vulnerabilities and close gaps.
  4. Be extra vigilant about the websites you visit, links you click and attachments you open.
  5. Even if an executive is not active on social media, register an account so that a cybercriminal can’t make a fraudulent account.
  6. Recognize the signs of a phishing attempt: poor grammar, a suspicious sender, urgent call to action to click on a link or attachment, or an unsolicited request for a payload or credentials.

It can be beneficial to identify poor behavior at the early stages to ultimately reduce or mitigate digital risks. Taking the necessary proactive steps today to improve your C-level security defense can go a long way to preventing future incidents, both for yourself and your company.

Back to top