2023-12-11. Security Strategist and Vice President of User Experience, networkix. Visionary and technology evangelist in the cyber security sector.

Social engineering attacks have increased since 2022, and the average amount stolen from these incidents has reached $50,000, up from $30,000 in 2018. While IT and security teams are doing their best to minimize the risk of a successful attack, they may be overlooking one important group: the C-suite.

Given their high-profile status, these executives are attractive targets for cyber adversaries, particularly in social engineering scams. Let’s talk about how big bosses can help secure the organizations they manage and what IT leadership should reevaluate when delegating privileges to the C-suite.

Why C-Suite Access Privileges Can Be Leveraged

Hackers and cybercriminals are highly adept at exploiting human psychology, behavior, and social interactions to compromise security. When it comes to attacks involving executives, they often rely on these three pillars of corporate behavior:

• Many people are obliged to trust and obey authority figures such as CEOs or managers.

• Most employees want to appear productive, especially when it comes to helping the boss.

• Senior executives are often considered too busy to be bothered, even if a request appears questionable.

These professional norms may lead well-intentioned employees to ignore established protocols. Consider a seemingly harmless request from a CEO at the help desk asking for administrator rights to install an application. Would the technician dare to reject it? What if an employee receives an email requesting a financial transaction? Such small incidents open the door to complacency, and complacency opens the door to risk.

Several years ago, Chinese hackers copied the email address of the new CEO of a major global corporation and asked a member of the finance team to transfer $3 million to a specific account. Of course, the employee wanted to make a good impression and authorized the transfer, unknowingly sending it all to the scammers.

C-Suite Self-Assessment

C-suite executives must understand how their inherent authority can be used in social engineering attacks. The first step is to openly participate in any internal cybersecurity training. Leading an entire team by example is a powerful way to coach an organization. For example, if a CEO becomes the victim of a simulated phishing test, it is important that they acknowledge it and undergo the necessary corrective training, just like any other team member.

Additionally, the CEO should engage in regular, constructive conversations about cybersecurity with the CISO. These discussions can range from formal briefings to casual coffee chats – whatever format best ensures that cybersecurity remains at the forefront of leadership conversations. What is important is that cybersecurity becomes a prominent topic in all C-suite discussions.

Last but not least, C-level leaders should advocate for confirming suspicious events and unusual requests over alternative channels outside the corporate network. If such out-of-band verification protocols come only from the IT department, employees may still feel reluctant to bother the boss. Therefore, the CEO personally should encourage open communication and the double-checking of suspicious requests that allegedly come from a C-level executive.

Lock up the C-Suite

First things first: To secure your organization’s C-suite, start by implementing basic security measures. All executive accounts must be secured using multifactor authentication (MFA). Avoid relying on SMS, as it can be compromised more easily than other options.

Second, a thorough audit is important to determine what access privileges the CEO and other executive officers currently have. Given the unpredictable demands on their time, senior executives may be granted access to key systems outside predefined time windows. However, this added flexibility comes with risks.

Any access senior executives have to new products or proprietary information should be on a temporary basis to eliminate the possibility of long-term vulnerabilities. It is also important to implement robust monitoring, logging, and alerts to monitor such access and ensure it is used lawfully.

Third, the least privilege approach should apply to senior executives as well. For example, C-level executives are more concerned with overall sales trends than with the details of each deal, so they usually have no need for write or modify permissions on the CRM or other critical databases. Would aggregate analysis in Tableau or Power BI suffice instead? Grant only the privileges actually needed in order to minimize risk.

Fourth, regular access reviews can further reduce the attack surface associated with C-level accounts. Let’s say the CEO has access to the product code base. How did that happen? Usually because years ago, when the company was still a startup, each position carried more responsibilities, and the current CEO may have written code. Today this access is clearly outdated, but the security team may find it awkward to ask whether it can be removed. CEOs should make it clear that they welcome such reviews because they prioritize cybersecurity.
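The four measures above, as an added example that is not from the article: a small Python access-review script run over a constructed entitlement export, flagging SMS-only MFA, write access to critical systems, standing (non-expiring) access to key systems, and entitlements unused for more than 180 days. The field names, the list of critical systems and the thresholds are assumptions, not anything the article specifies.

```python
"""Access-review helper for executive accounts (added example, not from the article).

Assumes an entitlement export as a list of dicts with the fields shown in SAMPLE
(constructed data); the system list and thresholds are illustrative policy choices.
"""
from datetime import date, timedelta

CRITICAL_SYSTEMS = {"crm", "finance", "source-code"}   # assumed inventory of key systems
STALE_AFTER = timedelta(days=180)                      # assumed review threshold
WEAK_MFA = {"sms", "none"}                             # article: avoid SMS-based MFA
REVIEW_DATE = date(2023, 12, 11)                       # constructed review date

# Constructed sample export: one row per executive account / system entitlement.
SAMPLE = [
    {"user": "ceo", "system": "crm", "perm": "write", "expires": None,
     "last_used": "2023-01-15", "mfa": "sms"},
    {"user": "ceo", "system": "source-code", "perm": "write", "expires": None,
     "last_used": "2019-06-02", "mfa": "sms"},
    {"user": "cfo", "system": "finance", "perm": "read", "expires": "2024-01-31",
     "last_used": "2023-12-01", "mfa": "app"},
]

def review_entitlement(row, today):
    """Return the list of policy findings for one entitlement row."""
    findings = []
    if row["mfa"] in WEAK_MFA:
        findings.append("weak-mfa")           # MFA required, SMS is too weak
    if row["system"] in CRITICAL_SYSTEMS and row["perm"] != "read":
        findings.append("write-on-critical")  # least privilege: read/aggregate view suffices
    if row["system"] in CRITICAL_SYSTEMS and row["expires"] is None:
        findings.append("standing-access")    # access to key systems should be temporary
    if today - date.fromisoformat(row["last_used"]) > STALE_AFTER:
        findings.append("stale")              # unused access is a removal candidate
    return findings

def review_all(rows, today):
    """Map 'user/system' -> findings for every row with at least one finding."""
    report = {}
    for row in rows:
        findings = review_entitlement(row, today)
        if findings:
            report[f"{row['user']}/{row['system']}"] = findings
    return report

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE, REVIEW_DATE).items():
        print(key, ", ".join(findings))
```

The report is meant as the input to the conversation with the executive, so each finding names the measure it traces back to rather than just failing the account.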

Conclusion

Privilege creates insecurity. Most employees want to do the right thing, and experienced threat actors are eager to exploit this human trait in social engineering attacks. Open communication between the CIO and CISO about this issue is essential to mitigating risk, as is a strong willingness on the part of the CEO and his executive team to lead initiatives to improve the security culture of his organization.

After all, the safest form of leadership comes from turning executive power into a symbol of security—rather than letting it become a backdoor to compromise.

