The hacker-prone C-Suite: Why executives tend to get the short straw when it comes to cyber risk

By Darran Rolls, Chief Technology Officer and Chief Information Security Officer, SailPoint

A company’s executives inevitably undertake a number of important leadership activities, making them both visible and accessible. As the faces of the business, they often attend speaking events, give interviews to the media and travel the world as key representatives. However, this level of exposure also makes them (as well as the board) easy targets for hackers – and as technology advances, so does the threat landscape.

Why do executives tend to get the short straw when it comes to cyber risk? The necessary visibility in their positions coupled with their inherent access to business-critical information creates a powerful combination, and one that hackers seek out when they’re looking for an entry point into an organisation. This is why the hacker-prone C-Suite need to understand their points of vulnerability.

These are some of the main reasons executives tend to fall into a ‘high risk’ category for attacks.

Social engineering and phishing – As visibility on social media becomes more and more important not only for the business, but specifically for its leaders, an online footprint is a job requirement for most executives today. But for every interview they give, or personal detail they share on social media or in the press, hackers are able to gain more information about them – information that is a key ingredient for social engineering and phishing attempts. Information is power here, and the information needed to make these attacks effective comes from the trail of hundreds of tiny details we leave behind on the Internet every day.

Gatekeepers – It’s common for executives, who are busy juggling multiple priorities, to receive help from an administrative assistant in the form of email and calendar sharing. While this assistance can relieve the burdens of time management and the ever-growing inbox, it also leaves the door open for uninvited guests. When executives aren’t solely responsible for their email accounts, there’s an added layer of vulnerability that can easily be exploited by attackers through social engineering, phishing, spear-phishing, malware and other forms of attack.

Multiple devices – With the proliferation of the mobile workforce, the average executive spends time on a range of different devices, and not all of these devices are under IT’s control. They are conducting business on phones, tablets, laptops and other mobile devices, whether they’re travelling or just taking lunch meetings. It’s increasingly difficult to ensure all devices used by an executive are implementing the same security measures.

Network headaches – Along with these multiple devices, executives are regularly logging on to remote networks, whether at home or on the road. Because they are highly valued contributors, the security policies around them and the number of networks they can use are often dangerously liberal. When your CEO needs to submit sensitive data for a board meeting, it’s entirely possible that they are doing so on a mobile device across an unsecured network – maybe on an airplane or standing in line for their morning coffee.

It’s fair to assume they’re not checking Wi-Fi source data and network digital certificate events as they arise. And it’s not just outside networks. This extends to the home network too. Without careful configuration and management, a home network can provide the perfect attack vector. With kids and family running unmanaged devices on the same home network segment, all of the careful corporate protection in the world is just a short ping away.

These are just some of the reasons that the C-Suite tend to inherit a higher risk profile than the average employee. While it may seem that I’ve painted a bleak picture here, rest assured, there is hope. Familiarising yourself with some of these areas of vulnerability is the first step executives can take to understand when and where to have their defences up. Through some common-sense solutions, the C-Suite can be armed with best practices for staying out of a hacker’s reach.
