Preparing the hacker-prone C-Suite for attack

By Darran Rolls, Chief Technology Officer and Chief Information Security Officer, SailPoint

The visibility and accessibility inherent in the role of an executive make them a prime target for cyberattacks. It’s important for the C-Suite to be aware of their vulnerabilities and how they can combat these in their daily work. So how can executives prepare for a cyberattack, while also protecting and maintaining the goals of their company? With so much at stake, it’s vital that executives start to take this consideration seriously.

Here are some of the practices the C-Suite can employ to prepare.

Assume human failure – The best starting point for this discussion is to just assume the C-suite is under attack and assume they will be compromised. Assume executives (and all employees for that matter) are going to make mistakes, and these mistakes will lead to vulnerability. With the breakneck pace of business and the many demands of being an executive in today’s digital world, it’s easy to open a malicious email attachment or set down your smartphone in an airport lounge, leaving your organisation exposed. We’re all human after all, and humans make mistakes.

If you can’t trust the network, don’t connect to it – All people who are highly exposed, especially executives with access to sensitive business data, should use trusted network connectivity at all times. If you have to connect to an untrusted network, say the free airport Wi-Fi or local Starbucks network, always use a VPN to tunnel your traffic to somewhere you can trust.

Manage your home network – Untrusted networks at home are not only a personal problem, they’re a company problem too. If executives have weak, unmanaged home networks, they are back to square one. Home networks hosting weak IoT devices, or a router with out-of-date firmware and default passwords, are just as dangerous as the worst public Wi-Fi. Again, start assuming compromise, expect attack and take precautions.

Use smart multifactor authentication – It’s imperative to have smart multifactor authentication in place for key apps and services. Knowledge-based authentication (“please confirm your mother’s maiden name…”) is not a viable solution in today’s digital world. A quick Internet search can determine a visible executive’s high school mascot, mother’s maiden name or favourite pet’s name. There are lots of options for multifactor authentication that go beyond basic personal knowledge. Use them.

Practice least privilege – Often companies expect that their executives should be given all the access they could ever need. However, when we assume compromise, we must also consider least privilege. Don’t give people access unless they actively use it. For key systems, think fine-grained access, with self-service access request and automated provisioning and de-provisioning. Give the right people the right access at the right time, and then take it away when they no longer need it. This should be the policy from the top-down.

Physical security goes beyond a name badge – When you say, “physical security”, most people think locked doors, name badges and tailgating. But physical security goes a lot further than that and includes the space around us and who can see the screens of executives. We’ve all been on a flight and looked over a shoulder or into the seat next door and seen something on the laptop. Providing privacy screens for executives is cheap and easy. It helps to remind everyone that information leakage can be via line-of-sight as well as a line of bad code.

Education and awareness – Executives are the allowable exceptions to so many business rules, but security education and awareness shouldn’t be one of them. They are busy and often miss out on security training because of this. While IT may shut off an employee’s network access when they haven’t completed their security training, this is generally not so for the CEO. However, it’s imperative that executives understand the risks and the mitigations we all need to keep top of mind.

As a high-risk employee category, the C-Suite need to be more aware of their cyber vulnerabilities and behaviour than any other employee. At the end of the day, security is like any other business initiative and its success is dependent on support from the top down. An organisation’s executives should be the primary security evangelists for the company, showing all employees that they too are willing to make the right trade-off between convenience and control for the good of the company and its information security.