It’s no news that it has become increasingly important for companies to protect themselves against cyber-attacks during the past few years. Going the extra mile with security is now the bare minimum.
When we talk about CEO hacking, what comes to your mind?
- Someone impersonating the CEO of a company tricks an employee into sending money or data (the usual modus operandi)
- Your company’s CEO is being directly attacked by hackers.
There is a lot of confusion on what CEO hacking means. So, to be on the safe side and in case you were looking for a particular answer between the two, we’ll cover both.
What is CEO hacking fraud?
In its most common definition, it’s usually an email attack in which the perpetrators impersonate your company’s CEO. More than likely they will try to extract money from you or your company, claiming that it’s urgently needed for the CEO to conduct business.
Other types of attacks might ask you for confidential information about the company, or to reveal personal details about you or your staff. By disguising the situation as urgent, the attacker minimizes the chances of the reader going into too many details, or asking too many questions.
We must pay special attention to this type of attack.
Not long ago, attackers would use the CEO's exact display name but send from a slightly different address on a domain they control. Changing a single character of the domain can make it look close enough.
As an example, if the CEO's address is ceo@example.com, an attacker might register a look-alike domain and send from ceo@exarnple.com ("rn" in place of "m"). If you're not looking closely, that slight change can go unnoticed, making you think the message is legit.
Easy to solve, right? Create awareness for employees to look into the email address in detail, block domains that have attempted to attack you, and problem solved. If only life were so easy.
Lately, attackers are spoofing both the exact name and the exact e-mail address: the From header simply says ceo@example.com, spelled correctly, even though the message never came from your mail servers. We can now easily see why it's more important than ever to have extra security measures in place.
Things that you can do to make sure you don’t fall for spoofed email attacks:
- Set up an SPF record for your domain: SPF (Sender Policy Framework) is a DNS TXT record listing which hosts are authorized to send mail on behalf of your domain. SPF does not stop anything from being sent; it is the receiving server that looks up the record and fails messages whose envelope sender uses your domain but arrives from a host you did not list. Note that SPF checks the envelope (bounce) address, not the From header the reader sees, which is why it needs DMARC alongside it.
- Set up DMARC: DMARC ties SPF (and DKIM signatures, if you publish them) to the From header: the domain that passed SPF or DKIM has to match the domain in the From header. Your DMARC record tells receiving servers what to do with mail that claims your domain and fails that check (monitor only, quarantine, or reject), and where to send aggregate reports, so you can see who is spoofing you before moving to a reject policy.
- Secure e-mail gateways: A third-party gateway might come with a cost, but it will get you to the next level of security. A gateway constantly scanning inbound mail for malware, spam, phishing and look-alike sender domains can save you hours of work. Time is money!
- User awareness: When all else fails, a bit of common sense is all you need. Educating your employees and helping them identify fake emails even if they are coming from legit addresses is invaluable, and could save you thousands if not millions of dollars.
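To make the look-alike and exact-spoofing cases above concrete, and to show what the SPF and DMARC items actually decide, here is an added example in Python that is not part of the original article. It replaces DNS with a constructed in-memory table, checks a message against SPF, DMARC alignment and policy, and flags look-alike sender domains. All domains, IP addresses, records and messages are hypothetical (example.com is the company, exarnple.com the attacker's look-alike), and DKIM and relaxed alignment are deliberately left out to keep the logic short.

```python
"""Added example (not from the original article): minimal inbound mail screening.
Evaluates SPF, DMARC alignment/policy and look-alike sender domains against a
constructed DNS table so it runs offline. Domains, IPs and records are hypothetical.
Simplifications: only ip4: terms and -all/~all in SPF, strict DMARC alignment, no DKIM."""
import ipaddress
from typing import Optional

# Constructed "DNS" TXT records (not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # The attacker owns exarnple.com and publishes a perfectly valid SPF record for it.
    "exarnple.com": "v=spf1 ip4:198.51.100.7 -all",
}
TRUSTED_DOMAINS = {"example.com"}
# Character sequences that look alike in common fonts (hypothetical, short list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def spf_check(envelope_domain: str, client_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the sending host."""
    record = DNS_TXT.get(envelope_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def dmarc_policy(header_from_domain: str) -> Optional[str]:
    """Return the p= policy ('none', 'quarantine', 'reject') or None if no record."""
    record = DNS_TXT.get("_dmarc." + header_from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p", "none")


def _normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if _normalize(domain) == _normalize(trusted) or _levenshtein(domain, trusted) <= 1:
            return trusted
    return None


def screen(message: dict) -> dict:
    """Evaluate one message given its connecting IP, envelope sender and From header."""
    env_domain = message["mail_from"].rsplit("@", 1)[1].lower()
    from_domain = message["header_from"].rsplit("@", 1)[1].lower()
    spf = spf_check(env_domain, message["client_ip"])
    # DMARC: SPF must pass AND the envelope domain must match the From-header domain.
    aligned = spf == "pass" and env_domain == from_domain
    policy = dmarc_policy(from_domain)
    dmarc = "none" if policy is None else ("pass" if aligned else policy)
    return {"spf": spf, "dmarc": dmarc, "lookalike_of": lookalike_of(from_domain)}


# Constructed messages, not captured traffic.
SAMPLES = {
    "legit":       {"client_ip": "203.0.113.10", "mail_from": "ceo@example.com", "header_from": "ceo@example.com"},
    "exact_spoof": {"client_ip": "198.51.100.7", "mail_from": "ceo@example.com", "header_from": "ceo@example.com"},
    "misaligned":  {"client_ip": "198.51.100.7", "mail_from": "bounce@exarnple.com", "header_from": "ceo@example.com"},
    "lookalike":   {"client_ip": "198.51.100.7", "mail_from": "ceo@exarnple.com", "header_from": "ceo@exarnple.com"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:12} {screen(msg)}")
```

The four constructed messages show the division of labour: the exact spoof fails SPF and is rejected by DMARC; the "misaligned" message passes SPF for the attacker's own envelope domain but is still rejected because it does not align with the From header; the look-alike domain passes both SPF and DMARC (the attacker set its records up correctly), so only the look-alike check, or a trained reader, catches it.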
What if attackers are constantly targeting your company’s CEO directly?
By now we know that we are never 100% safe. And if we assume that something could happen at any time, adopting a top-down strategy is always recommended. Why? It is your executives, after all, who handle the bulk of your company's sensitive information.
The CEO of course, being at the top of that list.
What does it mean to protect your commander in chief, who holds the most valuable information?
A bit more than you would imagine.
CEOs are the prime targets for cyber-criminals, and they know it. 80% of a group of thousands of CEOs interviewed by PwC say they believe cyber threats are the biggest risk to their business, even more so than lack of skills or technological change.
If your CEO is a public or easily identifiable individual, you should avoid general-purpose or one-size-fits-all strategies. It’s important to recognize that higher-up executives have much different risk profiles than their colleagues.
Extra security aspects to have in mind for your CEO:
- Multi-Factor Authentication: If your company has not implemented a general MFA rule (which it should), at the bare minimum your CEO needs to have it activated. Non-negotiable, even if he or she doesn’t like it.
- Social Media Use: Executives' social media accounts are a common entry point: a reused password, or the personal details harvested from public profiles, gives an attacker what they need to take over accounts or craft a convincing spear-phishing message. Have them seriously consider limiting the use of social profiles outside of work, even on personal devices, and never reusing a work password there.
- E-mail Pre-Screening: Having a mail gateway, or even a real person, pre-screen any suspicious e-mail could be more than worth it. CEOs are usually on the run and work at a fast pace. Because of this, a phishing e-mail slipping by them wouldn't be uncommon, but it's highly dangerous.
- Encryption: Make sure their corporate device hard drive, end-to-end messaging applications, and emails are encrypted. Even if they end up in the wrong hands, it shouldn’t cause too much of an issue.
Lots of work is needed to keep the commander in chief protected. They might be the biggest strength of a company, but they could be the biggest weakness just as easily.
Make sure you are prepared.