[BreachExchange] Five things you need to know about executive protection

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 11 14:20:49 EDT 2017


http://www.csoonline.com/article/2112401/business-continuity/infosec-staffing-the-six-things-you-need-to-know-about-executive-protection.html

Protecting executives today is about much more than physically shielding
them from danger. The cyber security risks are higher than ever, and
organizations need to ensure that the network and data access many
high-level executives have doesn’t become an easy entry point for attackers.

CSOs and CISOs need to make executive protection a high priority for the
organization. Here are five fundamentals that security leaders should keep
in mind.

1. Conduct a risk analysis

The first step CSOs and CISOs need to take is to conduct a comprehensive
risk analysis. This includes identifying those individuals in the
organization who are critical to the business and likely targets, and
assessing the impact to the organization if they are the victims of attacks.

Some questions to ask as part of the analysis: Has there been a history of
threats against any of these executives? Do they travel regularly to
dangerous places? To what kinds of attacks are they most vulnerable?

Once you’ve determined which individuals need protection, learn about their
public and private lifestyles—to the extent that it makes sense and can
help reduce the risk factor. This step requires the executive's full
cooperation, because you will need to know all about the work and home life
of the individual. Look into how easy it is for someone to get information
on the executive and his or her family.

Based on what you learn about executives, you can get a clearer picture of
what kinds of risks you're facing and what security measures you'll need to
take. It's important to keep in mind that risks are ever-changing, so you
need to establish a baseline level of security for executives that can be
increased as needed.

“Risk analysis should start off with their home life, where they live, the
current crime climate in the area, whether or not they have a home security
system,” says Robert Siciliano, a security consultant and identity theft
expert. “A large factor here is determining the individual’s ‘significance’
and whether or not they are considered a high-value target.”

2. Make a strong case for protection, even if executives resist

Some executives will no doubt be unhappy about having their work and
personal life under scrutiny, but that’s part of the price of achieving
success in business and having lots of responsibility. To make this less of
an ordeal for everyone involved, CSOs and CISOs need to demonstrate to
executives why security is so important. One way to do this is to have
executives pay attention to what they see when they do simple Google
searches of their names.

“Periodic ego searches demonstrate to them that they are a target,” says
Jason Taule, CSO at FEI Systems, a provider of health-related technology.
Once they’ve done this they can see how a hacker could easily find out all
kinds of information about the executive, and launch an attack by
leveraging that knowledge.

Another way to demonstrate to executives how much of a target they are is
to have them look in their email spam filters to see how many phishing
emails have been sent to them, Taule says. Fortunately, these emails didn’t
reach the inbox and trigger an attack, but the sheer volume of these
attempts should get the point across.

The best and most effective way to make the case for security is to put on
a challenge, Siciliano says. “Most people, especially Americans, think ‘it
can't happen to me’, which is a societal norm based on myths that these
things only happen to other people in other places,” he says. “Essentially
challenging that executive to determine his or her vulnerabilities and
showing just how vulnerable that person is, in both their physical and
virtual environment, will get their attention.”

3. Ensure that executives’ personal and work devices are secure

Many business operations and interactions today take place via mobile
devices, and a lot of executives are likely to be using the same devices
for work and personal reasons. It’s ideal if they use different devices,
such as smartphones, for work and home, but executives often won’t accept
this, Taule says. You might want to consider pushing for a company policy
dictating how many and which devices executives can have for work and how
they can be used.

In any case, it’s imperative that any devices executives use for business
be highly secure and have the latest protections. All sensitive data should
be encrypted and the devices should be protected via an enterprise mobility
management (EMM) platform.

Part of ensuring the security of mobile devices includes evaluating not
just the devices used by the executives, but those of their immediate
family members within the household as well, Siciliano says. That means
determining whether each of the devices has password protection, updated
operating systems, updated antivirus software, and so on.

“It's important to keep in mind what devices are ‘shared,’ meaning if a
child is sharing the same device as the executive and what kind of trouble
the child may get the executive in,” Siciliano says.

4. Educate executives about attacks such as phishing

Business executives are among the biggest targets of phishing and whaling
attacks, in large part because they have such a high level of access to
important data. It’s vital that executives know what to look for that would
indicate such an attack.

“This begins with security awareness training and conducting phishing
simulation training,” Siciliano says. “Any third-party apps revolving
around encryption and isolating email communications is a must.”

Another way to address these threats is to have executive assistants screen
emails for indicators of phishing, to remove the burden from the executives
themselves, Taule says.

In general, it’s a good idea for executives to be vigilant in how they
handle email. “A big set of scams is now the ‘CEO phishing,’ when an
adversary sends out email pretending to be the CEO working on a clandestine
deal, needing assistance,” says Andrew Ellis, CSO at Akamai Technologies, a
provider of content delivery network services.

“The more that your normal mail looks like this, the easier it is for
adversaries to get your company to behave inappropriately,” Ellis says.
“Modern email clients can make it hard to tell when a message comes from
outside the organization, but not all do. Consider advising your company to
tag, or change colors, of all messages from outside the company.”
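
The tagging control described above, combined with a check for outside senders
who use an executive's display name, as an added example that is not part of
the original article. The domain, executive names, header name and sample
messages are constructed assumptions, and the code assumes the mail gateway
already rejects unauthenticated mail that claims an internal From domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): company domain, protected names, header name.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe", "sam lee"}
TAG = "[EXTERNAL]"
VERDICT_HEADER = "X-Origin-Check"  # hypothetical header for the mail client

def sender_identity(msg):
    """Return (display name, domain) from the From header, normalised."""
    name, addr = parseaddr(msg.get("From", ""))
    return " ".join(name.lower().split()), addr.rpartition("@")[2].lower()

def tag_message(raw):
    """Tag external mail; flag external senders using an executive's name.

    Assumes the mail gateway has already rejected unauthenticated mail that
    claims an internal From domain, since the From header alone is forgeable.
    """
    msg = message_from_string(raw)
    del msg[VERDICT_HEADER]  # never trust a verdict supplied by the sender
    name, domain = sender_identity(msg)
    if domain in INTERNAL_DOMAINS:
        verdict = "internal"
    else:
        verdict = "external-exec-name" if name in EXECUTIVES else "external"
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
    msg[VERDICT_HEADER] = verdict
    return msg, verdict

# Constructed sample messages, not real mail.
SAMPLES = {
    "internal": "From: Sam Lee <sam.lee@example.com>\n"
                "Subject: Q3 board deck\n\nDraft attached.\n",
    "lookalike": 'From: "Jane Doe" <jane.doe@ceo-office.example>\n'
                 "Subject: Confidential deal, need help today\n"
                 "X-Origin-Check: internal\n\nKeep this between us.\n",
    "vendor": "From: Billing <billing@vendor.test>\n"
              "Subject: Invoice 1042\n\nSee attached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        tagged, verdict = tag_message(raw)
        print(f"{label:10} {verdict:20} {tagged['Subject']}")
```
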

5. Create and enforce rules for executive travel

Most executives are on the road quite a bit, for industry events, speaking
engagements, or visits to clients. This puts them at risk, especially if
the travel plans are well known ahead of time.

It’s important to have in place and enforce policies about what is and is
not permitted during travel. This might include not allowing key executives
to travel together at the same time and via the same mode of
transportation, Taule says.

The travel policy should cover the use of mobile devices on the road. For
example, executives should not be allowed to take their main work laptop
computer on a business trip, but instead use a loaner device that does not
have any sensitive data stored.