iWeb Blog

At iWeb, we help manage your IT infrastructure so you can focus on growing your business. And that's why we publish articles here that we think will be of interest to founders, executives, IT professionals...and anyone interested in building successful businesses.

The consequences of skimping on website security services are widely understood. Businesses should give as much attention to executive cybersecurity. After all, the consequences of a whaling attack can be devastating.

Cybersecurity Practices for Executives

April 25, 2019

Imagine this for a second. You’re the CEO of a mid-sized, well-respected charity. You get a phone call from accounting: “Are you really sure you want to approve this $20,000 transfer? That’s a lot of money, and this is the first time I’m seeing this invoice.”

$20,000 invoice? What are they talking about? You haven’t heard of any invoice.

“I’m looking at an email from you saying that you approve this invoice . . .”

Here’s what happened. Cyberattackers spoofed your email address and sent a credible-seeming email and invoice to your accounting department – the only thing that stopped it was a skeptical accountant who decided to call to double-check. You were nearly the victim of a whaling attack.

Most CEOs and other C-suite executives understand that if their business is subject to a massive and successful cyberattack, it can be career-ending. What is less understood is that attacks targeting the C-suite are on the rise. Cybersecurity is vital for any business and any employee, but the bigger the target, the more important cybersecurity has become, and the C-suite has the biggest targets.

Beware of CEO Phishing / Whaling Attacks

A whaling attack is a specialized form of spear phishing. By targeting executives, attackers hope to gain a big payout or important data.

Executives need training to correctly identify phishing attempts and should be extra careful of emails requesting sensitive information or prompts for credentials. Similarly, other employees need to exercise particular diligence when they get communications from the C-suite. For example, it isn’t uncommon for attackers to spoof a CEO’s email address and send an email to an employee asking for sensitive documents “for a confidential project.”

Use Loaner Devices

Laptops and smartphones can contain reams of important company information, not to mention things like login credentials. Depending on the level of the executive and the nature of their business travel, it may be safest to set them up with loaner devices for some trips. It isn’t difficult, for example, for the customs agency of a less-than-friendly country to clone a phone to engage in a little corporate espionage. However, a more realistic and common cybersecurity concern is a lost, misplaced, or stolen device. Stolen devices result indata breaches all the time.

Avoid Free Wi-Fi

Free Wi-Fi, which is frequently poorly secured, is an excellent spot to launch a man-in-the-middle attack. This is an easy risk to avoid. Executives who need Wi-Fi while travelling should receive unlimited data plans and simply tether their phone. Free Wi-Fi is just too good an opportunity for a malicious actor to snoop the traffic of a less-than-security-conscious executive.

Stick to a Policy on Personal Devices

Does your company have a bring-your-own-device (BYOD) policy? Or does it issue devices to employees? Or does it depend on the employee?

Because of the sensitive nature of their jobs, C-suite executives may need a policy specific to them. More importantly, it should be more, not less, strict than the policy for junior employees.

Upgrade Home Security

What executive doesn’t take work home with them? At a minimum, executives need training on how to properly set up their home networks. For larger companies, executives who do a lot of work from home, or businesses with especially sensitive information, more may be needed. A security consultant could set up the home network, or the executive could be required to connect to a secondary home network.

Lock Down Social Media

Social media can be another vector for a phishing attack, or it can provide potential attackers with the information they need to launch a credible phishing attack. Executives need to ensure that their social media privacy settings are set to maximum. Further, they should periodically review their friends and contacts lists.

Set Up Policies for Sharing Information and Approving Spending

If an executive emails an employee for a sensitive document, should there be a policy in place to confirm that the request is real? Should there be a confirmation call after an email? Who gets to approve spending? And how can you ensure that the approval is real? Is an email good enough, or does there need to be something more when the spending request exceeds a specific amount?

Obviously, company size and structure, among other factors, will dictate the nature of these policies. However, given the damage a whaling attack can do, these policies are necessary.

The Takeaway

The consequences of skimping on website security services, not preparing for DDoS attacks, or ignoring other common security gaps are widely understood. Businesses should give as much attention to executive cybersecurity. After all, the consequences of a whaling attack can be devastating.

Categories

Recent Posts

Montreal, CANADA Montreal city at sunrise. Amazing view from Mont-Royal with colorful blue buildings. Stunning panorama of Montreal downtown skyline in the fall morning.
Why We Love Montreal
March 28, 2019
Code on device
Founders’ Reading List: 5 Security Gaps in Startups
February 20, 2019
Unicorn Swim Tube
Full Stack Developers: Unicorn? Or Reality?
February 7, 2019
cybercrime-hacking-and-techno-241244080
How to Prepare for a Distributed Denial-of-Service (DDoS) Attack
January 17, 2019
With fewer servers to maintain, virtualization offers savings not only on hardware but also on maintenance. Consolidating your workloads will reduce your costs. It’s the most efficient way to deploy resources, and that efficiency translates into lower operating costs.
Introduction to Virtualization
December 19, 2018
Distributed denial-of-service attacks involve a whole family of methods and techniques. The complexity of the attack dictates the complexity of the response.
Understanding Distributed Denial-of-Service Attacks
November 15, 2018
How Does a Dedicated Server Work?
How Does a Dedicated Server Work?
October 29, 2018
Managed web hosting is very different from its closest relative, dedicated web hosting. If you need a mission-critical server, don’t have the in-house expertise to manage it, or can’t spare the capacity, then managed web hosting is worth the price tag.
Understanding Managed Web Hosting
October 2, 2018