I have no qualms about declaring that cybercrime is one of the greatest and most complex threats facing American businesses today. The total cost of cybercrime increased 24% in 2016 alone. Like handshaking confidence men, cybercriminals have an impressive repertoire of schemes and marks.
Executives, in particular, have a growing target on their backs. Their high network and data access make them intrinsically attractive to criminals. They often travel alone. They carry devices with sensitive corporate information. They stay at hotels and connect to questionably secure Wi-Fi networks.
Many scams target executives abroad. One of the newest and most successful cons I’ve heard about is called ‘Whaling.’
Here’s the typical way it goes. Cybercriminals first perform deep research on their chosen executive, looking for characteristics and travel schedules. Then they wait until the executive leaves. As soon as they know, they impersonate the executive and contact other employees to request urgent wire transfers.
Tragically, businesses fall for it. According to the FBI, such whaling attacks have cost U.S. organizations over $2.3 billion, with the number of scams rising 270% in 2016 alone.
But whaling is just the latest star. There are also classics—scams like device theft, phishing, router infection, and the timeless face-to- face swindle.
So how can you protect your executives?
First, I would advise that you analyze the risk. Which individuals have the greatest access in the network? Which executives are critically important to your firm? Is there a history of attacks targeting them? What kinds of attacks are they most vulnerable to? Where and when are they most likely to be targeted?
Most large enterprises already have executive security programs in place. Yet in many cases, these programs aren’t too popular with executives. I can understand their resistance (who would welcome invasive protocols for how they pack and travel?). However, I also grasp the enormous stakes in play whenever an executive travels through foreign countries. It is extremely fortunate, then, that executives nationwide are also realizing the importance of personal security.
Xledger IT manager Jan-Terje Normann stresses that security must begin at the top, with executives and the C-Suite. He advises that firms take the following steps when configuring executive devices:
- Install Bitlocker to encrypt the hard drive
- Install Applocker to control which applications users can run
- Install Credential Guard to protect user credentials
- Install IPSec to prevent connections from non-authenticated devices. IPSec will make it safer to go online in airports and other public spaces
- Consider using smart card authentication for added security
- Keep the device updated
- Remove admin rights.
Of these steps, Normann says that the most important is to remove admin rights. Without admin status, executives have no choice but to comply with security measures, even when inconvenient. In one sweep, you can eliminate many known vulnerabilities. You won’t have to worry about unapproved software or insecure update sources.
Yet traveling brings threats you can’t address by removing admin rights. A traveling executive is only a secure as their habits. Executives must exercise special caution while traveling, especially through regions such as Asia, the Middle East, and Eastern Europe.
The following list (for which I am heavily indebted to an excellent article in Security Magazine) includes steps executives can take before, during, and after travel.
Before you travel:
- Take only the data that you need. If you won’t use it on the trip, leave it at home.
- If at all possible, avoid bringing your personal device. See if you can borrow a company-owned device, one that has never connected to the corporate network and carries as few work files as possible
- Back up data and devices before departure.
- Ensure that your laptop and mobile devices have the latest data protection software. Update your operating system and anti-virus software. Install all available security patches. Consider encrypting your smartphone and installing disk encryption on your laptop.
- Use strong passwords. Change passwords on all devices, setting a different password for each. If you can, set your device to wipe all data after a certain number of failed login attempts.
- Ensure that you have a secure way to access remote data such as a VPN or secure remote desktop. Store data on an encrypted thumb drive. If traveling to countries like China, you may need to create a VPN before departure. An SSL VPN termination point will help you get unfettered internet access in restricted nations.
- Thoroughly research the laws and criminal trends of your destination country.
- Inform your financial institutions and the proper authorities of your travel plans.
While travelling:
- Always lock your devices when not using them.
- Use a trusted VPN connection. In the worst case scenario, use nothing less secure than HTTPS.
- Do not loan your devices, leave them unattended, or attach unknown devices (thumb drives) to them.
- Disable Wi-Fi and Bluetooth. Keep devices in airplane mode when not in use.
- Avoid public computers and unsecured Wi-Fi networks. Never use them for sensitive activities like banking or shopping. In most cases, a mobile network will be safer than public Wi-Fi.
- If you plan to transmit sensitive content via email or phone, consider using free apps such as Redphone or Wickr for encryption.
- Be prepared to comply with the destination country’s privacy laws. In some countries, customs officials will require you to decrypt data at entry and exit points. Surveillance and recording may be routine.
After you return home:
Upon return, it is incredibly important that you do not connect to your secure network before reviewing and testing everything—all devices, media and drives—for malware or unauthorized access. I’d strongly suggest doing so through a full forensic analysis of each device.
Bill Thirsk, vice president and CIO at Marist College, declares that security “can only be achieved when senior management is convinced that personal and operational cyber defense must be discussed at length with seriousness and intent to change behavior.”
Organizations need to maintain technological controls. For example, mail servers should make it mandatory for smartphones to have enabled encryption and password lock in order to access corporate e-mail.
Executives might grouse about it. But I think that they will come around, especially when you communicate what’s at stake.
Because when it comes to cybersecurity, the most powerful are also the most vulnerable.