A hack attack on a chief executive officer can be a very lucrative enterprise. Experts say that’s because CEOs’ access to high-level information might be the keys to their corporate kingdoms.
“If someone is out there trying to plan a cyberattack, they’ll try to hack into [a CEO’s] e-mail or his laptop remotely because they know he’s going to be the holder of the most sensitive information,” said Jeremy Ames, president of Gaucho Group, an HR technology consultancy based in Massachusetts.
Incidents of cyberhacking are increasing. As the Los Angeles Times reported during the spring of 2013, “the nation’s top intelligence officials warned in a Senate hearing that cyberattacks and digital spying have eclipsed terrorism as the top threat to national security.”
Furthermore, in a nationwide study of 265 C-level executives—44 of whom were CEOs—51 percent said their company experiences cyberattacks daily or hourly. The study, The Business Case for Data Protection by Michigan-based data security consultancy the Ponemon Institute, was conducted in 2012.
Educate Executives to Reduce Potential Threats
Experts say the best defense against such activity is education, especially for senior executives. “The message that the HR team can deliver to the CEO [is to remind] him that he’s going to be a target of an attack and he needs to be even more diligent than everyone else,” said Ames, founder of #HRISChat on Twitter and a board member of the International Association for Human Resource Information Management (IHRIM).
Tom Eston, manager of profiling and penetration for Ohio-based information security management consulting firm SecureState, says CEOs should recognize that if their “most valuable information is what’s sitting on [their] desk or what’s in [their] e-mail … if any of that information is compromised, it could put them personally at a loss and hurt the reputation of the company.” It’s critical that they “know how to better protect that information if a dedicated hacker is going after” them, he added.
First and foremost, executives need to be made aware of new types of attacks. The most popular one is spear phishing: spoofed e-mails or text messages that are designed to get a person to click on a link, enter a site or enter information. Embedding links in news feeds within social media or Twitter messages is another way a hacker can fool a CEO into revealing corporate secrets.
“In a lot of attacks, these people will pretend to be friends and family members—people [the CEOs] know and trust—in order to get them to click a link or visit a site, which compromises their computers. Those are the most popular attack vectors,” Eston said, adding, “We’ve even had cases where people pose as other employees to physically gain access to a building or facility.”
There are other basic things companies can do to help prevent these attacks, including:
Making sure strong, varied passwords are used and changed often.
Being aware of the tactics of cyberthieves.
Using a virtual private network to connect to the Internet.
Not allowing children or family members to access and download items from untrusted sites on corporate-owned devices.
Not disclosing too much information on social networking sites.
“The biggest thing is to make sure the bulk of the work the CEO does is done within the firewalls of the company,” Ames added.
If the idea of telling the CEO he or she needs to be more careful while online seems daunting, start the discussion by reviewing existing company guidelines.
Ideally the HR team has an IT policy to refer to when beginning the conversation about the importance of following the rules. Instead of a “you vs. me scenario,” Ames said, “ideally what [HR] would do is go into that conversation armed with some basic excerpts from their company’s IT policies as it relates to data security.”
CEOs should be aware that what they post online goes a long way, Eston said, “so if they have a Facebook or a Twitter account, they shouldn’t post the location of everywhere they’re going because people can get their routine. It leaves a lot of avenues to be attacked,” he said. Everyone should be mindful of the people they’re sharing information with, too, because “the people they trust could be out there to attack them,” he said, adding that the most popular attacks come from “friends who can get access to their information.”
Aliah D. Wright is an online editor/manager for SHRM and the author of A Necessary Evil: Managing Employee Activity on Facebook, Twitter, LinkedIn … and the Hundreds of Other Social Media Sites (SHRM, 2013).