Keeping a business secure means more than just the CEO having antivirus software installed on their PC, and endpoint security software in the business MDM solution to protect their phone. Here Mike Lloyd describes the need for board-level awareness training in cybersecurity.
The cybersecurity industry talks a lot about the importance of “board-level buy-in” for projects and a security-by-design culture led from the “top down”. What does that actually mean? It means CEOs and senior managers who “get” security: leaders who know that security done right can be a competitive differentiator and growth driver, not a block on innovation.
The reality is that most still do not.
But their head-in-the-sand approach is not just bad for CISOs and their projects, it could also be exposing the organisation to unnecessary risk. It's an unfortunate truth that there are still significant gaps in cyber awareness amongst CEOs and understandably serious concerns over their exposure to smart technology threats.
Mike Lloyd is the Chief Technology Officer at Redseal.
A bad example
There are still CEOs in the UK that don’t receive cybersecurity training, and are ultimately exposing their businesses to risk. UK IT pros are often designing cyber-plans for their senior execs, but more often than not those plans are not being followed.
It’s hard enough for regular employees to keep up to date with the latest security advice, let alone time-poor, high-pressure execs. However, it is these individuals who are the most likely to be the biggest targets for hackers looking to hijack their accounts to launch convincing Business Email Compromise (BEC) attacks, or steal sensitive IP and other data.
A recent study amongst CIOs and senior IT pros argued that their CEOs should pay more attention to security in the future, while over one in 10 said their CEO or senior managers’ actions had actually put corporate security at risk.
The smart tech threat
We also uncovered a major blind spot around senior execs: the smart home. With many IT teams admitting they have no idea what smart tech their CEO uses outside the office, there is a very real concern given the increasing frequency of IoT attacks and the sheer number of devices in the modern home.
Devices could be hijacked if hackers can guess or crack the passwords protecting them, or exploit flaws in their firmware. This is highly likely in some cases because many manufacturers don’t require users to set a password and instead ship easy-to-guess factory default credentials.
IoT makers often don’t hail from an IT development background and so may not even have the infrastructure to issue security updates at all. Even those that do may find users ignoring them because they’re too difficult to install.
The infamous Mirai malware, and many of the variants that followed, took advantage of the lack of adequate password protection on devices to automatically scan for those with easy-to-crack credentials before conscripting them into a botnet.
Similar techniques could be used not to launch botnet-powered DDoS and other attacks but to use the IoT endpoint as a stepping-stone into the home and even corporate networks. One 2017 report explained how even vulnerable smart speakers could be hijacked by attackers to infiltrate enterprise systems. Just imagine if your boss’s smart toaster ended up as a conduit for a large scale data breach.
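The behaviour described above has a recognisable footprint on the network: an infected device fans out across many other hosts on the telnet ports in a short burst. The following Python is an added example, not code from the article or from Redseal, showing how an IT team could flag that pattern in connection logs from a home router or corporate firewall. The log line format and the sample lines are constructed for illustration; the window length, target threshold and the `find_scanners` / `parse_line` names are assumptions, not a standard.

```python
"""Flag sources that scan many hosts on telnet ports in a short window,
the fan-out pattern Mirai-style IoT worms leave in connection logs.
Added example; log format and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Telnet ports that Mirai and its variants probed for default logins.
TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<ISO time> <src> -> <dst>:<dport>'."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(port))


def find_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src_ip: distinct_targets} for every source that contacts at
    least `min_targets` distinct hosts on telnet ports inside any `window`.
    A single host hammering one target (e.g. a legitimate admin session)
    does not count: what matters is the breadth of the fan-out."""
    by_src = defaultdict(list)
    for line in lines:
        conn = parse_line(line)
        if conn.dport in TELNET_PORTS:
            by_src[conn.src].append(conn)

    flagged = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        best = 0
        # Slide a window starting at each connection and count distinct
        # destinations reached before the window closes.
        for i, first in enumerate(conns):
            targets = {c.dst for c in conns[i:] if c.ts - first.ts <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


# Constructed sample: 192.0.2.10 fans out to six hosts in six seconds (scanner),
# 192.0.2.20 repeatedly reaches one telnet host (benign), and 192.0.2.30 touches
# two hosts an hour apart (below any sensible threshold). RFC 5737 addresses.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 192.0.2.10 -> 198.51.100.1:23",
    "2024-05-01T10:00:01 192.0.2.10 -> 198.51.100.2:23",
    "2024-05-01T10:00:02 192.0.2.10 -> 198.51.100.3:2323",
    "2024-05-01T10:00:03 192.0.2.10 -> 198.51.100.4:23",
    "2024-05-01T10:00:04 192.0.2.10 -> 198.51.100.5:23",
    "2024-05-01T10:00:05 192.0.2.10 -> 198.51.100.6:2323",
    "2024-05-01T10:00:06 192.0.2.20 -> 203.0.113.7:443",
    "2024-05-01T10:00:07 192.0.2.20 -> 198.51.100.1:23",
    "2024-05-01T10:00:08 192.0.2.20 -> 198.51.100.1:23",
    "2024-05-01T11:00:00 192.0.2.30 -> 198.51.100.1:23",
    "2024-05-01T12:00:00 192.0.2.30 -> 198.51.100.2:23",
]

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct telnet targets in one window")
```

With the defaults only 192.0.2.10 is reported; widening the window or lowering the threshold trades fewer misses for more noise, which is the tuning an IT team would do against its own baseline of telnet traffic (ideally close to zero on a corporate segment).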
A top target
In many ways the C-level is at a much higher risk of this kind of attack, not only because they’re more likely to be targeted, but also because even information which everyday users won’t consider valuable could provide a gold mine of data for nation states or rival companies.
Online calendars could offer up information on where the CEO is at all times to improve the success rate of BEC scams. Or they could reveal who they are meeting with, which could be used for insider trading purposes if other meeting attendees are lawyers, bankers and acquisition company representatives.
The impact of such risks should be obvious by now – major financial and reputational damage for the organisation and potentially even C-level job losses.
Time to act
So what can we do to insulate the C-level from cyber-attacks, especially those targeting the smart home? As we all know, 100% security is impossible, but there are things IT teams can do to reduce risk.
These would include a more rigorous approach to cybersecurity training for execs. Roll out real-life phishing simulation exercises, kept to short bursts of 10-15 minutes for maximum impact. It’s worth including in these exercises PAs and other types who may be tasked with reading and replying to the chief’s emails.
Back this up with watertight policy based on improved visibility of their use of tech inside and outside the office. For example, no smart home endpoints should be allowed to connect to the corporate network without prior scanning and approval. This could be a challenge if CEOs’ home networks are connected to the business via VPNs by default.
It’s good to see governments slowly coming round to appreciate the seriousness of the IoT security challenge facing the world. The UK is taking a lead here globally, introducing in May a proposed new law designed to force manufacturers to meet strict security requirements, covering areas like unique passwords and security updates.
Retailers will be forced to provide clear labeling to tell IT buyers how secure IoT kit is. Also announced this year, the European ETSI TS 103 645 standard was built on a UK code of practice and will further help to improve transparency and baseline security in the industry. After all, you wouldn’t buy a toaster without a safety rating, so why buy a smart device that hasn’t been tested and approved?
The US is following with its own laws, although it will only cover government vendors. In the meantime, it’s time to add IoT endpoints to your risk planning, and make sure C-level execs aren’t above the law when it comes to enforcing strict security policy. The impact of doing nothing could cost the company dear – and maybe even the CEO’s job.