Protecting executives today is about much more than physically shielding them from danger. The cyber security risks are higher than ever, and organizations need to ensure that the network and data access many high-level executives have doesn’t become an easy entry point for attackers.
CSOs and CISOs need to make executive protection a high priority for the organization. Here are five fundamentals that security leaders should keep in mind.
1. Conduct a risk analysis
The first step CSOs and CISOs need to take is to conduct a comprehensive risk analysis. This includes identifying those individuals in the organization who are critical to the business and likely targets, and assessing the impact to the organization if they are the victims of attacks.
Some questions to ask as part of the analysis: Has there been a history of threats against any of these executives? Do they travel regularly to dangerous places? To what kinds of attacks are they most vulnerable?
Once you’ve determined which individuals need protection, learn about their public and private lifestyles—to the extent that it makes sense and can help reduce the risk factor. This step requires the executive’s full cooperation, because you will need to know all about the work and home life of the individual. Look into how easy it is for someone to get information on the executive and his or her family.
Based on what you learn about executives, you can get a clearer picture of what kinds of risks your facing and what security measures you’ll need to take. It’s important to keep in mind that risks are ever-changing, so you need to establish a baseline level of security for executives that can be increased as needed.
2. Make a strong case for protection, even if executives resist
Some executives will no doubt be unhappy about having their work and personal life under scrutiny, but that’s part of the price of achieving success in business and having lots of responsibility. To make this less of an ordeal for everyone involved, CSOs and CISOs need to demonstrate to executives why security is so important. One way to do this is to have executives pay attention to what they see when they do simple Google searches of their names.
Another way to demonstrate to executives how much of a target they are is to have them look in their email spam filters to see how many phishing emails have been sent to them. Fortunately, these emails didn’t reach the inbox and trigger an attack, but the sheer volume of these attempts should get the point across.
3. Ensure that executives’ personal and work devices are secure
Many business operations and interactions today take place via mobile devices, and a lot of executives are likely to be using the same devices for work and personal reasons. It’s ideal if they use different devices, such as smartphones, for work and home, but executives often won’t accept this. You might want to consider pushing for a company policy dictating how many and which devices can have for work and how they can be used.
In any case, it’s imperative that any devices executives use for business be highly secure and have the latest protections. All sensitive data should be encrypted and the devices should be protected via an enterprise mobility management (EMM) platform.
Part of ensuring the security of mobile devices includes evaluating not just the devices used by the executives, but those of their immediate family members within the household as well. That means determining whether each of the devices has password protection, updated operating systems, updated antivirus software, and so on.
4. Educate executives about attacks such as phishing
Business executives are among the biggest targets of phishing and whaling attacks, in large part because they have such a high level of access to important data. It’s vital that executives know what to look for that would indicate such an attack.
In general, it’s a good idea for executives to be vigilant in how they handle email. A big set of scams is now the ‘CEO phishing,’ when an adversary sends out email pretending to be the CEO working on a clandestine deal, needing assistance. Modern email clients can make it hard to tell when a message comes from outside the organization, but not all do. Consider advising your company to tag, or change colors, of all messages from outside the company.
5. Create and enforce rules for executive travel
Most executives are on the road quite a bit, for industry events, speaking engagements, or visits to clients. This puts them at risk, especially if the travel plans are well known ahead of time.
It’s important to have in place and enforce policies about what is and is not permitted during travel. This might include not allowing key executives to travel together at the same time and via the same mode of transportation.
The travel policy should cover the use of mobile devices on the road. For example, executives should not be allowed to take their main work laptop computer on a business trip, but instead use a loaner device that does not have any sensitive data stored.