Back to school, part 2: no whaling allowed!

5 security safeguards to keep the CEO out of hot water.


Now that the fall season is in full swing, and school has everybody focused on something other than Game of Thrones, let’s continue with the second half of the possible homework topics to review with the executive teams…

1. Socially engineering the executive

“Don’t call me Ishmael!”

In the Digital Age, the term “whaling” is used to describe the technique social engineers and hackers use to gain access to senior executives, thus “landing the big one.” Often, it’s nothing more than an innocuous email from “The CEO” (using his or her header information) to an unsuspecting subordinate, asking for some bit of important or relevant information (like a “forgotten” password or user name), which leads to a cascading compromise of targeted assets, like bank accounts, trade secrets, client lists, etc. According to a Verizon 2015 study of 150,000 phishing emails, 23% of recipients (especially executives) opened phishing messages, and 11% opened attachments.

Executives, writes former CSO Editor-in-Chief Joan Goodchild, “are often no more security smart than your average employee and can be compromised with many of the common social engineering scams.” That said, however, executives can take a few quick steps to reduce the risk of finding themselves on the end of a hacker’s harpoon:

  • Be sure that you recognize who your emails are coming from. If you don’t recognize the address, you probably want to stay away from discovering what is swimming under the surface. CSO Managing Editor Ryan Francis wrote about 10 of the most common email slipups that can swim in under the CEO’s net.
  • If you suspect that an email allegedly coming from a known source is suspicious, call the sender. It never hurts to eliminate all doubt before getting hooked. Minnesota Attorney General Lori Swanson writes, “Call the sender directly and ask about the email.” Whalers, Swanson writes, “prey on people’s desire to respond quickly to requests from their boss or supervisor, [and] taking the time to verify the email could save you and others much more time and money down the road.”
  • If there’s an attachment, ask the basic questions:

“Do I know what this attachment contains?”
“Do I know where it originated?”
“Do I know who sent it to me?”
“Am I expecting it?”

  • When in doubt, stay out of the water! If executives (or anybody else) see something suspicious show up in their inbox, don’t let curiosity send everyone (and possibly the whole organization) to the bottom of the sea!

2. Decision-maker email threats

If an executive wants to find out how big that virtual "Kick Me" sign is on their back, just have them check their Spam and Junk folders. Chances are, and if the IT Department is doing its job, those folders are stuffed full of phishing attempts. In her “Max Productivity” column, PCWorld writer, JD Sartain provides helpful processes through which executives can actively participate in reducing the fishing expedition.

How can CSOs advise their chief executives? Advise them that not opening anything they aren't expecting, or anything from a source they haven't verified, is a good baseline, and it might be helpful to reinforce these three watchwords:

  • Validation
  • Encryption
  • Authentication
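The sender checks from section 1 (does the address match the person the display name claims, and does the Reply-To lead somewhere else?) and the "Validation" and "Authentication" watchwords above can be turned into a mechanical pre-screen on the mail gateway or in a mailbox rule. The following is an added example, not code from the article or from any of the vendors it cites: it parses a raw message with Python's standard `email` library, flags the indicators the article describes (executive display name on a foreign address, lookalike or external domain, Reply-To divergence, missing SPF/DKIM pass in the `Authentication-Results` header, urgency or credential language, an attachment), and recommends holding the message for the phone call the article advises. The executive directory, the internal domain list, the keyword list and both sample messages are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed inputs for the example: a real deployment would load the executive
# directory and internal domains from the directory service, not hard-code them.
EXEC_DIRECTORY = {"ceo@example-corp.com": "Pat Rivera"}
INTERNAL_DOMAINS = {"example-corp.com"}
URGENCY_WORDS = {"urgent", "immediately", "asap", "wire", "password"}

# Constructed sample 1: a lookalike-domain "CEO" request with a Reply-To hijack
# and failed sender authentication. Not a real message.
SPOOF_SAMPLE = """\
From: "Pat Rivera" <pat.rivera@examp1e-corp.com>
Reply-To: accounts@mail-relay.example.net
To: jamie.lee@example-corp.com
Subject: Urgent: need the vendor password before my flight
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Content-Type: text/plain

Jamie, send me the login for the bank portal immediately. I'm boarding.
"""

# Constructed sample 2: a routine internal message that passes SPF and DKIM.
LEGIT_SAMPLE = """\
From: "Pat Rivera" <ceo@example-corp.com>
To: jamie.lee@example-corp.com
Subject: Board deck review
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Content-Type: text/plain

Jamie, please have the deck to me by Friday.
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the whaling indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims an executive, but the address is not that executive's.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    names_to_addr = {name.lower(): addr for addr, name in EXEC_DIRECTORY.items()}
    claimed = names_to_addr.get(from_name.strip().lower())
    if claimed and claimed != from_addr:
        findings.append("display-name-impersonation")

    # 2. Sender domain is outside the organisation (catches lookalike domains too).
    if _domain(from_addr) not in INTERNAL_DOMAINS:
        findings.append("external-sender-domain")

    # 3. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")

    # 4. The receiving gateway did not record both SPF and DKIM passes.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("unauthenticated-sender")

    # 5. Pressure to act quickly, or a request for credentials or money.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-or-credential-request")

    # 6. Any attachment: the article's "Am I expecting it?" question applies.
    if any(part.get_content_disposition() == "attachment" for part in msg.walk()):
        findings.append("unexpected-attachment")

    return findings


def verdict(findings: list[str]) -> str:
    """Two or more indicators: hold the message and verify by phone, as the article advises."""
    return "hold-for-phone-verification" if len(findings) >= 2 else "deliver"


if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF_SAMPLE), ("legit", LEGIT_SAMPLE)):
        found = analyze(sample)
        print(f"{label}: {verdict(found)} {found}")
```

The threshold of two indicators is a deliberate choice: a single external sender or a single urgent subject line is normal business traffic, while an executive's name on a foreign address combined with a failed SPF/DKIM check is exactly the pattern the article warns about, and holding it costs one phone call.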

3. Safe web browsing with corporate devices

Security officers might ask, “What can our executives do to operate more safely while trying to work and live in a digital environment?” In his article “10 Ways to Secure Browsing,” CSO contributor Joseph Guarino writes that IE, for example, “offers nearly 1,500 configurable settings, so you would be hard-pressed to say it's not flexible enough to meet your security requirements.”

The Web is a constantly moving source of fluctuations, temperaments and exploits. Nonetheless, it has become the backbone through which most of the modern world communicates everything from recipes to national defense. To browse the Web more safely, here are a few steps to consider:

  • Use Strong Passwords: Bad guys still like the easiest path to gain access to a target. Passwords may be a headache to remember, but if constructed properly, they’re an even greater headache to crack. Use passphrases rather than simple key strings.
  • Biometrics: Many mobile devices now offer some sort of biometric component, such as a thumbprint or eye scan, which adds a layer of protection from the Wild Wild Web.
  • Incorporate a VPN:  VPNs provide an encrypted connection for Internet access through a “Secure Tunnel.” Executives should consider mandating the use of only encrypted access for all mobile users with corporate-owned mobile devices, through which the Web may be “more safely” accessed.
  • Partitioning and Device Scrubbing:  Many executives consider the option of partitioning their mobile devices to protect part of their more sensitive data from externally facing controls. Part of segregating a device often also includes the ability for a host site to have access to “Scrub” all externally facing histories and related files, keeping corporate mobile devices under strict access control.
  • “Know Thyself”:  Just because you receive a text message doesn’t mean you know where it originated, and you certainly don’t have to respond to it. A good rule of thumb is, “If I don’t know you, I don’t WANT to Know YOU!”

4. Securely working from home

It's one thing to grab a laptop and head to the woods for the weekend, but it's a whole 'nother thing to head home, open up that laptop and start accessing secure files. What if little Suzy wants to do a quick Instagram with her BFF, or Junior wants to jump onto a gaming site with Dad's new, powerful device?

Computerworld’s Mary Brundel writes, “Home workers should be granted access to view and change data only from a distance.”

While similar to other issues mentioned here, the need for executives to be extra vigilant about threat exposure is magnified when next-of-kin become at-risk accomplices to, or victims of, malicious activities. A couple of precautionary considerations before heading from the boardroom to the living room might include:

  • Keep sensitive and proprietary data encrypted.
  • Consider using a back-up or "portable" mobile device for off-site, after-hours and for personal use, and limit what can be accessed.
  • Make sure your organization has a check-in / check-out procedure, for both equipment as well as for file management.
  • Be sure the "Scrubbing" policy includes a timely response window, to keep data latency and availability to a minimum while "in the wild."
  • Is everything backed up and stored in a secure location?

5. Secure destruction of sensitive information

"Sensitive information" is any data which, if compromised, would have an adverse impact on its owner. On a regular basis, sensitive data becomes outdated and may require revision or complete replacement. The business sector an organization operates in, however, may determine how outdated sensitive information is archived or destroyed.

Here are a few basic considerations executives should take when considering the destruction of sensitive data:

  • The organization may have a GRC-directed mandate or requirement (e.g., SOX, HIPAA) for archiving data and maintaining the archive for a set period of time.
  • There should be a clearly defined and authorized procedure for handling, retrieving, archiving and destroying sensitive information.
  • An audit procedure for tracking data handling throughout its lifecycle should be clearly defined, managed and routinely reviewed.
  • The destruction of sensitive data should be managed by a designated group whose procedures are verified by a separate group. This two-party model ensures compliance with policy while maintaining propriety over sensitive assets.

It’s a lot to look at, but these safeguards could make the difference in keeping the boss in safer waters and out of somebody’s frying pan. The watchword of the day: never assume the Corner Office fully understands what it means to be “secure,” and never expect senior leadership to know the best methods to apply to keep themselves safe. That’s where we come in.

This article is published as part of the IDG Contributor Network.