Developing personal OPSEC plans: 10 tips for protecting high-value targets

Attackers are increasingly targeting executives and employees who have access to sensitive enterprise data. Here's how to protect those individuals with personal OPSEC plans.

Criminal hackers are targeting a wide range of employees, from administrative assistants to the C-suite executives they serve. As cybersecurity firm Proofpoint puts it, the hackers’ goals are to “trick your workers into opening an unsafe attachment or clicking on a dubious web link. They impersonate your CEO and order your finance department to wire money. And they con your customers into sharing login credentials with a website they think is yours.”

Most enterprise IT systems are well protected against, though not invulnerable to, cyberattacks. But the personal devices and online tools employees use after hours can be less secure, providing a potential bypass around enterprise security.

At the same time, crooks are increasingly targeting specific individuals such as Chief Financial Officers because these executives have high-level access to sensitive enterprise data, says Stephanie Carruthers, Chief People Hacker of IBM’s X-Force Red team of veteran white-hat hackers. Other potential targets are often employees with access to sensitive information, such as IT and cybersecurity, human resources, and legal department team members.

“Who is targeted really comes down to what they have access to,” Carruthers says. Such targeting is on the rise because, simply put, it can be more efficient, she adds. “Targeting high-risk employees helps criminals go straight to the source for what they want to obtain, rather than digging around in the weeds.”

Criminal hackers can piece together information about someone and their organization from public social media accounts or other online sources, which supply the open source intelligence (OSINT) needed to impersonate people for criminal purposes, notes Chester Wisniewski, Principal Research Scientist for Sophos.

At the same time, because so much communication is digital, it’s harder to spot imposters. “If someone you know calls you on the phone, you can authenticate them by their voice,” Wisniewski adds. “But that’s not always so easy to do online.”

In an effort to block targeted attacks against employees, some organizations are beginning to develop personal OPSEC plans for high-risk individuals, to better safeguard them both at work and in their personal lives. Such plans go beyond standard enterprise security protocols, practices and tools in order to provide individualized cybersecurity training and protection.
