Back to school, part 2: no whaling allowed!

Sep 12, 2017 | 7 mins
Cybercrime | Data and Information Security | DLP Software

5 security safeguards to keep the CEO out of hot water.

[Image: phishing threat. Credit: Thinkstock]

Now that the fall season is in full swing, and school has everybody focused on something other than Game of Thrones, let’s continue with the second half of the possible homework topics to review with the Executive teams…

1. Socially engineering the executive

“Don’t call me Ishmael!”

In the Digital Age, the term “whaling” describes the technique social engineers and hackers use to gain access to senior executives, thus “landing the big one.” Often, it’s nothing more than an innocuous email from “The CEO” (spoofing his or her header information) to an unsuspecting subordinate, asking for some bit of important or relevant information (like a “forgotten” password or user name), which leads to a cascading compromise of targeted assets, like bank accounts, trade secrets, client lists, etc. According to a Verizon 2015 study of 150,000 phishing emails, 23% of recipients (especially executives) opened phishing messages, and 11% opened attachments.

Executives, writes former CSO Editor-in-Chief Joan Goodchild, “are often no more security smart than your average employee and can be compromised with many of the common social engineering scams.” That said, however, executives can take a few quick steps to reduce the risk of finding themselves on the end of a hacker’s harpoon:

  • Be sure that you recognize who your emails are coming from. If you don’t recognize the address, you probably want to stay away from discovering what is swimming under the surface. CSO Managing Editor Ryan Francis wrote about 10 of the most common email slipups that can swim in under the CEO’s net.
  • If you suspect that an email allegedly coming from a known source is suspicious, call the sender. It never hurts to eliminate all doubt before getting hooked. Minnesota Attorney General Lori Swanson writes, “Call the sender directly and ask about the email.” Whalers, Swanson writes, “prey on people’s desire to respond quickly to requests from their boss or supervisor, [and] taking the time to verify the email could save you and others much more time and money down the road.”
  • If there’s an attachment, ask the basic questions:
    “Do I know what this attachment contains?” “Do I know where it originated?” “Do I know who sent it to me?” “Am I expecting it?”
  • When in doubt, stay out of the water! If executives (or anybody else) see something suspicious show up in their inbox, don’t let curiosity send them (and possibly the whole organization) to the bottom of the sea!
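One defensive check a mail gateway or SOC script can run for the spoofed-CEO pattern described above, added here as an example and not taken from the original column. It assumes a constructed executive directory, the domain example.com, and that the receiving gateway stamps an Authentication-Results header; it flags a display name borrowed from a known executive, a Reply-To outside the company, and a corporate From domain without a DMARC pass.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed executive directory (assumption for the demo; in practice this
# comes from the directory service). Domain and addresses are made up.
EXECUTIVES = {"Pat Chen": "pat.chen@example.com"}
CORPORATE_DOMAIN = "example.com"

def whaling_indicators(raw_message: str) -> list:
    """Return reasons a message looks like a spoofed executive email (empty = clean)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    # 1. A known executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip())
    if expected and from_addr != expected.lower():
        reasons.append(f"display name {display_name!r} used with {from_addr}")
    # 2. Reply-To outside the company redirects the victim's answer to the attacker.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if reply_domain and reply_domain != CORPORATE_DOMAIN:
            reasons.append(f"Reply-To {reply_addr} is outside {CORPORATE_DOMAIN}")
    # 3. Claims the corporate domain but the gateway recorded no DMARC pass.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if from_domain == CORPORATE_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("corporate From domain without dmarc=pass")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = """From: Pat Chen <pat.chen@example-mail.co>
Reply-To: pat.chen@example-mail.co
Subject: Need the vendor portal login today
Authentication-Results: mx.example.com; spf=pass; dmarc=none

Send me the portal password, I am stuck in a meeting.
"""
LEGIT = """From: Pat Chen <pat.chen@example.com>
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    print(whaling_indicators(SPOOFED))  # two indicators fire
    print(whaling_indicators(LEGIT))    # []
```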

2. Decision-maker email threats

If an executive wants to find out how big that virtual “Kick Me” sign is on their back, just have them check their Spam and Junk folders. Chances are, and if the IT Department is doing its job, those folders are stuffed full of phishing attempts. In her “Max Productivity” column, PCWorld writer, JD Sartain provides helpful processes through which executives can actively participate in reducing the fishing expedition.

How can CSOs advise their chief executives? Advise them that not opening things they’re not expecting (or that come from sources they have not verified) is a good baseline, and it might be helpful to reinforce these three watchwords:

  • Validation
  • Encryption
  • Authentication

3. Safe web browsing with corporate devices

Security officers might ask, “What can our executive do to operate more safely than not while trying to work/live in a digital environment?” In his article, “10 Ways to Secure Browsing,” CSO contributor Joseph Guarino writes that IE, for example, “offers nearly 1,500 configurable settings, so you would be hard-pressed to say it’s not flexible enough to meet your security requirements.”

The Web is a constantly moving source of fluctuations, temperaments and exploits. Nonetheless, it has become the backbone through which most of the modern world communicates everything from recipes to national defense. To browse the Web safely, here are a few steps to consider:

  • Use Strong Passwords: Bad guys still like the easiest path to gain access into a target. Passwords may be a headache to remember, but if constructed properly, they’re an even greater headache to crack. Use passphrases, rather than simple key strings.
  • Biometrics: Many mobile devices now offer some sort of biometric component, such as a thumb print or eye scan, which adds a layer of protection from the Wild Wild Web.
  • Incorporate a VPN:  VPNs provide an encrypted connection for Internet access through a “Secure Tunnel.” Executives should consider mandating the use of only encrypted access for all mobile users with corporate-owned mobile devices, through which the Web may be “more safely” accessed.
  • Partitioning and Device Scrubbing:  Many executives consider the option of partitioning their mobile devices to protect part of their more sensitive data from externally facing controls. Part of segregating a device often also includes the ability for a host site to have access to “Scrub” all externally facing histories and related files, keeping corporate mobile devices under strict access control.
  • “Know Thyself”:  Just because you receive a text message doesn’t mean you know where it originated, and you certainly don’t have to respond to it. A good rule of thumb is, “If I don’t know you, I don’t WANT to Know YOU!”

4. Securely working from home

It’s one thing to grab a laptop and head to the woods for the weekend, but it’s a whole ‘nother thing to head home, open up that laptop and start accessing secure files. What if little Suzy wants to do a quick Instagram with her BFF, or Junior wants to jump onto a gaming site with Dad’s new, powerful device?

Computerworld’s Mary Brundel writes, “Home workers should be granted access to view and change data only from a distance.”

While similar to other issues mentioned here, the need for executives to be extra vigilant where threat exposure is concerned is magnified when next-of-kin become at-risk accomplices to, or victims of, malicious activities. A couple of precautionary considerations before heading from the boardroom to the living room might include:

  • Keep sensitive and proprietary data encrypted.
  • Consider using a back-up or “portable” mobile device for off-site, after-hours and personal use, and limit what can be accessed from it.
  • Make sure your organization has a check-in / check-out procedure, for both equipment and file management.
  • Be sure the “Scrubbing” policy includes a timely response window, to keep data latency and availability to a minimum while “in the wild.”
  • Make sure everything is backed up and stored in a secure location.

5. Secure destruction of sensitive information

“Sensitive Information” is any data which, if compromised, would have an adverse impact on the owner connected to it. On a regular basis, sensitive data becomes outdated and may require revision or complete replacement. The business sector an organization operates in, however, may determine how outdated sensitive information is archived or destroyed.

Here are a few basic considerations executives should take when considering the destruction of sensitive data:

  • The organization may have a GRC-directed mandate or requirement (e.g., SOX, HIPAA) for archiving data and maintaining the archive for a defined period of time.
  • There should be a clearly defined and authorized procedure for handling, retrieving, archiving and destroying sensitive information.
  • An audit procedure for tracking data handling throughout its lifecycle should be clearly defined, managed and routinely reviewed.
  • The destruction of sensitive data should be managed by a designated group whose procedures are verified by a separate group. This two-party model ensures compliance with policy while maintaining propriety over sensitive assets.

It’s a lot to look at, but these safeguards could make the difference in keeping the boss in safer waters and out of somebody’s frying pan. The watchword of the day: never assume the Corner Office fully understands what it means to be “secure,” and never expect senior leadership to know the best methods to apply to keep themselves safe. That’s where we come in.


U.S. Navy Veteran Drew Williams has a core philosophy about life and work: "Keep busy, stay engaged, and always be productive." Whether as a writer, video producer, lecturer or educator, Drew has been involved in information risk management since the mid-80s. He has developed and published Information Security standards and guidelines.

During the late 1990s, Drew contributed to re-tooling security policies for some of the largest financial institutions in the world, and worked on early adoption of GRC standards and frameworks (SOX, ITIL, ISO27799, CObIT). An original contributor to the HIPAA Security Policy (1995-1996), Drew wrote one of the early security policy guides, "HIPAA Code Blue."

As former product manager for what was the world's top Host Intrusion Detection System (AXENT/Intruder Alert), Drew also contributed to IT security initiatives (IETF / NIST), and worked with MITRE to build the Common Vulnerabilities Enumeration (CVE) framework. Drew served on the President's Council on Critical Infrastructure Security (precursor to DHS), and worked on the NIST's "Common Criteria" directives.

Drew co-authored some of the industry’s first Incident Response & Information Security Risk Assessment Services while head of the SWAT Team at AXENT/Symantec (1997-2002), and from 2006 to 2011, Drew hosted Asia's "Hacker Halted" security symposium.

As founder of Condition Zebra (2011) Drew developed information security readiness programs & mission-critical risk assessments for ministries of defense throughout Asia. He also co-developed post-graduate programs on cybersecurity at Utah Valley University and Southern Utah University, the latter where he also serves as a member of the faculty in the Graduate Program.

Drew also initiated the first "Gold" funding opportunities for the annual Black Hat Briefings in Las Vegas in 2000. A former speaker at CSI/FBI and N+i events during the 1990s-2000s, Drew is also a member of the “Founder’s Circle” at the annual RSA Security Conference, has been a contributing source in broadcast media, including MSNBC, CNN, and NPR, and has been featured in USA Today, The Washington Post and publications throughout the US and Europe.

The opinions expressed in this blog are those of Drew Williams and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.