Now that the fall season is in full swing, and school has everybody focused on something other than Game of Thrones, let's continue with the second half of the possible homework topics to review with the executive teams…

1. Socially engineering the executive

"Don't call me Ishmael!"

In the Digital Age, the term "whaling" describes the technique social engineers and hackers use to gain access to senior executives, thus "landing the big one." Often it's nothing more than an innocuous email from "The CEO" (using his or her header information) to an unsuspecting subordinate, asking for some bit of important or relevant information (like a "forgotten" password or user name), which leads to a cascading compromise of targeted assets, like bank accounts, trade secrets, client lists, etc. According to a Verizon 2015 study of 150,000 phishing emails, 23% of recipients (especially executives) opened phishing messages, and 11% opened attachments.

Executives, writes former CSO Editor-in-Chief Joan Goodchild, "are often no more security smart than your average employee and can be compromised with many of the common social engineering scams." That said, executives can take a few quick steps to reduce the risk of finding themselves on the end of a hacker's harpoon:

- Be sure that you recognize who your emails are coming from. If you don't recognize the address, you probably want to stay away from discovering what is swimming under the surface. CSO Managing Editor Ryan Francis wrote about 10 of the most common email slipups that can swim in under the CEO's net.
- If you suspect that an email allegedly coming from a known source is suspicious, call the sender. It never hurts to eliminate all doubt before getting hooked. Minnesota Attorney General Lori Swanson writes, "Call the sender directly and ask about the email." Whalers, Swanson writes, "prey on people's desire to respond quickly to requests from their boss or supervisor, [and] taking the time to verify the email could save you and others much more time and money down the road."
- If there's an attachment, ask the basic questions:
  - "Do I know what this attachment contains?"
  - "Do I know where it originated?"
  - "Do I know who sent it to me?"
  - "Am I expecting it?"

When in doubt, stay out of the water! If executives (or anybody else) see something suspicious show up in their inbox, don't let curiosity send everyone (and possibly the whole organization) to the bottom of the sea!

2. Decision-maker email threats

If an executive wants to find out how big that virtual "Kick Me" sign is on their back, just have them check their Spam and Junk folders. Chances are, if the IT department is doing its job, those folders are stuffed full of phishing attempts. In her "Max Productivity" column, PCWorld writer JD Sartain provides helpful processes through which executives can actively participate in reducing the fishing expedition.

How can CSOs advise their chief executives? Advise them that not opening things they're not expecting (or that come from sources they have not verified) is a good baseline, and it might be helpful to reinforce these three watchwords:

- Validation
- Encryption
- Authentication

3. Safe web browsing with corporate devices

Security officers might ask, "What can our executive do to operate more safely than not while trying to work/live in a digital environment?" In his article "10 Ways to Secure Browsing," CSO contributor Joseph Guarino writes that IE, for example, "offers nearly 1,500 configurable settings, so you would be hard-pressed to say it's not flexible enough to meet your security requirements."

The Web is a constantly moving source of fluctuations, temperaments and exploits. Nonetheless, it has become the backbone through which most of the modern world communicates everything from recipes to national defense. To browse the Web more safely, here are a couple of steps to consider:

- Use strong passwords: Bad guys still like the easiest path to gain access to a target. Passwords may be a headache to remember, but if constructed properly, they're an even greater headache to crack. Use passphrases rather than simple key strings.
- Biometrics: Many mobile devices now offer some sort of biometric component, such as a thumbprint or eye scan, which adds a layer of protection from the Wild Wild Web.
- Incorporate a VPN: VPNs provide an encrypted connection for Internet access through a "secure tunnel." Executives should consider mandating encrypted access only for all mobile users with corporate-owned mobile devices, through which the Web may be "more safely" accessed.
- Partitioning and device scrubbing: Many executives consider the option of partitioning their mobile devices to protect part of their more sensitive data from externally facing controls. Part of segregating a device often also includes the ability for a host site to "scrub" all externally facing histories and related files, keeping corporate mobile devices under strict access control.
- "Know thyself": Just because you receive a text message doesn't mean you know where it originated, and you certainly don't have to respond to it. A good rule of thumb is, "If I don't know you, I don't WANT to know YOU!"

4. Securely working from home

It's one thing to grab a laptop and head to the woods for the weekend, but it's a whole 'nother thing to head home, open up that laptop and start accessing secure files. What if little Suzy wants to do a quick Instagram with her BFF, or Junior wants to jump onto a gaming site with Dad's new, powerful device?

Computerworld's Mary Brundel writes, "Home workers should be granted access to view and change data only from a distance."

While similar to other issues mentioned here, the need for executives to be extra vigilant where threat exposure is concerned is magnified when next-of-kin become at-risk accomplices to, or victims of, malicious activities. A couple of precautionary considerations before heading from the boardroom to the living room might include:

- Keep sensitive and proprietary data encrypted.
- Consider using a back-up or "portable" mobile device for off-site, after-hours and personal use, and limit what can be accessed.
- Make sure your organization has a check-in/check-out procedure, for both equipment and file management.
- Be sure the "scrubbing" policy includes a timely response window, to keep data latency and availability to a minimum while "in the wild."
- Is everything backed up and stored in a secure location?

5. Secure destruction of sensitive information

"Sensitive information" is considered any data which, if compromised, would have an adverse impact on the owner connected to the object. On a regular basis, sensitive data becomes outdated and may require revisions or complete replacement. The business sector an organization finds itself in, however, may determine how outdated sensitive information is archived or destroyed.

Here are a few basic considerations executives should take when considering the destruction of sensitive data:

- The organization may have a GRC-directed mandate or requirement (e.g., SOX, HIPAA, etc.) for archiving and maintaining archived data for a period of time.
- There should be a clearly defined and authorized procedure for handling, retrieving, archiving and destroying sensitive information.
- An audit procedure for tracking data handling throughout its lifecycle should be clearly defined, managed and routinely reviewed.
- The destruction of sensitive data should be managed by a designated group, and its procedures should be verified by a separate group. This two-party model ensures compliance with policy while maintaining propriety over sensitive assets.

It's a lot to look at, but these safeguards could make the difference in keeping the boss in safer waters and out of somebody's frying pan. The watchword of the day: never assume the corner office fully understands what it means to be "secure," and never expect senior leadership to know the best methods to apply to keep themselves safe. That's where we come in.
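As an added example (not part of the original article), here is what the "be sure you recognize who your emails are coming from" advice from section 1 and the Validation/Authentication watchwords from section 2 look like as a header triage script a mail team could run on a reported message, written in Python with only the standard library. The corporate domain example.com, the executive roster, and both sample messages are constructed for the demo, and the script assumes the receiving mail gateway stamps an Authentication-Results header; none of these are taken from the article.

```python
"""Header triage for a reported "whaling" email (added example, not from the article).

Assumptions (all constructed for this demo): the corporate domain is
example.com, the executive roster is the small dict below, and the inbound
gateway writes an Authentication-Results header with SPF/DKIM/DMARC verdicts.
"""
from email import message_from_string, policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXEC_ROSTER = {"Pat Doe": "pat.doe@example.com"}   # assumed CEO entry (constructed)


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of indicator strings for one raw RFC 5322 message.

    An empty list means nothing fired; it does not prove the mail is safe,
    which is why the article still says to call the sender.
    """
    msg = message_from_string(raw, policy=policy.default)
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name borrowed from an executive, but the address is not theirs.
    for name, real_addr in EXEC_ROSTER.items():
        if from_name.strip().lower() == name.lower() and from_addr.lower() != real_addr:
            indicators.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Reply-To steers answers to a different domain than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        indicators.append(f"reply-to mismatch: {reply_addr}")

    # 3. The gateway recorded an explicit SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            indicators.append(f"{mech} failed")

    # 4. Mail claiming to be internal must carry a DMARC pass from our gateway.
    if from_dom == CORP_DOMAIN and "dmarc=pass" not in auth:
        indicators.append("internal sender without dmarc=pass")

    # 5. Attachments present: the article's "Do I know what this contains?"
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if attachments:
        indicators.append(f"attachment(s): {attachments}")
    return indicators


# Constructed sample: spoofed "CEO" mail from an outside domain with an attachment.
SPOOFED = """\
From: Pat Doe <pat.doe@example-mail.co>
Reply-To: ceo.urgent@mail-relay.test
To: junior@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.co; dmarc=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Need the wire details today, see attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: genuine internal mail that passed authentication.
LEGIT = """\
From: Pat Doe <pat.doe@example.com>
To: junior@example.com
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

The deck is on the shared drive; nothing attached here.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", triage(raw) or "no indicators")
```

The script only reads headers and attachment metadata, so it is safe to run on a quarantined message, and the indicator list maps directly onto the questions the article tells executives to ask before they open anything.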