The damage from executive email account takeovers can run into millions of dollars, as recent examples show. In 2019, Toyota Boshoku Corporation lost $37 million after the information in a payment direction from a third party was changed, sending millions to the fraudsters. Nobelium, the group responsible for the recent SolarWinds attack, has since launched a campaign of email attacks appearing to originate from USAID after its Constant Contact email account was compromised. Recently, Microsoft 365 Defender researchers disrupted an attack against infrastructure hosted in multiple web services after a phishing attack on a cloud provider netted stolen credentials that were used to access target mailboxes.

CISOs responsible for securing sensitive C-suite email accounts face a dual challenge: securing accounts with wide-ranging permissions while also taking on a significant educational role with largely non-technical executives. But with brute-force attacks on the rise and account takeover attempts on C-suite mailboxes escalating by a staggering 671%, according to the latest report from Abnormal Security, now is the time to review executive account protections and security procedures.

Why C-suite BEC attacks are so damaging

Ransomware might make the headlines, but business email compromise (BEC) attacks, particularly in the C-suite, can pave the way for huge losses, both financial and reputational, thanks to the authority and financial privileges attached to these accounts.

Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University with more than 40 years of professional experience in security and intelligence, has seen first-hand incidents where a hacker gains the email address of one or more C-suite executives, usually via social engineering or by compromising the email account. The hacker can then send an email to the CFO directing payment of a fake invoice to a linked bank account. “The combination of social engineering and clever use of email made to look like it's from the boss/CEO is a real threat in BECs,” Thompson tells CSO.

The added importance of securing these accounts, he says, comes with the “greater vulnerability and risk to the organization, which will be exposed to ransomware, email spoofing, and related threats.” An executive’s account can also be compromised from below and then used to launch attacks. “‘Whaling’ BEC attacks target a subordinate and use that person's compromised email to get to the CEO,” he says.

C-suite executives are the most trusted with corporate secrets and confidential data, and their communication is more likely to be read and their instructions followed. “In many cases of BEC, the cybercriminals would find critical/confidential data inside the emails of C-suite victims,” says Alex Holden, founder and CISO at Hold Security and a member of the ISACA Emerging Trends Working Group.

By their nature, C-suite email accounts present specific challenges. “[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules. They are also more prominent and therefore easier to target and imitate for abuse,” says Holden.

Thompson, Holden, and other experts offer the following advice for CISOs working with C-suite executives to reduce email account takeover risk.

Train the C-suite to recognize BEC threats

Preparing the C-suite through training exercises can help them identify suspect emails. Thompson recommends twice-yearly tabletop exercises to raise awareness of the threats and to practice responses to a breach or BEC before it happens. These exercises should ideally be conducted in a non-threatening ‘quiet’ time to help everyone in the C-suite become more security conscious and to build resilience if/when a company is victimized by a BEC or data breach. “These exercises can also identify and iron out any confusion caused by language barriers,” he adds.

Put technical controls in place

With education comes technical protections. While the layered security approach is common across cybersecurity defenses, there are a few differences when it comes to the C-suite, says Michael Del Giudice, principal in the consulting group at Crowe, which specializes in information security and data privacy for the public sector and in implementing governance, risk, and compliance solutions. “First off, use your education to make sure you work with them to help identify anything that looks suspicious—syntax, language, misplaced characters, urgent requests,” he says.

There need to be controls behind this line of personal defense—the layers. “Complementing that with technical controls, implementing things like multifactor authentication on email so even if they do get credentials it will still prevent them from authenticating,” Del Giudice tells CSO.

Del Giudice believes two main variables limit account takeovers. The first is to decrease the number of times someone takes an action that the attacker wants. “You want it to be as close to zero as possible,” he says. The other is to increase the number of notifications when someone gets a message that seems suspicious. “That may be our first clue that something is going on and we need to start to investigate.”

When an account takeover occurs in the C-suite, the CISO first needs to be aware there’s an issue, ideally well before funds start moving into the criminal’s coffers. To Del Giudice, it begins with having the right monitoring: “An alert if someone's forwarding mail to a specific mailbox,” he says. “Look for anomalous types of behavior that may flag something that could be an issue. Make sure that there is a banner on all email that's coming in from outside the organization.”

Emphasize the need for the C-suite to set an example

Hold Security’s Holden says that the C-suite has an important role as exemplars of the best security behavior. “C-suite members are not regular employees; they are the most prominent employees. They are role models and not above the rules,” he says. “They are supposed to be the most protected individuals in the company. They may need more reminders to lead the cyber security initiatives by example and not to be the exception.”

Yet training the C-suite can be complicated, according to Holden. While they need customizations that stress their unique responsibilities to the company in terms of cybersecurity, they should also adhere to a higher standard. “Violations of the policies should be dealt with privately, but with significant actions to ensure that C-suite executives stay secure,” he says.

Communicate BEC risk to the CEO in business language

Johns Hopkins University’s Thompson says the challenge in securing and educating the executive rests on communications between the CEO and the CISO and on finding a language to express the risks. “With different education and professional backgrounds, it was hard to find common ground when they spoke,” he says. He has seen a lack of understanding of the importance of cybersecurity among the non-technical people who run most corporations. This worsens when CIOs and CISOs struggle to explain threats, vulnerabilities, and risks in business terms the C-suite can understand and translate into business risks. “The main challenge is for the CISO to be able to express the threats, risks, and solutions in plain language so that non-technical people in the C-suite can understand and act on the CISO's recommendations,” he says.
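The monitoring Del Giudice recommends in the technical-controls section above, an alert whenever mail from an executive mailbox starts being forwarded elsewhere, can be expressed as a small detection rule. The following is an added example written for this article; it is not code from CSO, Crowe, Microsoft, or any other party named here. It reads audit records as JSON lines in a constructed, simplified shape loosely modelled on Exchange mailbox audit entries; the field names (Time, Operation, Mailbox, Actor, ClientIP, Parameters), the internal domain list, the executive watch list, and the sample records are all assumptions made for the example. It goes slightly beyond the quoted advice by handling the two cases that otherwise cause noise: forwarding to another internal mailbox, and an administrator clearing a forwarding setting.

```python
"""Flag mailbox-forwarding changes, with highest severity on executive mailboxes.

Added example for the monitoring advice in the CSO article; not the article's
or any vendor's code. Audit records are JSON lines in a simplified constructed
shape. Field names, domains and addresses below are assumptions for the example.
"""
import json
from dataclasses import dataclass

# Assumption: the organization's own mail domains; any other domain is external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed watch list of executive mailboxes that get the highest severity.
CSUITE_MAILBOXES = {"ceo@example.com", "cfo@example.com"}

# Operations and parameters through which mail can be made to leave a mailbox
# (rule-based forward/redirect, and mailbox-level SMTP forwarding).
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}

# Constructed sample audit log (JSON lines). Record 1 forwards the CEO's mail
# outside the company and deletes the original copy; record 2 is an internal
# redirect; record 3 sets mailbox-level forwarding on the CFO; record 4 clears
# it again; record 5 is a non-executive external forward; record 6 is unrelated.
SAMPLE_AUDIT_LOG = """\
{"Time": "2021-06-01T08:12:03Z", "Operation": "New-InboxRule", "Mailbox": "ceo@example.com", "Actor": "ceo@example.com", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": ["smtp:archive@example.net"]}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Time": "2021-06-01T09:40:11Z", "Operation": "Set-InboxRule", "Mailbox": "analyst@example.com", "Actor": "analyst@example.com", "ClientIP": "198.51.100.20", "Parameters": [{"Name": "RedirectTo", "Value": ["smtp:teamlead@example.com"]}]}
{"Time": "2021-06-01T10:05:42Z", "Operation": "Set-Mailbox", "Mailbox": "cfo@example.com", "Actor": "admin@example.com", "ClientIP": "203.0.113.9", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:finance-archive@example.org"}]}
{"Time": "2021-06-01T10:30:00Z", "Operation": "Set-Mailbox", "Mailbox": "cfo@example.com", "Actor": "admin@example.com", "ClientIP": "198.51.100.5", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""}]}
{"Time": "2021-06-01T11:02:19Z", "Operation": "New-InboxRule", "Mailbox": "staff@example.com", "Actor": "staff@example.com", "ClientIP": "198.51.100.31", "Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": ["personal@example.org"]}]}
{"Time": "2021-06-01T11:15:55Z", "Operation": "MailItemsAccessed", "Mailbox": "ceo@example.com", "Actor": "ceo@example.com", "ClientIP": "198.51.100.8", "Parameters": []}
"""


@dataclass
class Alert:
    severity: str      # "high" for a watched executive mailbox, else "medium"
    mailbox: str       # mailbox whose mail now leaves the organization
    operation: str     # audit operation that introduced the forwarding
    targets: list      # external addresses the mail is sent to
    actor: str         # account that made the change
    client_ip: str
    time: str


def _addresses(value):
    """Normalize a parameter value (string or list) to lowercase SMTP addresses."""
    items = value if isinstance(value, list) else [value]
    out = []
    for item in items:
        addr = str(item).strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" in addr:               # an empty value means the setting was cleared
            out.append(addr)
    return out


def is_external(address):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def analyze(audit_log):
    """Return one Alert per record that forwards or redirects mail externally."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        external = []
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARDING_PARAMS:
                external += [a for a in _addresses(param.get("Value", ""))
                             if is_external(a)]
        if not external:              # internal-only forwarding, or setting cleared
            continue
        mailbox = rec["Mailbox"].lower()
        severity = "high" if mailbox in CSUITE_MAILBOXES else "medium"
        alerts.append(Alert(severity, mailbox, rec["Operation"],
                            sorted(set(external)), rec.get("Actor", ""),
                            rec.get("ClientIP", ""), rec.get("Time", "")))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LOG):
        print(f"[{a.severity.upper()}] {a.time} {a.operation} on {a.mailbox} "
              f"by {a.actor} from {a.client_ip}: mail leaves to {', '.join(a.targets)}")
```

Run as a script, it reports the CEO rule and the CFO mailbox-level forward as high and the non-executive forward as medium, while the internal redirect and the cleared setting stay quiet. In a real tenant the records would come from the platform's audit log (for Exchange Online, the output of Search-UnifiedAuditLog, whose JSON differs from the constructed shape used here), and the domain allow-list and executive watch list would be maintained alongside the rest of the detection content. The allow-list design is deliberate: forwarding to "a specific mailbox" inside the company is routine, so the rule pages someone only when an executive's mail starts leaving the organization.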