Security awareness

Security Awareness for Executives

December 19, 2017 by Chiragh Dewan

Introduction

Executives have always been looked upon as whales, so to speak, by hackers. They have more privileges and more sensitive information with them than most of the employees in a company. It is in the company’s best interest that they do everything in their power to avoid their executives from being hacked. If compromised, the hacking of executives would potentially do more harm than a regular employee being hacked.

To keep executives from being compromised, specific protocols need to be in place. However, the entire responsibility does not fall onto the IT department of the company. All divisions must work together to spread awareness and ensure that the protocols are being followed. For example:

  • Regular training organized by the relevant department can help ensure that all the executives are up-to-date with the phishing attacks/viruses/malware/ransomware that are compromising people.
  • The HR (Human Resources) department can help by providing latest policies and their impact to the executives.
  • The risk management department can provide information on previous examples of a breach and how they were handled.
  • Periodic audits can help determine the risks that might affect, and they can be patched to avoid those vulnerabilities to be exploited by a third party.
  • The IT department can keep the services up-to-date and apply patches to any known vulnerability that comes into light.

Every department of a company can play an essential role by helping educate others on the impact of a breach on their division and what disastrous effect it can have on the company.

Secure Passwords

Having a secure password is one of the most crucial and fundamental security practices that everyone should follow. Since the executives of a company may possess specific valuable information with them in their laptops/desktops/phones/tablets/email, etc., having a secure password and updating those periodically lowers the chance of a compromise.

Remote Work

Even though the concept of remote work has only recently caught on with the employees of a company, executives have long had the habit of working remotely through their phones or laptops. As there are advantages of the new software that allows us to do that, there are some disadvantages as well. In an office environment, specific protocols are usually in place which help to secure the employees from being attacked. These include:

  • Specific mail protocols that limit the attachments sent or received.
  • Plug any external device to the system such as a pen drive, mobile phone, SD card, external hard disks, etc.
  • Surfing known sites that may spread viruses or malware.
  • Additional network security such as firewalls and honeypots.
  • Downloading files from untrusted sources.

These are the standard security measures that an organization routinely takes; however, these practices may not be in place when the person is working from a remote location. Implementing these precautions can help the executive not fall for phishing attacks and thus will prevent the company from massive losses.

Since it is not always possible for executives to work from their office, regular training programs can help them ensure that they are taking all necessary precautions they can while accessing sensitive information remotely.

Reporting

Reporting is one of the most crucial parts. Many times people often ignore the problem since they are worried about the repercussions and by the time they realize what the right thing is, it’s too late. Usually, people don’t realize that they’ve been hacked for day or weeks and in some cases, even months. It’s always a good practice to keep the anti-virus updated, use strong passwords, limiting/restricting access, etc.

Anytime you see a file(s) that you do not recognize, folder(s) renamed, file(s) deleted, file(s) or folder(s) location changed, malicious processes running in the background and so forth, always contact someone from your IT team to have a look at it. Proper protocols should be in place which would ease the reporting process for everyone in the company.

Social Media

We live in a world where everyone with a smartphone is always engrossed in their social media accounts such as Facebook, Twitter, Instagram, Snapchat, etc. Social Media has always been and will remain the hidden gem for all hackers. Information Gathering is the first and the most crucial step in compromising a victim, and with the rate and speed people post every aspect of their lives with almost hour to hour update, it’s a priceless chest for hackers to know all they want to know about their target. Executives should be a tad more careful as to what they post publicly as anything could be used against them.

VAPT (Vulnerability Assessment and Penetration Testing)

Periodic checks and scans can help an organization figure out that their vulnerabilities and patch them before an attacker has an opportunity to exploit those. The reports should be in a format that people without a technical background are able to understand and grasp the implications of what might happen if those are left unpatched.

Reputation

No matter how or why a company is hacked, telling the employees, investors and the customers is always the hardest part. Although the full disclosure is always preferred, no matter what size the company is, the image of the company is still at stake. Over the past few years, people have been more concerned about their privacy and online data than ever before. When a company discloses that their customer’s information is now in the hands of hackers (which can include their name, email address, phone numbers and in some instances their credit card information, driving license, social security number, and a lot more personal information), they stand to lose even more than what the hackers took.

Market Share

Apart from the company’s reputation going down the drain, the reason why any hacker or a group of hackers would target a company are generally for two reasons:

  • To gain monetary value
  • To retrieve IP/trade secrets, etc.

Losing proprietary information can damage any company. Their competitors can use their trade secrets against them which would not only leave them with a poor market image, but the company would also end up suffering massive losses.

Getting the band together

The best way to protect against potential losses is to get all the departments and department heads to work together. The IT and security departments need to recognize that achieving business goals is the primary aim of this exercise; only then will things work smoothly and with minimum contingencies.

Posted: December 19, 2017
Chiragh Dewan
View Profile

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.

In this Series
Related Bootcamps
Incident Response