Executives are high-value targets for threat actors. They routinely have access to critical systems and highly confidential information, and sign-off on important transactions and decisions.
And yet, keeping executives safe can be one of the biggest challenges for CISOs. Without a deep knowledge of security risks, executives may see efforts to keep them safe as onerous rules and restrictions that reduce their efficiency. These rules are often seen as pushing the balance too far in favour of security at the expense of usability and convenience. This can ultimately result in non-compliance which puts the executive, and the organisation, at risk.
What is a “Protection Program” for executives?
When we worked together in a previous role, NZITF member Mike Seddon suggested a novel solution to the problem of executives not buying-in to efforts to keep them safe: reframe the rules and restrictions as VIP protections. Mike proposed that these rules, policies, and procedures should be packaged into an “Executive Protection Program”; an exclusive club for the organisation’s most important personnel.
This shifts the focus of these additional rules and requirements to the real reason executives need extra protection; because they are so important—both to the organisation, and to malicious actors who see them as high-value targets.
Who should be part of the program?
The kinds of executive protection policies you put in place will depend on the level of risk involved with each executive, taking into account their level of sign-off, access and oversight.
Consider that certain non-executives may also be worth placing in a protection program. In particular, anyone with a high level of access and budgetary sign-off, such as senior staff working in finance and procurement, or project managers accepting RFPs. Executive Assistants often have as much access to data and more exposure to threats than the people they support. Ultimately, any staff member empowered to make high-impact decisions is a potential target for fraudsters.
Some questions to include in your risk analysis are:
- What systems and accounts does the executive have access to?
- Does the executive have financial sign-off? If so, for how much?
- What sensitive data might the executive have on their laptop and phone?
- What can the executive authorise with an email or phone-call?
- How frequently is the executive expected to travel overseas, and to where?
- What powers do border protection officers have in those countries?
- What are the data protection laws in those countries?
Designing an “Executive Protection Program”
Based on the level of risk you’ve identified, you may want to consider implementing some of the following security policies as part of your protection program:
Enable two-factor authentication (2FA) on all the executive’s accounts. While this is a good policy for all employees, protecting executives with 2FA is particularly important.
Have executives use a VPN or TLS encrypted services whenever they work remotely. This helps ensure that nobody can eavesdrop on connections to the company network.
Apply enhanced monitoring rules for executive behaviour. Configure your security tools so that you can observe the behaviour of executives in greater detail. Be prepared to accept a higher number of false positives in return for more chances to catch, and stop, attacks against the executive.
Implement additional low-friction authentication/verification procedures. Some attackers are able to fake computer-based authentication, like sending SMS to the executive. Even voice confirmation can be faked. A CEO who is televised or recorded speaking at shareholder meetings could provide enough material for a skilled impersonator to convincingly assume their voice. If the technology continues to advance, AI deepfakes may also be able to impersonate the voice or likeness of executives. As a result, organisations should consider adding additional layers of verification, such as code words or phrases that are unique to the executive, and regularly rotated.
Provide “loaner” devices when the executive travels overseas. Given the increasing number of countries that allow border security agents to seize and inspect devices as a condition of entry, there is a risk that data and accounts on executive’s work devices will fall into the wrong hands. To mitigate this risk, consider providing executives with ‘loaner’ devices that are as close to stock as possible and able to be bootstrapped with the necessary software and accounts once the executive is across the border. Also consider restricting the executive’s access to a minimal subset of systems while they are traveling.
Avoid using electronic devices given to executives as gifts. Executives may receive phones, laptops, or other electronic devices as gifts during business dealings or negotiations. We recommend that executives should immediately dispose of electronic devices given as gifts by other organisations or governments (prior to reaching the executive’s hotel room or office). These devices could potentially be compromised with malware. They’re just not worth the risk.
Avoid connecting externally provided USB sticks to company devices. USB sticks can be compromised with malware and should, wherever possible, be avoided as a data transfer method. If retrieving data from a USB stick is necessary, the device should be checked on an air gapped machine.
Pre-screen emails for phishing and other kinds of attacks. If your executive has a personal assistant with access to their emails, it is worth training this staff member to recognise and flag possible phishing emails and whaling attacks before they ever reach their intended target. Most importantly, executives and executive assistants should know how to escalate if they suspect they may have fallen for a scam, and have no fear in doing so.
Monitor the location of log-ins and network connections. Know where the executive is expected to be located on any given day, whether they are working from company headquarters or attending a conference in Beijing. Alert on any logins or connections that originate from an unexpected location.
Make it seamless
Your executive protection efforts should be inspired by other seamless, high-end experiences. The less friction involved, the more likely executives are to comply with the policies of the program. Here are some ideas for reducing friction:
- When an executive is scheduled to travel, have loaner devices prepared, ready and on their desk in advance. Make it seamless to setup and be productive on loaner devices.
- Devices for travel should be the same make and model as the executive’s usual work devices. If loaner devices are seen as inferior to the executive’s regular devices, the executive will chafe at being asked to use them.
- Have security personnel monitor alerts relating to the executive and, where possible, investigate them without needing to query the executive directly. In many cases, executive assistants or automated systems (such as corporate travel systems) will have the necessary information.
Include additional benefits
You can further positively reinforce participation in protection programs by giving members additional benefits. The kinds of benefits that are appropriate will depend on your organisation, but some ideas include:
- More frequent device upgrades.
- Higher spec phones and laptops.
- Priority access to IT support for program members.
- On-call security personnel to deal with any security concerns or queries.
Buy-in is critical
The most critical aspect of executive protection is increasing buy-in from those you are trying to protect.
By reframing security policies around the person’s value and importance to the organisation, rather than around burdensome rules and hoops to jump through, you can increase compliance and, most importantly, help ensure the safety of your highest-risk personnel.
Cosive is a consultancy that thrives on solving the toughest problems in cyber security. Contact us if you’d like to discuss ways to keep your executives and other high-risk staff safe from attacks.