The C-Suite are exposing themselves to phishing attacks

By David Critchley, Regional Director UK & I, MobileIron.

Back in 2018, a debate was sparked in the cybersecurity world after Jeff Bezos was targeted by a malicious phishing attack via his personal WhatsApp account. While in Bezos’ case there were rumours of state-sponsored espionage, the Amazon boss’ hack was by no means the first time a C-Suite executive had been subject to such an attack, but just how typical was the Bezos case? Are the modern C-Suite more at risk from cybercriminals than the rest of their organisation? And if so what are they doing to mitigate that risk?

MobileIron recently conducted a survey of 300 enterprise IT decision makers across Europe and the U.S., including 100 from within the U.K., in addition to 50 C-Level executives from both the U.K. and the U.S. The study revealed that C-level executives frequently request to bypass their organisations’ security protocols, despite being more commonly targeted by cybercriminals.

Prime targets

More than half (60%) of IT decision makers believe that the C-Suite are the most likely to be targeted by a malicious attack. Worryingly, when they considered who is most at risk of being targeted by phishing attacks - consistently the number one threat vector facing businesses today - this number rose to 78%.

And it seems that the bosses are aware of the risks that they face. 54% of C-Suite executives believe that they have been subject to a phishing attack. The C-Suite devise strategy, determine direction and make the biggest decisions. Arguably, this makes their data more sensitive and thus more desirable. They should be taking the necessary steps to bolster their personal security in order to protect the wider ambitions of the enterprise.

The rule makers and rule breakers

As if to add insult to injury, it would seem that C-Suite executives are making the problem worse, by bypassing their organisations’ security protocols. Over two-thirds (74%) of IT decision makers agree that the C-Suite are the most likely part of their organisation to ask for mobile security protocols be relaxed. Additionally, the average C-Suite executive admitted requesting the ability to bypass their organisation’s mobile security protocols twice last year.

Alarmingly, 45% revealed that they had requested to bypass multi-factor authentication – a measure specifically designed to prevent cybercriminals from stealing one’s credentials. With more than 1 million phishing emails, created to try and steal user credentials, being reported to the National Cyber Security Centre’s Suspicious Email Reporting Service in just two months from March – May, it is clear that the threat of phishing and stolen credentials is all too apparent, and any move to sidestep necessary authentication processes is deeply irresponsible.

In order to overcome this issue, businesses should look to deploy a multi-layered phishing protection solution on all employee devices that, crucially, won’t require any action to be taken from the user to activate. In doing so, IT can gain peace of mind that attacks, such as phishing attacks, are being 100% protected against without any risk that the user might switch it off.

The security inquisition

So why, despite the knowledge that they are facing increased threats from malicious actors, do the C-Suite frequently bypass security protocols? There are two possible explanations.

The first is that there is a lack of understanding and education around cybersecurity. Indeed, 58% of C-Level executives believe the IT security is too complex to understand. A further 62% believe that security limits the usability of their devices and that IT security compromises their own security. The second is that the solutions their companies’ have adopted are not user-friendly and/or impeach their privacy.

In both scenarios the bottom line is that the security solutions and protocols many businesses have in place are not serving their purpose. Cybersecurity should be about more than just mitigating risks; whether you’re a C-Level executive or not, it needs to be about ensuring the enterprise user has the optimal IT environment to maximise their productivity. It should be seamless and shouldn’t interfere with enterprise users day-to-day.

In order to ensure that their cybersecurity protocols aren’t compromising the C-Suite’s device privacy, while gaining maximum visibility into cyberattacks, businesses should enrol their devices in a unified endpoint management (UEM) platform. It provides the visibility and IT controls needed to secure, manage and monitor every device, user, app, and network being used to access data. The digital workspace can be separated from employees’ personal data and applications by using either Apple device management or Android Enterprise profiles. This safeguards the user’s privacy, while maintaining control over business data.

A secure culture

It is down to the C-Suite as the leaders of modern enterprises to create a culture of security. Cybersecurity cannot be an optional extra, and it can’t be one rule for those at the top and another for everyone else. The C-Suite must set a security standard that trickles down through the rest of their business. Crucially, rhetoric needs to be backed up with firm actions, and if a business’s security protocols are being bypassed, then they aren’t fit for purpose. IT departments need to ensure that cybersecurity works for everyone – including the C-Suite. In doing so, they will remove the need for C-Suite executives to break protocol all together.”

By Jennifer LuPiba, Senior Product Marketing Manager at Quest Software.
The cybersecurity landscape continues to evolve as cyber criminals become ever more sophisticated, a...
By Vincent Berk, Chief Security Architect, Riverbed Technology.
By Darren Guccione, CEO & Co-founder of Keeper Security.
By James Preston, Security Architect for ANSecurity.
There is no doubt that enterprise IT infrastructure has undergone radical changes over the last few...
By Mario Espinoza is Vice President of Data Protection at Palo Alto Networks.
By Tod Beardsley, research director, Rapid7.