Hackerpocalypse. That is the term used by Cybersecurity Ventures to describe the onslaught of cyber-crime that cost $3 trillion globally in 2015 and is projected to double to an annual price tag of $6 trillion by 2021. This amount includes theft of intellectual property, personal and financial data, embezzlement, fraud, destruction of data and reputational damage.
Two recent reports point to two unlikely culprits: C-level executives and former employees.
According to the iPass 2017 Mobile Security Report, the widespread use of mobile devices for workplace tasks has led to an increase in mobile cybersecurity risks. However, according to 500 CIOs and IT decision makers in the U.S., U.K., Germany and France, the greatest cybersecurity threats are posed by C-level executives.
According to the report:
- Organizations consider C-level employees, including the CEO, to be at the greatest risk of being hacked.
- Coffee shops are regarded as the most dangerous public Wi-Fi venue.
- Organizations are increasingly concerned about growing mobile security risks, and man-in-the-middle attacks are deemed the greatest threat.
- U.K. organizations demonstrate the least concern for mobile security threats and public Wi-Fi risks by far.
- U.S. organizations consistently rank among the highest for concerns about mobile security, yet their actions rarely follow suit, as they continue to allow the use of public Wi-Fi hotspots and encourage the use of MiFi devices.
Why are C-level execs such cybersecurity threats? Two professors from Carnegie Mellon University explain.
Vyas Sekar is an assistant professor of Electrical and Computer Engineering at Carnegie Mellon’s College of Engineering and a researcher at CyLab. He was recently awarded a National Science Foundation grant to help develop a software-based solution to the problem of IoT security. Sekar says those in the C-suite have a “risk of exposure”.
“C-level executives are public facing, traveling and connecting from possibly unsecured locations/networks while they are traveling, such as airports, hotels and client sites,” he explained.
Jason Hong is a professor in the School of Computer Science at Carnegie Mellon University and a co-founder of Wombat Security Technologies, a company that focuses on cybersecurity training as an online service. He believes that executives, who are usually pressed for time, end up making split-second decisions. “Imagine you have 100 new emails in your inbox and only 15 minutes to go through as many as you can before your next meeting.” These individuals aren’t typically stopping to gauge the legitimacy of each message. “You see an urgent email from ‘accounting’ asking you to look over the budget and click on it – but it turns out that it’s a fake document that has malware in it.” Hong says it’s not hard to see how an executive could fall for that.
But he believes there’s another reason. “Executives tend to be explicitly targeted by smart and patient attackers,” Hong says. “Not only are executives strapped for time, they also have access to the most interesting information.”
And by “interesting,” Hong means they have valuable data that can be leveraged. Sekar explains, “Attackers are economic agents too and want to maximize their return-on-investments.” As a result, C-level executives are excellent targets. “Assuming the cost of launching an attack (finding an exploit or social engineering strategy) is fixed, attackers can maximize their return by targeting C-level executives since they will likely have access to more privileged information and services, such as employee data and proprietary knowledge.”
So, what can C-level executives do to limit their chances of becoming a statistic? Sekar offers the following advice:
- Be much more vigilant and obtain better security/usability training to avoid falling prey to scams in the first place.
- Use enterprise-grade VPNs to avoid getting snooped on while traveling.
- Enterprises can adopt more fine-grained security postures (e.g., stricter access controls when traveling) and track the behavior of these high-profile C-level executives’ IT assets (e.g., laptop, tablet) to check for signs of compromise as soon as possible to minimize the damage.
And, Hong adds these additional tips:
- Use two-factor authentication where possible
- Don’t install software you weren’t expecting to install (for example, if you receive an email to install a software update)
- Verify unusual requests for sensitive information
- Have strong, unique passwords for important accounts, such as email, banking, etc.
- Have a PIN or passcode on your smartphone, in case you lose it.
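Sekar’s third point, tracking the behavior of executives’ assets and tightening access controls when they travel, is something a security team can script. The following is an added example, not code from the article or from either researcher: it runs a small detection pass over constructed sign-in events, requires a second factor for executive accounts signing in from outside the corporate network, and flags “impossible travel” (two sign-ins too far apart for the time elapsed) for every account. The event format, the executive account list, the corporate address space, the GeoIP coordinates and the speed threshold are all assumptions made for the example.

```python
# Added example: a detection pass over constructed sign-in events that applies a
# stricter policy to executive accounts and flags signs of compromise. It is not
# code from the article or from the researchers quoted; the event format, the
# executive account list, the corporate address space and the travel threshold
# are all assumptions made for the example.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

CORP_NET = ip_network("10.0.0.0/8")      # assumed corporate address space
HIGH_RISK_USERS = {"ceo", "cfo"}         # assumed executive accounts
MAX_PLAUSIBLE_KMH = 900.0                # roughly airliner speed; faster implies a shared credential
EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    user: str
    ts: datetime
    src_ip: str
    lat: float     # approximate geolocation of src_ip (assumed to come from a GeoIP lookup)
    lon: float
    mfa: bool      # whether the session completed a second factor


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate(event, prev):
    """Return finding codes for one sign-in; prev is the same user's previous sign-in or None."""
    findings = []
    off_network = ip_address(event.src_ip) not in CORP_NET
    # Stricter posture for executives: off-network sessions must carry a second factor.
    if event.user in HIGH_RISK_USERS and off_network and not event.mfa:
        findings.append("mfa_required_off_network")
    # Impossible travel applies to every account: compare with the previous sign-in.
    if prev is not None:
        hours = max((event.ts - prev.ts).total_seconds() / 3600.0, 1 / 60)  # floor at one minute
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if km / hours > MAX_PLAUSIBLE_KMH:
            findings.append("impossible_travel")
    return findings


def analyze(events):
    """Run evaluate() over events in time order, remembering each user's last sign-in.

    Returns a list of (user, ISO timestamp, finding code) in time order.
    """
    report = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.ts, e.user)):
        for code in evaluate(ev, last_seen.get(ev.user)):
            report.append((ev.user, ev.ts.isoformat(), code))
        last_seen[ev.user] = ev
    return report


# Constructed sample: the CEO signs in from the office in Pittsburgh, then half an
# hour later "from Frankfurt" without MFA, then two days later from a London hotel
# with MFA. An analyst signs in off-network without MFA, which the baseline allows.
SAMPLE_EVENTS = [
    SignIn("ceo", datetime(2017, 6, 1, 9, 0), "10.1.2.3", 40.4406, -79.9959, True),
    SignIn("ceo", datetime(2017, 6, 1, 9, 30), "203.0.113.5", 50.1109, 8.6821, False),
    SignIn("analyst", datetime(2017, 6, 1, 9, 30), "198.51.100.9", 40.4406, -79.9959, False),
    SignIn("ceo", datetime(2017, 6, 3, 14, 0), "198.51.100.20", 51.5074, -0.1278, True),
]

if __name__ == "__main__":
    for user, when, code in analyze(SAMPLE_EVENTS):
        print(f"{when} {user}: {code}")
```

Only the Frankfurt sign-in produces findings: it is off-network without a second factor, and 6,600 km from the office sign-in half an hour earlier. The London sign-in two days later is also off-network, but it carried MFA and the distance from Frankfurt is plausible for the elapsed time, so it passes. In a real deployment the GeoIP lookup and the executive list would come from the identity provider rather than being hard-coded.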
The Curse of the Ex-Employee
Another study reveals that ex-employees are also a source of security breaches. According to a new report by OneLogin, over half of ex-employees still have access to corporate applications, and 20% of the 500 respondents admitted that the failure to deprovision these former workers resulted in a security breach.
Almost half of the IT decision makers were aware of ex-employees who still had access to corporate applications. At least 50% said these accounts were active for more than a day, while 25% said the accounts were active for more than a week, and 25% didn’t know how long the accounts of former employees remained active. A whopping 44% aren’t sure that these individuals are ever removed.
Alvaro Hoyos, chief information security officer at OneLogin, wasn’t surprised by the survey’s findings. “The number of applications any given user needs access to has skyrocketed over time and this increases the risk of access issues accordingly.”
Hoyos also notes that the findings are based on awareness of access issues. “There is always the risk that a percentage of respondents did not feel this was an issue, or for the ones that know it’s an issue, the magnitude of it might be worse, such as termed users with access for longer periods of time.”
So, why aren’t companies deprovisioning former employees immediately? Hoyos explains that there could be a variety of technical and business issues. “There may be a need to maintain communication continuity with third parties and the need to transfer ownership of documents, licenses, and other data to another employee prior to deprovisioning,” Hoyos says. “Technical issues tend to boil down to a lack of visibility into what applications the employee had access to, or not having an automated way of comprehensively removing their access from the sometimes hundreds of apps a given user might have access to.”
Hoyos recommends that companies have a baseline control in place to mitigate risks. “However, preventive controls will eventually fail, whether due to technical or human error, and that’s where detective controls are crucial in being able to detect a malicious ex-employee.”
Detective controls? “This can be as simple as periodic reviews of application access, or more real time in the form of monitoring alerts that trigger on anomalous activity,” Hoyos says. “Identity and access management solutions can, in many cases, automatically provision and deprovision end users with a single request, as well as provide visibility into their access, and trigger alerts on employee account activity, again, either after the fact or in real time.”
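The two detective controls Hoyos describes, a periodic review of application access and an alert on activity by a termed account, both reduce to reconciling an HR record against what the applications actually hold. The following is an added example, not OneLogin’s code and not from the article: it joins a constructed HR termination feed against constructed per-application account exports to list accounts that should have been deprovisioned (including accounts HR has no record of at all), and parses constructed audit-log lines to alert on any action by a user after their termination date. The HR feed, the export format and the log format are all assumptions.

```python
# Added example, not OneLogin's code and not from the article: a reconciliation
# pass implementing the two detective controls Hoyos describes, a periodic access
# review (termed users who still hold enabled application accounts) and an alert
# on activity after termination. The HR feed, the per-application account exports
# and the audit-log format are all constructed for the example.
from datetime import date, datetime

# Constructed HR feed: user -> termination date (None means still employed).
HR_TERMINATIONS = {
    "alice": date(2017, 5, 1),
    "bob": None,
    "carol": date(2017, 5, 20),
}

# Constructed per-application account exports: app -> {user: account enabled?}.
APP_ACCOUNTS = {
    "crm":   {"alice": True, "bob": True, "carol": False},
    "email": {"alice": True, "bob": True, "carol": True},
    "vpn":   {"bob": True, "dave": True},   # dave has no HR record at all
}

# Constructed audit log, one event per line as a timestamp followed by key=value fields.
AUDIT_LOG = """\
2017-04-28T10:00:00 app=crm user=alice action=login
2017-05-03T08:12:00 app=crm user=alice action=export_contacts
2017-05-03T09:00:00 app=email user=bob action=login
2017-05-21T22:40:00 app=email user=carol action=login
"""

REVIEW_DATE = date(2017, 6, 1)   # the day the periodic review runs (constructed)


def access_review(hr, apps, as_of):
    """Periodic review: enabled accounts whose owner is termed or unknown to HR.

    Returns (app, user, days_since_termination). days is None when HR has no
    record for the user; that is its own finding, because an account HR does not
    know about will never be deprovisioned by an HR-driven workflow.
    """
    findings = []
    for app, accounts in apps.items():
        for user, enabled in accounts.items():
            if not enabled:
                continue            # already disabled; nothing left to deprovision
            if user not in hr:
                findings.append((app, user, None))
            elif hr[user] is not None and hr[user] <= as_of:
                findings.append((app, user, (as_of - hr[user]).days))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def parse_audit_line(line):
    """'2017-05-03T08:12:00 app=crm user=alice action=login' -> (datetime, fields dict)."""
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)


def post_termination_activity(hr, log_text):
    """Alert: any logged action by a termed user dated after their last day.

    Returns (ISO timestamp, app, user, action) tuples in time order.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_audit_line(line)
        term = hr.get(fields["user"])
        if term is not None and ts.date() > term:
            alerts.append((ts.isoformat(), fields["app"], fields["user"], fields["action"]))
    return sorted(alerts)


if __name__ == "__main__":
    for app, user, days in access_review(HR_TERMINATIONS, APP_ACCOUNTS, REVIEW_DATE):
        status = "no HR record" if days is None else f"termed {days} days ago"
        print(f"REVIEW  {app:<6} {user:<6} {status}")
    for ts, app, user, action in post_termination_activity(HR_TERMINATIONS, AUDIT_LOG):
        print(f"ALERT   {ts} {app} {user} {action}")
```

The review finds alice still enabled in two applications a month after leaving, carol still enabled in email (her CRM account was disabled correctly), and a VPN account for dave that HR cannot account for. The activity check catches alice exporting contacts two days after her termination date and carol logging in the day after hers; the login on April 28 is before alice left and is ignored. The same join is what an identity and access management system automates when it deprovisions from a single request, and feeding the HR feed into it removes the visibility gap Hoyos describes.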