Why executives must be included in security programs
- 17 June, 2019 10:59
There are never enough hours in the day for most Australian executives. The stresses of running a modern business can stretch even the most productive, and early rising, individuals to the limit. Unfortunately, this may have serious repercussions for cybersecurity.
The Verizon 2019 Data Breach Investigations Report finds that senior executives are many times more likely to be the target of a breach or serious security incident than in previous years. Why? Because they combine too little time to vet a social engineer's approach with privileged network access and organisation-wide authority.
To mitigate the risk from rising attacks on the C-suite, organisations need to refocus their training efforts and tighten technical controls.
Under increasing pressure
The Verizon report indicates that a third of breaches over the past 12 months featured social engineering tactics. This includes phishing, spear phishing, pretexting, spoofing and other attempts to socially engineer targets into inadvertently installing malware on their network or handing over access credentials.
This isn't surprising. People are widely considered the weakest link in an organisation's security chain: we're curious and helpful by nature, which is why social engineering is popular and profitable for cybercriminals.
The difference, however, is in the types of roles that are being targeted within an organisation. The report claims that senior executives are 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years.
Incidents in this case involve attacks that compromise the integrity, confidentiality or availability of an information asset, while breaches result in confirmed disclosure of data to an unauthorised third party.
It's not difficult to see why senior executives are being increasingly targeted. Time poor and under pressure to achieve results, they're more likely than most to click through on an email without properly reading its contents or checking its sender.
These misplaced clicks can give attackers a foothold in the corporate network via a covert malware download, or hand them the executive's own account credentials via a phishing page.
The growth of CEO fraud
The latest Barracuda Threat Spotlight reveals that 29 percent of organisations had their Office 365 accounts compromised by hackers in March this year, leading to over 1.5 million malicious and spam emails being sent.
These account takeovers can be used as a launchpad not only for data breaches, but also business email compromise (BEC) attacks – often referred to as “CEO fraud.” By posing as the CEO, CFO or similar from inside their own email account, hackers stand a greater chance of convincing finance staff to carry out their money transfer requests without raising the alarm.
Having a C-level executive as the sender all but guarantees that the malicious email gets the attention of employees. Many employees are reluctant to question a request from their CEO and will fall into the trap of acting on the email.
Australian businesses reported more than $3.8 million lost to sophisticated BEC scams in 2018, according to the ACCC’s Targeting scams report.
Reducing dwell time
The time and pressure challenges faced by the C-suite may also partly explain why breaches are going undetected for so long in organisations. According to the 2019 Telstra Security Report, 89 percent of Australian businesses estimate that breaches went undetected, up 12 percent since 2018.
It goes without saying that the longer attackers remain undetected inside an organisation, the more time they have to exfiltrate sensitive data, and the more the incident will eventually cost to remediate and recover from.
With the vast majority of cyberattacks financially motivated, there’s clearly a potentially major business impact from attacks targeting the C-suite.
Training and awareness
Senior executives must be included in employee training and awareness programs. In fact, it may be worth developing specific courses to focus on the kinds of challenges experienced by those at the top of the organisation. Any assistants who manage emails on their behalf should also be included in the training.
To stand the best chance of success, courses should feature real-world simulations of attacks, run in bite-sized lessons of around 10-15 minutes: little and often.
Of course, training is only one piece of the puzzle. You should also have advanced email filtering in place to spot and block phishing and other malicious messages before they reach the inbox, using techniques such as signature matching, heuristic and behavioural analysis, and sandboxing.
Emerging artificial intelligence (AI) tools can also help here, by better analysing organisations’ communication patterns to spot suspicious BEC and phishing emails.
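To make the heuristic and behavioural analysis mentioned above concrete, here is an added example (not code from the article or from Barracuda) of a toy BEC filter. It scores a message on the signals that typically separate CEO fraud from ordinary mail: an executive's display name on an address outside the organisation, a Reply-To that diverts the thread elsewhere, payment and urgency language, and, for the account-takeover case where the From address is genuine, a break from the sender's previously observed originating IP or mail client. The organisation domain, executive roster, sender baseline and the three sample messages are all constructed for illustration.

```python
"""Toy heuristic BEC filter (added example; not the article's or any vendor's code)."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com.au"                                   # assumed organisation domain
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}    # assumed executive roster

# Assumed sender baseline: originating IP and mail client previously seen for each
# internal mailbox. A takeover that sends from unfamiliar infrastructure breaks it.
SENDER_BASELINE = {
    "jane.citizen@example.com.au": {"ip": "203.0.113.10", "client": "Outlook"},
}

PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|urgent|confidential|today)\b",
    re.IGNORECASE,
)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return a suspicion score and the human-readable reasons behind it."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. Display-name impersonation: an executive's name on an external address.
    if display.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        score += 3
        reasons.append(f"display name '{display}' used from external address {addr}")

    # 2. Reply-To diverts replies away from the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Payment/urgency vocabulary in subject and body (two or more distinct terms).
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = {m.lower() for m in PAYMENT_TERMS.findall(text)}
    if len(hits) >= 2:
        score += 2
        reasons.append("payment/urgency terms: " + ", ".join(sorted(hits)))

    # 4. Genuine internal sender whose originating IP or client breaks the baseline.
    #    This is the only check that fires for a real account takeover, where the
    #    From address and domain are legitimate.
    baseline = SENDER_BASELINE.get(addr)
    if baseline:
        ip = str(msg.get("X-Originating-IP", "")).strip("[]")
        client = str(msg.get("X-Mailer", ""))
        if ip and ip != baseline["ip"]:
            score += 2
            reasons.append(f"originating IP {ip} not in baseline for {addr}")
        if client and client != baseline["client"]:
            score += 1
            reasons.append(f"mail client '{client}' not in baseline for {addr}")

    return score, reasons


def is_suspicious(raw: str, threshold: int = 4) -> bool:
    """Quarantine-or-flag decision; the threshold is an assumed tuning value."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real mail).
IMPERSONATION = """\
From: Jane Citizen <jane.citizen@outlook.example>
Reply-To: Jane Citizen <jane.citizen.ceo@mailbox.example>
To: accounts@example.com.au
Subject: Urgent wire transfer

I need you to process a wire transfer today for a confidential acquisition.
Send me the bank details form and I will fill it in.
"""

TAKEOVER = """\
From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
X-Originating-IP: [198.51.100.77]
X-Mailer: Outlook
Subject: Payment

Please process the attached invoice payment before close of business today.
"""

BENIGN = """\
From: Sam Lee <sam.lee@example.com.au>
To: accounts@example.com.au
Subject: Lunch

Are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("impersonation", IMPERSONATION), ("takeover", TAKEOVER), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)}")
        for reason in reasons:
            print("  -", reason)
```

The point of the fourth check is the one the article's takeover statistic makes: when the attacker is sending from the executive's real mailbox, display-name and Reply-To checks have nothing to catch, so a filter needs a behavioural baseline of how that mailbox normally sends. Real products build that baseline from far more than two header fields, and the scores and threshold here are illustrative, not tuned.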
As arguably the weakest part of the weakest link in corporate cybersecurity, the C-suite represents an attractive target for attackers. Don’t become complacent – they’ll keep on plugging away until you do something about it.
About the author
Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks. For more information, visit: https://www.barracuda.com/