Cybersecurity Tips for Top Leadership  


Corporate executives share in the benefits of their companies’ success, but they also share the blame for failures. In the cybersecurity arena, executives are not only taking an increasing share of the blame for data breaches suffered by their companies, but they are also becoming the stepping stones for cyberattacks that cause millions of dollars in losses. The experiences of different C-level executives can provide valuable guidance for corporate leadership as companies try to manage the cybersecurity risks that they face every day.

The Target Story

Target Corporation suffered a massive data breach in 2013 that exposed the personal and financial data of more than 40 million Target customers to cyberthieves. In the wake of that breach, Target’s board fired a number of the company’s executives, including its CEO and president, who were deemed to be responsible for Target’s lax cybersecurity practices. Target set the table for other C-level executive firings in the wake of cybersecurity breaches, including Sony CEO Amy Pascal and others. These firings emphasize the reality that cybersecurity is now a board-level issue. An executive’s failure to pay proper attention to data security can lead to the loss of his or her position.

Using Executive Information to Launch a Spearphishing Attack

Spearphishing is a longer-term hacking strategy in which a hacker targets specific individuals in an organization using credentials that have been stolen from one of the organization’s executives. In 2015, for example, San Jose-based Ubiquiti Networks lost more than $40 million to cyberthieves who had sent emails to lower-level employees that appeared to come from a company executive. The emails directed employees to wire funds to overseas accounts, from which the money subsequently vanished. Ubiquiti was able to recover a bit more than $8 million after it discovered the scam, but it still suffered a significant loss that affected its balance sheet and profitability. A company’s executives should establish more stringent controls over fund transfers to avoid having their information used as a tool for cyberfraud.

Social Media Risks

Social media is not a risk in itself so much as a potential conduit through which cyberattackers can gather information about executives and then use it in other forms of attack against the company. Hackers use information gleaned from an executive’s social media account, for example, to determine the executive’s whereabouts. A spearphishing attack is more likely to succeed when an executive is travelling or is otherwise unavailable to confirm a request. Companies need to impose strict controls on social media usage by executives to avoid these situations.

Internal Cybersecurity Risks

By some measures, external cyberattacks account for only one-fourth of all corporate data breaches. The remaining threats are internal and originate with a company’s employees, either through their own negligence or as a direct internal attack. To the extent that cybersecurity awareness starts in the executive suite, corporate executives need to implement employee awareness and education programs that encourage employees to improve cybersecurity practices, including using stronger passwords and avoiding public Wi-Fi hotspots. Executives can also instruct information technology departments to install stronger encryption routines and to require mechanisms such as dual-factor authentication for logins to corporate networks. When executives emphasize the importance of enhanced cybersecurity, the rest of the company will follow suit.

Plan for Cybersecurity Failures

Cybersecurity risks will never completely disappear. To plan for risks that cannot be fully eliminated and to account for potential losses and liabilities arising from those risks, executives can instruct their corporations to procure cyberliability insurance. That insurance will ease the recovery of data and the replacement of software and systems that are lost or damaged as a result of a cyberattack. It can also help to protect and defend a company against third-party lawsuits that are filed after customers’ personal and financial data is compromised during a data breach.