Cybercriminals constantly troll for targets and, as far as targets go, CEOs sit at the center of the proverbial bulls-eye. Your title, your deal-making authority and your regular travel schedule all factor into that appeal: when you are frequently away, it is easier for others to fall prey to schemes in which crooks impersonate you and instruct an employee at your company to transfer funds on your behalf.
Think this type of cybercrime only happens to the other guys? Think again. According to the Internet Crime Complaint Center, an intelligence and investigative group within the FBI that tracks computer crimes, more than 12,000 businesses worldwide were targeted between October 2013 and February 2016 by fraudulent CEO email scams (generally via hacking, phishing emails or email spoofing). The reported cost to affected companies totaled roughly $2 billion—and that figure doesn’t include unreported scams or the additional harm caused by theft of personal identities, intellectual property and confidential information. It also doesn’t encompass the irreparable damage caused to affected individuals, families or corporate brands.
CYBERSECURITY EVERYWHERE, ALL THE TIME
Your IT department most likely has dedicated personnel and a complex layer of products designed to look for hackers, perform behavioral analysis and content control and prevent leaks of confidential information, among other equally important tasks. But each facet of that corporate security regimen requires your company to “acquire technology, then implement, integrate, operationalize, manage, troubleshoot and refresh it across branches, clouds, SaaS applications, mobile devices and remote users,” explains Babak Pasdar, CEO and founder of Bat Blue, a leading cloud security company based in Clifton, New Jersey.
“The CEO and other C-suite executives, as privileged, remote users at home, are part of this unsustainable exercise at the office, which is the equivalent of changing the wheels on your car while you’re driving at 100 mph,” Pasdar explains. In other words, the vast majority of companies are struggling to keep up with security across their own networks, meaning the home networks of busy CEOs who probably aren’t vigilant about changing their Wi-Fi passwords once a year are often unguarded.
Those home networks, in turn, become the gateways through which cyberthieves infiltrate companies. “There’s an enormous incentive to break into an executive’s home network,” says Roderick Jones, CEO of Concentric Advisors, a Kirkland, Washington-based global provider of comprehensive risk analysis and customized security strategies for large corporations, international brands and high net worth individuals.
“The typical executive’s home network—including desktops, laptops, printers, smart phones, gaming devices, smart TVs and various other electronics—makes for a wider attack surface that provides multiple ways in. To a hacker, an executive’s home looks like a small business, which is why institutions need to think about extending the perimeter of their cyber defense for the safety of the company, its executives and its investors.”
One way to fend off would-be infiltrators is to bring the same security vigilance you practice in the office to the homefront. “CEOs, COOs, CFOs, general counsel and the board of directors should have the company’s IT department set up their home networks,” advises Casey Fleming, CEO of Black Ops, a Washington, DC-based full-spectrum information security advisor to senior executives and corporate boards. “There should be one network for work-only, and a completely separate one to be used for the family. That’s how you start to protect corporate information.”
Once you’ve called in IT expertise, it’s also important to heed their advice. In other words, don’t pull out your CEO card when the experts tell you that an application isn’t sanctioned for enterprise usage. “C-level folks are part of the problem in that they’re the first ones to break standards,” explains Pasdar. “They’ll say, ‘Look, I know this is against our standard, but I really want this app, phone, laptop or whatever.’ Don’t make exceptions for yourself.”
BEYOND THE USUAL SUSPECTS
Personal computers, printers, smart phones and tablets are all obvious points of vulnerability—but the pervasiveness of technology is creating new home security gaps of which CEOs need to be aware.
“You may have an alarm system that requires the use of your home Wi-Fi, or you may have Wi-Fi-enabled home automation, such as a thermostat, controlled door lock or a sensor-equipped refrigerator that tells you when you need to go shopping for more milk or eggs,” says Bat Blue’s Pasdar. “All of this is manifesting itself in the homes of executives where a Wi-Fi controlled door lock ends up on a network with VPN access to confidential corporate data. Those devices aren’t designed for McAfee or Symantec. That’s a real challenge,” he says.
In theory, the threat doesn’t even stop at the devices that you overtly or tacitly connect to the Internet. “If you don’t have your router locked down, any device that you leave plugged in 24/7, such as a refrigerator or a coffee machine, can have a $1.57 communications chip in it that routes all of your Internet traffic somewhere else—including email, web searches and photos,” points out Black Ops’ Casey Fleming. “When the Internet of Things advances and all those devices become even smarter, something as seemingly benign as a Smart TV, a wireless baby monitor or a Wi-Fi camera [can] record everything the camera sees and send that info back to China, Russia, India or anywhere else in the world.”
While that level of technological espionage may sound like something out of Will Smith’s next action film rather than your reality, there’s no denying that cybersecurity in the home is a huge and growing issue—and one that CEOs would do well to take seriously.