A Secret Service Agent's Guide to Protecting the C-Suite from Hackers
Cybersecurity is on the minds of most businesses today, but there’s one area where companies often screw up: failing to protect their key executives when they’re on the move.
In today’s environment, there is an abundance of well-funded and sophisticated hacking groups, many with nation-state or organized crime affiliations and interests, looking for any way possible to defraud or steal information from American business interests. Like any other criminal, hackers look for weaknesses in the security perimeter before they attack -- and often, that sweet spot is to be found in the personal security of key company figures. One example is “Darkhotel,” the Korean-speaking hacking group that targeted countless business executives via hotel Wi-Fi from 2010 to 2015.
As a former Secret Service agent, it was my job to protect the President from both physical and digital attacks. (Few realize this, but the USSS was one of the first federal agencies to develop a strong cyber defense and intelligence unit.) From a cyber standpoint, this meant implementing a robust security perimeter around the President’s personal devices and communications (e.g. stripping down the phone, limiting access, multiple layers of encryption, constant monitoring and defense), particularly when the President was outside of the White House.
Businesses, from startups to Fortune 500s, need to adopt a similar mindset when it comes to their own commanders-in-chief, because cyber attacks are a low-cost, low-risk way to steal intellectual property, business intelligence and ultimately the company’s money -- and the C-suite (along with other key figures, like a head engineer or programmer) is definitely a focal point for criminals.
Consider these statistics:
- Business email compromise (BEC) scams on executives have grown steadily since 2010. According to the FBI’s Internet Crime Complaint Center, this type of attack increased by 1,300 percent from January 2015 to June 2016. Between 2013 and 2016, more than 14,000 U.S. companies fell victim, with total losses estimated at over $960 million.
- Spear-phishing criminals are homing in on smaller companies. In 2015, 43 percent of targeted attacks focused on small businesses, as opposed to 35 percent for large enterprises, according to Symantec’s Internet Security Threat Report.
- American businesses lose $300 billion annually due to intellectual property theft, according to the Commission on the Theft of American Intellectual Property.
- Cybercrime is on the verge of becoming the number one economic crime for U.S. businesses, reaching 54 percent of organizations reporting such a crime in 2016, according to PwC’s Global Economic Crime Survey.
No business can be fully secure unless it is taking ample steps to protect the digital assets of its leadership. Here are six steps to take:
1. Whitelist the email.
Only a small, select group of people should be allowed to email key executives; all other addresses should be blocked. Known as email “whitelisting,” this greatly reduces the risk of phishing attacks on the executive.
Additionally, use strong anti-malware and anti-phishing solutions to boost the executive’s email security.
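An added example (not from the original article) of the allowlist decision as a mail gateway might apply it. As an assumption beyond the text, it also requires the gateway's own DMARC pass, because an allowlisted From address on its own can be forged. The addresses, the `mx.example.com` authserv-id and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist for one executive's mailbox (constructed addresses).
ALLOWED_SENDERS = {"cfo@example.com", "counsel@example.com"}
# Assumed authserv-id that our own mail gateway stamps on inbound mail.
TRUSTED_AUTHSERV = "mx.example.com"

def dmarc_passed(msg):
    """True only if our own gateway recorded dmarc=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host: not evidence we can trust
        methods = [m.strip().lower() for m in results.split(";")]
        # Topmost trusted header is the one our gateway prepended.
        return any(m.startswith("dmarc=pass") for m in methods)
    return False

def decide(raw_message):
    """Return 'deliver', 'quarantine' or 'block' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "quarantine"  # missing or duplicated From is ambiguous
    # Match on the real address, never the display name.
    _, address = parseaddr(from_headers[0])
    if address.lower() not in ALLOWED_SENDERS:
        return "block"
    # An allowlisted address without authentication may be forged.
    return "deliver" if dmarc_passed(msg) else "quarantine"

def sample(from_header, auth_results):
    """Build a constructed test message (not real mail)."""
    return (f"From: {from_header}\nAuthentication-Results: {auth_results}\n"
            "Subject: Q3 wire approval\n\nPlease review.\n")

if __name__ == "__main__":
    ok = "mx.example.com; spf=pass; dmarc=pass header.from=example.com"
    bad = "mx.example.com; spf=fail; dmarc=fail header.from=example.com"
    print(decide(sample("Dana Reyes <cfo@example.com>", ok)))
    print(decide(sample('"cfo@example.com" <pay@lookalike.test>', ok)))
    print(decide(sample("Dana Reyes <cfo@example.com>", bad)))
```

The second sample puts an allowlisted address in the display name only, which is why the check compares the parsed address rather than the visible name.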
2. Use multiple layers of encryption.
Every VIP should be protected by multiple layers of encryption. This acts as a fail-safe in the event that an attacker breaks through the other defenses.
Every device that connects to Wi-Fi (phone, tablet, laptop, desktop) must have a VPN, or virtual private network, which will encrypt all data in transit. Next, a full-disk or file encryption program should be used to secure data that is stored on these devices. Limit the executive’s communications to encrypted channels only, like PGP for email, or encrypted communications like Wickr Pro. All web sessions need to be done over HTTPS (SSL/TLS encryption); there are browser plugins like EFF’s HTTPS Everywhere that will force a secure connection on every website.
3. Strip down the phone.
Just as the U.S. President uses a smartphone with very limited functionality, a business executive’s phone should also be stripped down as much as possible, with only essential functionality as needed. The more boring it is, the better.
That means eliminating all non-essential apps, especially games, and scaling back the phone’s connectivity options: disable Bluetooth, disable Wi-Fi auto-connect and turn off geolocation sharing for all apps (with the exception of “Find My Phone”). Social media can also pose a risk, but if your business depends on using it, at the very least make sure geolocation data is turned off in the app (there are online tools that can track a user based on this data) and be careful about oversharing, as sensitive information can be used against executives and employees in social engineering attacks. Also, use public Wi-Fi sparingly, even when a VPN is utilized.
4. Use a burner device.
Executives are most at risk when traveling overseas, particularly to countries like China and Russia. When making these trips, it’s important to be a little paranoid.
Burner devices, or “phones to go,” are an effective way of reducing the risk from compromised devices. This isn’t cheap, but it’s worth the investment and inconvenience. Malware and man-in-the-middle (MiTM) attacks are more likely during foreign stays, so by putting aside the phone or laptop after a trip, the executive will prevent an infected device from getting “behind the firewall” after he or she returns.
It’s also important to have a remote lock/erase feature installed on all devices in case they are lost or stolen.
5. Harden the home office network.
Home offices can be an easy target for hackers, since they are likely to have less security than the corporate office.
At a minimum, make sure a robust firewall and antivirus/anti-malware agents have been installed. Also, keep all devices (laptop, desktop, server, Wi-Fi router) fully updated on software/firmware settings, security patches, etc.
6. Contain the internet of things.
Most executives have -- or will have -- "smart" devices in their homes, in addition to connected cars, wearables and other internet of things products.
These complicate the security picture, as many IoT products have been found to be vulnerable to hackers. Limit IoT usage to well-established, trusted brands with a proven track record of security. Avoid installing IoT apps on the work phone. Also, keep these devices off the executive’s home Wi-Fi network -- if you have two internet lines installed, relegate them to the all-purpose/family network.
An executive’s personal security can be the Achilles’ heel of any company, from startup to Fortune 500, so it’s critical to implement a defense-in-depth approach that will keep their digital assets safe.