5 Tips to Minimize Risk and Safeguard Your Business

If you are a high-level executive and concerned about cyber security, as you should be, then these 5 tips will help keep you and your company safe.

Over the past several years we have seen many developments in how companies and their executives are targeted by bad actors who are looking to exploit them.

1. Physical Security - Evil Maid Attack
   1. Your executive team may have scaled back their travel during the pandemic, but many companies are still sending their team out into the world. This means that their hardware is at risk by a wide array of threats. It no longer matters if your executive team is staying within the U.S. or traveling abroad, if they have physical hardware with them, it is being targeted. Executives should always use full disk encryption and consider a two-factor authentication method for their system like the popular YubiKey tool. The reason this threat is called the evil maid attack is becauseit only requires the executive to leave their laptop in a hotel room for a few minutes for someone to gain access to the device and clone the drive or otherwise infect the machine with keylogger. Concerned executives should consider speaking to a physical security expert who can brief them on some of the dangers related to their hardware and what can occur during travel to data they are bringing with them.
2. Physical Security - Payroll Attacks
   1. An email could arrive at your payroll team, coincided with a vacation, that is urgent and begs the payroll team to transfer accounts or make emergency edits to keep the business safe. These convincing emails are often spoofed messages or abusing hacked credentials and will lead to a tremendous loss of money for the company when payroll makes these edits that then send money to bad actors. This type of attack is usually backed up by convincing use of social media open-source investigations on users, their email style, and even use recordings of phone calls that are then spliced and edited to allow confirmation phone calls to sound legitimate. It is important that all emergency and routine changes to payroll or financial transactions are managed through a detailed failsafe system that accounts for many of these dangers before any changes are ever made.
3. Physical Security - Education
   1. All employees, including the Chief Executive Officers, should undergo regular training on a wide array of threats. It is vital that all employees understand that there is no single threat matrix that can defeat all bad actors. They must be educated in a wide array of attacks so that they can make independent decisions to varied and chaotic events that benefit themselves as well as the company. Did the email from IT asking them to turn on their company come in from a legitimate requestor, or are they experiencing the start of an attack? Should they reply to the unsolicited sales email they received? If they get an email with a link claiming to be a contract, should they open it, or ask for assistance from IT before doing so? Numerous questions can arise every day, and the better trained and educated the users, the more likely they will choose to do the right thing.
4. Cyber - Whale Phishing
   1. Whale phishing is the act of targeting the highest echelon of a company instead of the little fish lower on the totem pole. A CEO will receive emails, phone calls, text messages, and even hand delivered notes every day that could be a threat. A CEO needs to understand that everything they do and say could be of value to an attacker, and what they post on social media could also benefit an attacker. A bad actor will often appear to be a legitimate source and will have the knowledge and acumen to trick even very savvy cyber professionals, so it is important that companies implement a many-tiered method of protecting data and processes. This starts with the IT team and their attempts to block individuals from ever encountering messages from bad actors, to well-educated users who can identify flaws or issues and raise the flag for investigation, and finally to having a layered security system that stops mistakes from happening by having several eyes on an event like a payment before it can be finalized.
5. Cyber - Expect the Unexpected
   1. Bad things are going to happen. Full stop. Regardless of how many safeguards or what expensive and fancy technology you deploy, you are going to run into issues that simply cannot be avoided. Have a plan and train for these events. Do you know who needs to be contacted in the event of an emergency? Do your subordinates? Do you foster a culture that encourages employees to raise the flag, or do they fear reprisal for false positives? You as a CEO must set the culture for your work force and encourage all employees to take a vested interest in the safety and security of the company, and that means promoting a positive culture that appreciates all attempts to safeguard the organization and her riches. One of the greatest dangers to a corporation, company, or agency is the human element. Encourage that human element to report issues, and if they see something then they should say something without fear that they will be punished if they were wrong. It is better to be woken at 2AM by an errant alert than to awaken at 8AM to a crypto locked company that will lose millions in recovery and many more millions to lose business.

The CEO has an incredibly important role in the trajectory of their security as well as the security of their entire organization, and it is the decision-making process they follow that will dictate whether their company can survive a breach or will be blindsided by an event that will dismantle their organization. The top three potential threats to a CEO are completely physical, and only two threats are remotely cyber. Many CEOs attempt to avoid the use of technology in order to minimize risk, but the truth of the matter is that the threats that are targeting them are not based in cyber space, but instead of manipulating the CEO to take an action that benefits the bad actor in some way. It is invaluable that the CEO of any organization take the time to educate themselves, understand the response plan for their organization, and to expect that they will be a victim at some point and to plan accordingly.

Interested in studying cyber?

More about UAT’s Cyber Programs

Our cyber security degree majors and cyber security lab are recognized by industry and government entities alike for their ability to help generate the future innovators of the cyber security industry. We focus on creating true leaders who will have mastery in ethical hacking and uphold the highest industry standard of cyber integrity in our quickly evolving world of cyber security technology and online security.

Visit the University of Advancing Technology for more information on all our cyber security majors. 

Ready to start? Apply now at uatfastapp.com.