Is Your CEO a Hidden Fraud Risk for Your Business?

Is your CEO’s behavior risky for your business? A business email compromise is a big issue. Here’s how to keep your CEO safe from cybersecurity fraud.  

When you think of cybersecurity risks, your mind probably goes to stored data, WiFi connections and vendor integrations, but your CEO may be one of the biggest fraud targets in your business. Building a comprehensive security net around your business will certainly reduce your risk, but the old adage holds: the defender has to win every time, while the attacker only has to win once. The weakest link in your cybersecurity is often not technical at all; it is far more likely to be a person making a split-second bad decision. This article covers who is at risk, how to prevent attacks on high-profile users, cyber-risk planning and more.

What is CEO Fraud?

Early mass-mailed scams were largely unsophisticated: the same message went to thousands, if not millions, of recipients across many organizations, and between the poor spelling and the unusual requests to send funds to far-flung locations, it wasn't difficult to recognize them as fraudulent. Today's attacks are highly targeted, aimed not just at the officers of an organization in general but at the CEO specifically, either as the person being manipulated or as the identity being impersonated in mail to the finance team. This type of Business Email Compromise (BEC) is not unusual and can cost organizations millions of dollars while causing a great deal of internal consternation and negative media coverage. What business leaders may not realize is that small and mid-sized organizations are every bit as vulnerable as larger businesses, and their small size may make them even more of a target. By one widely cited estimate, 43% of cyberattacks are aimed at small businesses, a figure that may be surprising because small-business breaches rarely make the news.

Social Engineering and Executive Whaling

Two of the ways CEOs are specifically targeted are social engineering and executive whaling: email attacks hyper-focused on persuading a single individual to take one precise action, such as approving a transfer of funds to an unfamiliar account. Social engineering is not new, but it is becoming a more widespread problem for organizations of all sizes. Attackers take the time to become familiar with the people in positions of power in your business through what can be gleaned from social media, looking for everything from the names of children and pets to details of upcoming business trips and the names of vendors listed on LinkedIn. That information is then used to craft a unique email that strings together enough legitimate-sounding detail that an overworked or distracted CEO might act without investigating further. A typical tell is that the message insists on urgency and secrecy, so that the target has neither the time nor the permission to verify it with anyone. Strong security begins with technology but is ultimately supported by having processes in place and educating your workforce.

Mitigating the Human Risk of Cybersecurity Breaches

People are accustomed to trusting that antivirus, anti-malware and firewalls will catch every threat and stop it in its tracks. These tools are the first line of defense, but they work best when paired with active monitoring. Your perimeter defenses will almost certainly reduce how many of these attacks reach an inbox, with email filtering being a crucial tactic in your security toolbelt. Multi-factor authentication, or even physical tokens, limits the damage a stolen or reused password can do, but it does nothing to stop an executive from approving a fraudulent request that arrived in a perfectly legitimate mailbox; that takes process controls. Policies that reduce the possibility of loss could include:

  • Specific steps required to process unusual payments, or payment requests over a certain dollar amount
  • Requiring several individuals to sign off on wire transfers
  • Out-of-band confirmation for large transactions and for any change to a vendor's bank details: a phone call to a number already on file, never one taken from the email itself, or a video call
  • Rigorous password rules
  • Regular reviews of data and business system access
  • Not allowing USB drives to connect to corporate computers
  • Automatic locking of computers and tablets after a short period of inactivity
  • WiFi access policies, including a separate visitor WiFi that does not connect to corporate networks
  • Ongoing security training for all personnel and contractors, including receptionists and customer service agents

Providing cybersecurity awareness training is recognized to be one of the best ways to protect your organization from the human risk associated with online fraud.
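The header anomalies that separate a whaling email from the CEO's real mail, and the kind of rule an email filter applies to them, are easier to see in code. The script below is an added example written for this article, not the author's code or any vendor's product. The executive roster, the internal domain `example.com`, the lure phrases and the three sample messages are constructed for illustration; a real filter would take the roster and domains from the directory.

```python
"""Flag inbound mail that impersonates a named executive (BEC / whaling).

Added example for this article, not code from the original page. It checks
the header anomalies a whaling message usually carries: a trusted display
name on an outside address, a Reply-To that diverts answers elsewhere, a
lookalike sending domain, and a payment lure in the text.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical roster and legitimate domains (assumptions for the example).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Phrases typical of the "approve this now, tell no one" lure. Weak on its
# own, so it only matters alongside a header anomaly.
LURE_PHRASES = ("wire transfer", "urgent", "confidential",
                "gift card", "new bank details")


def _normalise(domain: str) -> str:
    """Fold character substitutions commonly used in lookalike domains."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"),
                      ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates an internal one without being it."""
    domain = domain.lower()
    if domain in INTERNAL_DOMAINS:
        return False
    return any(_normalise(domain) == _normalise(legit)
               or _edit_distance(domain, legit) <= 2
               for legit in INTERNAL_DOMAINS)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyse(raw: str) -> dict:
    """Return the findings for one RFC 822 message and a quarantine verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. The display name belongs to an executive, the address does not.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. The sending domain is a typosquat of ours.
    if is_lookalike(_domain(from_addr)):
        findings.append("lookalike domain")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to mismatch")

    # 4. The text pushes money, urgency or secrecy.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("payment lure")

    # Two independent signals are enough to hold the message for review.
    return {"from": from_addr, "findings": findings,
            "quarantine": len(findings) >= 2}


# Constructed sample messages, not real traffic.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers

Can you send me the Q3 summary before Friday?
"""

WHALING = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jdoe-private@outlook.com>
To: finance@example.com
Subject: Urgent wire transfer - confidential

I am in a meeting and cannot talk. Please process the attached wire transfer today.
"""

TYPOSQUAT = """From: Accounts Payable <ap@examp1e.com>
To: finance@example.com
Subject: Updated remittance details

Please note our new bank details for all future payments.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("whaling", WHALING),
                         ("typosquat", TYPOSQUAT)):
        print(name, analyse(sample))
```

The legitimate message produces no findings; the whaling message trips the display-name, Reply-To and lure checks and is quarantined; the typosquat trips the lookalike and lure checks. Note that SPF, DKIM and DMARC would pass the whaling message cleanly, because a free-mail account with the CEO's name in the display field is sending legitimately from its own domain; that is why the display-name check matters. Whether mail from the CEO's personal account should ever reach the finance team is a policy decision, and the payment controls listed above still apply to anything that gets through.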

Your C-Suite’s Responsibility for Cybersecurity

Your CEO has a vast responsibility for the business, and that includes ensuring that the organization is protected from cybercriminals. It is not enough to trust that passive measures will keep the business safe. There are a growing number of cases of individual executives losing their jobs or otherwise paying the price for a momentary lapse in judgment that cost their business dearly. Businesses do not accept that a CEO or other senior executive did not understand the risk or could not spot the fraud; they are still likely to be held culpable for risky decisions. CEOs should take an active role in securing the business from cybercriminals, just as they would want assurance from the operations team that the building is fully secure and that ongoing protection is in place. “People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics”, notes Kevin Mitnick, self-proclaimed ‘White Hat’ hacker and author of several cybersecurity books.

CEO Fraud: What to Do When the Unthinkable Occurs

It has happened: your CEO or another senior executive made a poor decision and authorized a payment to an offshore account, reused a password that let an attacker into your systems, or otherwise caused harm to the business. Your first orders of business are to contact your bank to report the unauthorized transfer and then immediately report the incident to your local FBI office or through the FBI's Internet Crime Complaint Center (IC3). The FBI works with the Department of the Treasury and the banks involved, and if the report is made quickly it may be possible to have the transferred funds frozen at the receiving bank before they are withdrawn; the odds fall with every day that passes. Have as much information as possible ready when you make the report, including the individuals involved, the timing of the attack, the account details in the fraudulent request and the steps taken so far. Next comes review and remediation. Before anything is rebuilt, preserve the evidence: the original email with its full headers, mail server logs, login records and the affected mailboxes, so investigators can establish how the attacker got in and whether they still have access. If business data was compromised or a ransom was demanded, you may need to work with your trusted IT services partner to restore data or business systems from clean backups. Your IT department may be able to begin the investigation, but it is often best to bring in external security professionals to review policies and procedures and reduce the possibility of a repeat. Finally, contact your insurance agent to report the incident and make any other stakeholder or regulatory notifications that are required. It is almost shocking how much damage a single thoughtless click or an approval sent by email can cause, which is one of the reasons BEC is such a popular way for criminals to get at your organization's money.

Business email compromise can happen at any level of the organization, but CEOs are particularly exposed because of their broad access to information and their authority to move money. Protecting your organization from being bilked out of millions of dollars, or from theft of its intellectual property, starts with giving your CEO a solid education on the various attack vectors. It is also vital that your infrastructure blocks the majority of these messages before they ever reach the CEO, and that requires a proactive and aggressive security posture. See how the team at Nexus IT Consultants supports organizations of all sizes throughout northern Utah: contact us at 801-839-7006 for a free cybersecurity analysis. Our mix of business and technology expertise lets us see across your business to spot potential risks and recommend remediation.