The Big Target for Cyber Crime? Your Company’s C-Suite


As reducing the risk of cybercrime has become an expected part of operating a modern business, there’s one group that’s actually more vulnerable than most: C-suite executives. Recent research by Verizon reveals that corporate VIPs are 12 times more likely to be the target of cyberattacks than others at their company. That’s because they have access to highly sensitive and often valuable information.

Protecting your business from a data breach or cyberattack means focusing not just on the majority of employees, but also paying special attention to reducing threats aimed at yourself and your executives. Providing additional education, implementing extra protection, and improving security protocols for business travel will all help decrease the likelihood that cybercriminals access company data via the people who lead your organization.

Common Scams that Target Top Company Leaders

One of the most common attacks that target corporate VIPs is known as Business Email Compromise (BEC). Such scams cost businesses $26 billion over the past year, and they’re not going away anytime soon. The FBI reports a 100% increase in BEC from 2018 to 2019.

In these attacks, fraudsters typically pose as a CEO or high-level executive and make a request for a payment or wire transfer from someone in the finance team. The emails often look very similar to the executive’s emails and may even contain personal information about the person.

For example, in one instance reported by the BBC, the finance officer at a company received an email from the CEO about an acquisition in progress. The email read, "Hey, the deal is done. Please wire $8m to this account to finalize the acquisition ASAP. Needs to be done before the end of the day. Thanks." The finance officer wired the money to the account and didn’t suspect any foul play until the acquired company began asking about the payment.

In cases of BEC, attackers often use fake forwards or fake “Re:” in the subject lines to suggest that the email is part of an ongoing conversation. This is a newer technique, but one that's on the rise. Other attacks targeting executives include more straightforward phishing emails aimed at gaining access to company data and even account takeovers. With the latter, a criminal may gain access to email or social media and send out emails with financial requests to unknowing victims, or they may simply hold the account for ransom.
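The indicators described above (an executive's name on a look-alike address, a "Re:" or "Fwd:" subject with no real thread behind it, and a payment request) can be checked mechanically when mail arrives. The following Python sketch is an added example, not part of the original article; the corporate domain, executive name, keyword list, and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: in practice these come from your own directory.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
PAYMENT_TERMS = re.compile(r"\b(wire|payment|transfer|asap)\b", re.I)
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. An executive's display name on an address outside the company.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if display_name.strip().lower() in EXECUTIVES and domain != CORP_DOMAIN:
        findings.append("executive-name-external-sender")

    # 2. "Re:"/"Fwd:" subject with no threading headers. Real replies
    #    should carry In-Reply-To/References; forwards do so less
    #    reliably, so weigh this signal rather than blocking on it.
    subject = msg.get("Subject", "")
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if REPLY_PREFIX.match(subject) and not threaded:
        findings.append("reply-prefix-without-thread")

    # 3. Payment or urgency wording (plain-text bodies only here).
    body = "" if msg.is_multipart() else str(msg.get_payload())
    if PAYMENT_TERMS.search(subject) or PAYMENT_TERMS.search(body):
        findings.append("payment-or-urgency-language")
    return findings


# Constructed sample modelled on the message quoted in the article.
SAMPLE = (
    'From: "Jane Doe" <jane.doe@examp1e.test>\n'
    "To: finance@example.com\n"
    "Subject: Re: Acquisition\n"
    "\n"
    "Hey, the deal is done. Please wire $8m to this account to finalize "
    "the acquisition ASAP.\n"
)

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

A message that trips all three indicators is a candidate for a hold and an out-of-band confirmation with the named executive before any payment is made.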

How to Educate Executives on Cyber Crime

One of the first things companies can do to prevent their executives from falling victim to fraud is to educate them about their vulnerability. Organizations need to ensure that their top people understand the types of threats they’re more at risk of encountering and what measures they can take to identify them.

In many cases, this can be difficult because executives have limited time and need more convenience. In fact, those at the top can be less apt to follow security procedures mandated for the majority of employees. However, acknowledgment of the risk by the C-suite is paramount for reducing it. From there, establishing strict protocols for executives' use of email (not using personal accounts for work, for instance), social media, and smartphones can go a long way toward reducing risk.

In addition, executives and the organizations they lead should understand and communicate the full extent of their digital footprint—personal and professional—so that they maintain a high level of security across all their accounts.

Shoring Up the Business

Companies should also increase their organizational security on the whole, an initiative that benefits executives, customers, and the entire business. Securing corporate email is a critical part of the equation, with experts recommending endpoint protection that automatically removes malware attachments.

Implementing device security is especially important for hardware that’s going overseas. Measures such as requiring multi-factor authentication to access devices and using travel-only devices that contain limited corporate information help reduce access to sensitive data during business travel.

Creating a continuous process for patching operating systems and protecting network endpoints also improves general cybersecurity. Updating systems and devices constitutes good cyber hygiene for any organization. Finally, creating a regular training plan for employees, including executives, that outlines potential threats and highlights best practices for email, devices, and data ensures that everyone in your organization stays informed about the threat and knows what they can do to protect themselves and the company.

Cyber threats pose a risk to businesses big and small. Educate your leaders, and everyone else, to reduce the chance that your company suffers an attack, or to minimize the damage if one does occur.


The views expressed by the author are not necessarily those of Fifth Third Bank, National Association, and are solely the opinions of the author. This article is for informational purposes only. It does not constitute the rendering of legal, accounting, or other professional services by Fifth Third Bank, National Association or any of their subsidiaries or affiliates, and are provided without any warranty whatsoever. Deposit and credit products provided by Fifth Third Bank, Member FDIC.