Stop helping cyber-criminals steal from your company!
We’ve had to learn new phrases this past year—spear-phishing, whale phishing, business email compromise, social engineering, Bitcoin ransom payments, zero-day exploits, and on and on.
In 2020, successful CEOs and owners learned to pivot and deliver products and services to customers during global disruption.
Now, CEOs need to be hyper-vigilant about cyber security.
And so the “Golden Age of the Remote Worker” has reached its 12-month anniversary. Today’s knowledge workers have shown us they can be productive and awesome from their home offices. That’s fantastic news!
What went largely unplanned is the exposed soft underbelly of the work-from-home business model that aggressive ransomware and advanced persistent threat (APT) actors are tearing apart without fear of legal consequences.
So let’s agree to make this the year of fighting back against ransomware and the financial fallout from social engineering and business email compromise attacks.
What’s The First Step toward Better CEO Cyber Security?
Stop making unforced errors. I’m a tennis/pickleball enthusiast. When I lose a match, it’s mainly due to mistakes I’ve made, like serving out-of-bounds or hitting the ball into the net. Repeatedly.
1. The biggest mistake C-level execs make with cyber security?
They opt out of their own cyber security policies.
Stop being the weakest link in your company’s cyber security policy. CEOs and C-level execs are at the most significant risk of getting hacked.
Look, pre-2020 cyber security technology continues to fail us. We have to take a hard look at our behaviors and attitudes toward cyber security.
Gone are the days where an aging business owner is coddled by staff and allowed to use older, familiar technologies because “The Boss” doesn’t have the time or confidence to learn newer, more secure technologies.
Case Study from a cyber security breach last year
A social engineering attack begins with the observation of a CEO’s home.
His wife and children’s names are a matter of public record. Along with their mobile phone numbers, personal email addresses, and social media accounts.
One day, the bad guy sees a landscaping service truck in front of the home. Armed with that information, a spoofed email invoice is sent to his wife’s personal account “from” the landscaping company, complete with the company logo.
She has no reason not to open it since she is familiar with the landscape company and expects an invoice.
She uses her husband’s home office workstation to check her email. Why not?
Included in the email was a link to view what she thinks is a legitimate invoice, but in reality, clicking that link downloads malicious software that gets planted in the CEO’s laptop.
The malware hides there, discovering bank information, passwords, customer lists, HR, accounting, payroll, intellectual property, etc. Then it uploads and shares that information with the attackers the next time the CEO remotes into his office network.
Malware then sends fake emails to customers, employees, and vendors. It then continues to spread itself through your organization the moment a recipient clicks a tainted link.
2. Don’t mix business and personal accounts at home
While working from home your staff’s work PCs or laptops should only be used for business. The proverb, “necessity is the mother of invention,” shows us the need for better cyber security practices working from home.
Apps like BlackCloak focus on protecting an executive’s home network. Trend Micro has a low-cost home security appliance.
DNS web filtering apps from Barracuda, Forcepoint, and others can prevent a user from connecting to known malicious sites.
So many execs have no antivirus on their laptop or home workstation. Here’s a review of the best antivirus software. Any of them is better than having none at all.
3. Always apply the most current security patch update
Once a security patch for your software systems and user devices is made available, see to it that your IT folks implement these vendor fixes FAST. Don’t wait until you fall victim to make security upgrades to your IT environment.
In early March 2021, Microsoft made public a significant finding of multiple vulnerabilities in their Exchange Server email platform. Yet three weeks later, 40% of these on-premises email servers remain unpatched even after Microsoft made available a one-click security update patch.
4. Make security upgrades to your technology now
Stay-at-home isolation and the use of home workstations—no longer behind a central office security stack—let your staff mix business and personal accounts on poorly-secured home devices and networks.
The initial cash outlay for proactive, orderly security upgrades is minor compared to the cost of paying a ransom or lost time & productivity having to redeploy your business’s entire infrastructure from offsite backups.
5. Enforce dual-factor login authentication and passphrases
The technology to do this has been available for years. Yet, so many businesses still have not made either of these cyber security best practices a priority.
Even if the bad guys have stolen passwords for every user’s login across all the software platforms you use to run your business, all is not lost.
What happens next, a secondary login PIN pushed out via text to a user’s mobile phone will prevent unauthorized access even if a password is stolen. This works 100% of the time!
Take advantage of password management applications that hide passwords behind a single, unique to you, easy to memorize passphrase.
Here’s an example: “when i was a kid we lived in a big house on maple street” That’s a 56-character passphrase that’s easy for you to remember, but would take centuries to crack via brute force attack.
The best part is that all of your other passwords get managed by the application. Complex, randomly generated, regularly-rotated, 20-character passwords that you never have to memorize.
6. Oversharing of family and personal information
Two decades of social media and virtual assistants have changed how we communicate. Today it’s vital that we understand how these technologies have evolved to expose us to great harm.
As a CEO or owner and proud parent—see sharenting—your accounts, and those of your socially active kids and grandkids, are being scanned for clues to support future social engineering campaigns against you.
The Cybersecurity and Infrastructure Security Agency published a social media guide for students and parents. It’s a quick read that’s worth a look.
According to a Consumer Watchdog report, patent applications from Amazon and Google revealed how their Alexa and voice assistant smart speakers are ‘spying’ on you. They are ALWAYS listening to everything you say within earshot.
Here’s a great resource to help you change that. “How to keep Amazon, Apple, and Google from listening to your Alexa, Siri, and Assistant recordings.”
A final thought about better executive security
Consider active participation in a CEO/Business Owner peer advisory group.
While not precisely a cyber security mistake, I can’t advocate strongly enough that this would be a game-changer for you and your entire organization. It certainly has been for me.
See how other business leaders are handling current business issues, including cyber security and remote working. I’ve been a Vistage member for a dozen years, yet there are many quality C-suite executive peer programs tailored to your needs and available time.
You won’t believe how much stronger and more secure you and your company will become!
