In my previous blog post, I shared why the very thing that makes your C-suite great at their jobs – their visibility and accessibility – can also make them prime targets for attack. So the next question is how you can prepare them for that attack while also protecting and maintaining the goals of your company. Here are a few simple best practices we all should employ.
- Assume compromise. The best starting point for this discussion is to just assume the C-suite is under attack and assume they will be compromised. Assume that your executives (and all employees for that matter) are going to make mistakes, and these mistakes will lead to vulnerability. With the breakneck pace of business and the many demands of being an executive in today’s digital world, it’s easy to open a malicious email attachment or set down your smartphone in an airport lounge, opening your organization to cyber attack. We’re all human after all, and humans make mistakes.
- If you can’t trust the network, don’t connect to it. All people who are highly exposed, especially executives with access to sensitive business data, should use trusted network connectivity at all times. If you have to connect to an untrusted network, say the free airport Wi-Fi or local Starbucks network, always use a VPN to tunnel your traffic to somewhere you can trust.
- Manage your home network. Untrusted networks at home are not only a personal problem, they’re a company problem too. If your executives have weak, unmanaged home networks, they are back to square one. Home networks hosting weak IoT devices, or a router with out-of-date firmware and default passwords, are just as dangerous as the worst public Wi-Fi. Again, start assuming compromise, expect an attack and take precautions.
- Use smart multifactor authentication. Because you’re assuming compromise for your executives, it’s imperative they have smart multifactor authentication in place for key apps and services. Knowledge-based authentication (“please confirm your mother’s maiden name…”) is not a viable solution. A quick Internet search can determine a visible executive’s high school mascot, mother’s maiden name or favorite pet’s name. There are lots of options for multifactor authentication that go beyond basic personal knowledge. Use them.
- Practice least privilege. Companies often expect that their executives should be given all the access they could ever need. I’ve seen access control plans that basically provision executives’ access to all key systems – just in case – you never know. However, when we assume compromise, we must also think least privilege. Don’t give people access unless they actively use it. For key systems, think fine-grained access, with self-service access requests and automated provisioning and de-provisioning. Give the right people the right access at the right time, and then take it away when they no longer need it. This should be the policy from the top down.
- Physical security goes beyond a name badge. When you say “physical security” most people think locked doors, name badges and tailgating. But physical security goes a lot further than that and includes the space around you and who can see your executives’ screens. We’ve all been on a flight and looked over a shoulder or into the seat next door and seen something on the laptop. Providing privacy screens for your executives is cheap and easy. It helps to remind everyone that information leakage can be via line-of-sight as well as a line of bad code.
- Education and awareness. Executives are the allowable exceptions to so many business rules, but security education and awareness shouldn’t be one of them. They are busy and often miss out on security training because of this. IT tends to cut a wide path for the C-level executive: while it may shut off an employee’s network access when they haven’t completed their security training, not so much for the CEO. However, it’s imperative that your executives understand the risks and the mitigations we all need to keep top of mind.
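As an added illustration of the least-privilege point above (time-bounded access that is provisioned on request and taken away automatically), here is a minimal just-in-time access broker; it is example code written for this post, not a product’s API, and the MAX_TTL_SECONDS policy, the AccessBroker class and its method names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical policy: no grant may outlive a working day, so a
# "just in case" request for 30 days of access is clamped to 8 hours.
MAX_TTL_SECONDS = 8 * 3600


@dataclass
class Grant:
    principal: str      # e.g. "ceo"
    system: str         # e.g. "finance-erp"
    permission: str     # e.g. "read"
    expires_at: float   # unix seconds; every grant carries an expiry


@dataclass
class AccessBroker:
    """Default-deny broker: nothing is standing, every grant expires."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # provision/deprovision trail

    def request(self, principal, system, permission, ttl_seconds, now):
        """Self-service request: provision a grant bounded by the TTL policy."""
        ttl = min(ttl_seconds, MAX_TTL_SECONDS)
        grant = Grant(principal, system, permission, now + ttl)
        self.grants.append(grant)
        self.audit.append(("provision", principal, system, permission, grant.expires_at))
        return grant

    def sweep(self, now):
        """Automated de-provisioning: drop every grant whose expiry has passed."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(("deprovision", g.principal, g.system, g.permission, now))
        return len(expired)

    def is_allowed(self, principal, system, permission, now):
        """Authorization check; expired grants are swept before deciding."""
        self.sweep(now)
        return any(
            g.principal == principal and g.system == system and g.permission == permission
            for g in self.grants
        )
```

The check is fine-grained (principal, system and permission must all match), so a two-hour "read" grant never implies "write", and the audit list records both the provisioning and the automatic removal.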
At the end of the day, security is like any other business initiative. In order for it to be successful, it must start from the top down. Your organization’s executives should be the primary security evangelists for the company, showing your employees that they too are willing to make the right trade-off between convenience and control for the good of the company and its information security.