Thursday, 16 March 2023

The human element has long ranked among the highest threats to organisations’ cybersecurity.

Employee-driven data breaches triggered by ignorance, carelessness or, even worse, malice are the stuff of nightmares for any enterprise. But managing insider risk has taken on new importance because of factors such as remote work and increasingly sophisticated attacks designed to manipulate and deceive. Organisations need to recognise that people and IT security must be viewed through the same lens, with as much invested in countering internal risk factors as in shoring up IT system defences.

This is especially important now that senior executives have become one of cybercriminals’ prime targets. While any employee can become a victim, it is the C-suite executives who hold the keys to highly sensitive company information and financial accounts, making them a hacker’s most valuable prize. Many organisations are still playing catch-up with the demands of securing a mobile workforce, and the problems are particularly acute among executives working outside the protections of their physical offices. The use of personal accounts and devices for work-related functions makes C-suite members even more vulnerable, since those accounts and devices typically carry far more relaxed security than would be enforced in the corporate environment.

It is little wonder that attempts to blackmail executives now appear alongside attempts to steal company data. An executive working remotely on a device the company did not issue gives an attacker an easier route into their personal network. Once inside, criminals look for any personal information, such as photographs, emails and even browsing history, that could cause embarrassment or compromise their victim’s career if released publicly. They then lock down or exfiltrate that information and demand a substantial ransom, threatening to publish it if they are not paid.

The dealings of C-suite executives also make them particularly vulnerable to ‘social engineering’ – the term for tactics that manipulate or deceive victims in order to gain control over a computer system or to steal personal or financial information. A threat actor may, for instance, pose as a telco in a phone call or email to trick a victim into handing over identification data and bank details. Cases are arising in which threat actors target several executives at the same company with social engineering that gives each of them the impression they are dealing with close colleagues and business partners, and serious data breaches can result. The speed of digitisation is also playing a part, with some organisations taking a piecemeal approach to adding infrastructure that keeps pace with the business but compromises cybersecurity at the same time.

Another issue to address is the potential for sensitive data to walk out the door – literally. A departing executive presents an opportunity for information to wind up in a competitor’s hands. Appropriate exit processes need to be in place: access should be limited during the notice period and removed entirely on the last working day, and that removal has to cover every account, credential and access grant the person held, not just the primary login.
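As an added illustration of the exit check described above (this is not the article’s own material, and the user names, directory field names and sample data are all constructed for the example), the script below reconciles an HR leaver list against an identity-directory export and flags what offboarding should have removed: accounts still enabled, API tokens still valid, group memberships still held, and logins recorded after the last working day.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (not from any real organisation): HR leaver list
# mapping user id -> last working day.
LEAVERS: dict[str, date] = {
    "cfo.jsmith": date(2023, 2, 28),
    "coo.mlee": date(2023, 3, 10),
    "analyst.rkhan": date(2023, 1, 15),
}

# Constructed identity-directory export; the field names are an assumption
# about what such an export would carry.
DIRECTORY: list[dict] = [
    {"user": "cfo.jsmith", "enabled": True,
     "groups": ["finance-admins", "board-shared"], "api_tokens": 2,
     "last_login": date(2023, 3, 14)},
    {"user": "coo.mlee", "enabled": False,
     "groups": ["ops-leads"], "api_tokens": 0,
     "last_login": date(2023, 3, 9)},
    {"user": "analyst.rkhan", "enabled": False,
     "groups": [], "api_tokens": 1,
     "last_login": date(2023, 1, 14)},
    {"user": "ceo.avarga", "enabled": True,
     "groups": ["exec"], "api_tokens": 0,
     "last_login": date(2023, 3, 15)},
]


@dataclass
class Finding:
    user: str
    issues: list[str] = field(default_factory=list)


def reconcile(leavers: dict[str, date], directory: list[dict],
              today: date | str) -> list[Finding]:
    """Return one Finding per leaver whose access was not fully removed.

    A leaver is anyone whose last working day is on or before `today`
    (a date or an ISO string). Disabling the login is not enough: leftover
    group memberships give a re-enabled account everything back, and API
    tokens often keep working regardless of account state, so each is
    checked separately.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_user = {entry["user"]: entry for entry in directory}
    findings: list[Finding] = []
    for user, last_day in leavers.items():
        if last_day > today:
            continue  # still employed; nothing to enforce yet
        entry = by_user.get(user)
        if entry is None:
            continue  # account already deleted: nothing left to flag
        issues: list[str] = []
        if entry["enabled"]:
            issues.append("account still enabled")
        if entry["api_tokens"]:
            issues.append(f"{entry['api_tokens']} API token(s) still valid")
        if entry["groups"]:
            issues.append("still member of: " + ", ".join(sorted(entry["groups"])))
        if entry["last_login"] > last_day:
            issues.append(f"login on {entry['last_login']} after last day {last_day}")
        if issues:
            findings.append(Finding(user, issues))
    return findings


if __name__ == "__main__":
    for finding in reconcile(LEAVERS, DIRECTORY, today="2023-03-16"):
        print(finding.user)
        for issue in finding.issues:
            print("  -", issue)
```

Run as-is, the script reports the former CFO on all four counts (the account was never disabled and has been used since the departure date), the COO only for a retained group membership, and the analyst only for a surviving API token; the point is that "disabled" alone passes a naive check while two of the three leavers still hold usable access.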

The financial pressures on today’s workforce have created yet another avenue for cybercriminals to exploit. A worker hit by higher mortgage repayments and cost-of-living pressures is more susceptible to being roped into aiding a ransomware attack in return for a tempting financial reward. These offers often arrive as a message flashed across a screen or as an email, and they can be enough to spur a sufficiently disgruntled or cash-strapped staffer to break the law by willingly sharing company credentials.

Engaging independent expertise is often the only way organisations can pinpoint which of the operational vulnerabilities described above are exposing them to heightened internal threats. But one factor that any mitigation process almost always brings into focus is company culture. A positive, supportive workplace is far less likely to produce unhappy employees who choose to perpetrate data breaches and steal information. By the same token, workers at all levels should be educated not only to recognise and report vectors such as phishing emails or social engineering, but also made to feel safe owning up to mistakes – such as inadvertently clicking on a suspicious link – with no fear of retribution. The consequences of an employee sweeping a cybersecurity slip-up under the table for the sake of their career can be diabolical: an unreported click can hand an attacker days or weeks of undetected access. Encouraging openness is as critical as providing clear-cut information on identifying potential threats.