Another way to demonstrate to executives how much of a target they are is to have them look in their email spam filters to see how many phishing emails have been sent to them, Taule says. Fortunately, these emails didn’t reach the inbox and trigger an attack, but the sheer volume of these attempts should get the point across.
The best and most effective way to make the case for security is to put on a challenge, Siciliano says. “Most people, especially Americans, think ‘it can't happen to me’, which is a societal norm based on myths that these things only happen to other people in other places,” he says. “Essentially challenging that executive to determine his or her vulnerabilities and showing just how vulnerable that person is, in both their physical and virtual environment, will get their attention.”
3. Ensure that executives’ personal and work devices are secure
Many business operations and interactions today take place via mobile devices, and a lot of executives are likely to be using the same devices for work and personal reasons. It’s ideal if they use different devices, such as smartphones, for work and home, but executives often won’t accept this, Taule says. You might want to consider pushing for a company policy dictating how many and which devices executives can have for work and how they can be used.
In any case, it’s imperative that any devices executives use for business be highly secure and have the latest protections. All sensitive data should be encrypted and the devices should be protected via an enterprise mobility management (EMM) platform.
Part of ensuring the security of mobile devices includes evaluating not just the devices used by the executives, but those of their immediate family members within the household as well, Siciliano says. That means determining whether each of the devices has password protection, updated operating systems, updated antivirus software, and so on.
“It's important to keep in mind what devices are ‘shared,’ meaning if a child is sharing the same device as the executive and what kind of trouble the child may get the executive in,” Siciliano says.
4. Educate executives about attacks such as phishing
Business executives are among the biggest targets of phishing and whaling attacks, in large part because they have such a high level of access to important data. It’s vital that executives know what to look for that would indicate such an attack.
“This begins with security awareness training and conducting phishing simulation training,” Siciliano says. “Any third-party apps revolving around encryption and isolating email communications is a must.”
Another way to address these threats is to have executive assistants screen emails for indicators of phishing, to remove the burden from the executives themselves, Taule says.