In today’s digital landscape, an organization’s C-suite and senior executives hold the most valuable corporate data and sign-off authorities, representing the highest potential risk over email. Whether it’s inbound spear phishing attacks or outbound mistakes resulting in a damaging data breach, the C-suite is vulnerable.
But what do cybercriminals want from these individuals? Are breaches always a result of external actors, and what can organizations do to protect their top decision-makers?
Decoding cybercriminals’ fascination with the C-suite
In what is sometimes referred to as a whaling attack, threat actors will often dedicate more time and resources to a phishing email aimed at a senior executive or C-level, using a less generic approach than they would against the rest of the workforce.
Because whaling is a form of spear phishing, cybercriminals usually carry out heavy reconnaissance on the individual and the organization so that they can use convincing impersonation and social engineering tactics. Because the attacks often lack an attachment or link-based payload, technologies that rely on signature-based detection struggle to identify them.
They may pretend to be another stakeholder within the organization, a trusted business associate or someone within the supply chain, using minor, hard-to-notice typographical errors in an email address or a compromised legitimate account. If a compromised account is used to send the phishing email, it can be nearly impossible for an individual to identify the email as malicious, and such attacks also tend to bypass traditional technologies that use reputation-based detection methods.
Cybercriminals aim to trick an individual into revealing valuable corporate information, transferring funds out of the organization, or heavily disrupting operations. Their considerable influence and authority make the C-suite an attractive target.
Reasons threat actors target the C-suite
First, C-level executives have insight into, access to, and control over privileged company data, systems, and finances. Such information and access are highly coveted by cybercriminals because of their potential for exploitation and illicit gain.
Secondly, senior executives are often busy, with a significant workload and tight deadlines, meaning they have less time to thoroughly review emails and determine their legitimacy. Egress’ 2023 Data Loss Prevention Report revealed that 66% of employees use a mobile phone to access their email outside of work, and this percentage is likely higher for time-pressed C-suite executives on the go. Mobile devices make spear phishing attacks more difficult to identify: usually only the display name is shown, so an incorrect sending address is harder to spot.
Additionally, those in C-suite roles may find themselves in the spotlight, leading fairly public lives. Whether through an active social media account or speeches at conferences and events, cybercriminals have a wealth of open-source intelligence (OSINT) readily available to them, which can then be used to craft convincing spear phishing or impersonation attacks.
How the C-suite has been targeted over a 90-day period
Egress data reveals that, within the C-suite, chief executive officers (CEOs) were the number one target for phishing emails, receiving 23% of attacks, closely followed by chief people officers (CPOs), who received 21%. Chief financial officers (CFOs) ranked third with 19%, down from first place when Egress carried out a similar investigation in 2023.
Given their access to systems, data, and funds, it comes as no surprise that CEOs and CFOs are among the three most targeted C-level roles. Similarly, senior HR executives are privy to sensitive personal data covering recruitment, employee relations, and payroll, making them high-value targets for threat actors.
Another interesting note is that C-suite members whose roles relate to information security, compliance, and technology tend to rank very low – likely because cybercriminals still anticipate a lower success rate due to their elevated cyber awareness.
Risk isn’t just an inbound issue
The human element accounts for 74% of all breaches, so, when thinking about an organization’s riskiest users, it is negligent to assume that employees are only vulnerable to external actors. In fact, in 2023, 91% of organizations experienced security incidents caused by outbound data loss within Microsoft 365, including misdirected emails and attachments, and data exfiltration.
These outbound events could include employees replying to a phishing email, clicking the wrong recipient in the Outlook autocomplete drop-down, accidentally sending the wrong attachment, or sending work to a personal device to look at after hours.
As innocent as these actions may be, if they are carried out by a senior executive the consequences could be devastating, and if that data reaches an unauthorized recipient it could amount to a full-scale data breach. Therefore, organizations must consider how to protect their senior executives not just against external actors, but also against outbound incidents.
How can organizations protect their senior executives?
The most common way an organization can help its C-suite is by providing regular security awareness coaching. It is commonly known that, in the workplace, attitude comes from the top down, so not only is it important for the C-suite to show enthusiasm for security awareness, but, as the highest-value targets, they are the ones who need to be the most vigilant.
As an attack sent to a C-suite member is likely to be much more targeted than those sent to the masses, organizations also need to ensure that they tailor coaching to each department or individual, based on the jobs they do and the attacks they receive.
In response to frustrations with static DLP being inadequate in dealing with the human element of outbound mistakes, three-quarters (74%) of cybersecurity leaders have considered turning off Outlook autocomplete to prevent misdirected email and attachments.
However, only 20% have disabled the functionality – most likely because removing autocomplete would cause immense friction to workflows, and manually typing an email address creates just as many opportunities for mistakes. This is even more true for busy C-suite roles, who don’t have time to write out a long address every time they want to communicate over email.
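The two human-layer risks this article describes, an inbound sender whose address is a near-miss of a trusted domain or whose display name borrows a known executive's name, and an outbound recipient picked wrongly from autocomplete or pointing at a personal mailbox, can both be caught by the same few heuristics. The following is an added illustration written for this page, not Egress code or a description of its product; the domains, address book and sample headers are constructed, and the edit-distance threshold of 2 is an assumption chosen for the example.

```python
"""Heuristic checks for (a) inbound sender impersonation and (b) outbound
misdirected recipients. Constructed example for illustration; the trusted
domains, address book and thresholds below are assumptions, not real data."""
from email.utils import parseaddr

# Constructed sample data: the organisation's own domain, a regular partner
# domain, a small address book of known contacts, and common free-mail domains.
OWN_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = OWN_DOMAINS | {"example-partner.com"}
ADDRESS_BOOK = {
    "jane doe": "jane.doe@example.com",         # CEO
    "sam lee": "sam.lee@example.com",           # CFO
    "pat kim": "pat.kim@example-partner.com",   # supplier contact
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
LOOKALIKE_THRESHOLD = 2  # assumed: one or two edits is a "hard-to-notice typo"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse(header_value: str):
    """Split 'Display Name <user@domain>' into (name, local, domain), lower-cased."""
    name, addr = parseaddr(header_value)
    local, _, domain = addr.lower().partition("@")
    return name.strip().lower(), local, domain


def lookalike_of(domain: str):
    """Return the trusted domain this domain imitates, or None if it is
    either trusted itself or not close to any trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def check_inbound_sender(from_header: str) -> list:
    """Inbound: flag typosquatted sender domains and display names that belong
    to a known contact but arrive from a different address (the only thing a
    mobile client may show the reader is that display name)."""
    findings = []
    name, local, domain = parse(from_header)
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted domain {imitated}")
    real = ADDRESS_BOOK.get(name)
    if real and real != f"{local}@{domain}":
        findings.append(f"display name '{name}' belongs to {real}, not {local}@{domain}")
    return findings


def check_outbound_recipients(to_headers: list) -> list:
    """Outbound: flag recipients that look like a typo of a trusted domain, a
    personal free-mail mailbox, or an autocomplete mis-pick (same local part
    as a known contact, different domain); other external domains get a
    generic confirmation prompt."""
    findings = []
    known_locals = {a.split("@")[0]: a for a in ADDRESS_BOOK.values()}
    for hdr in to_headers:
        _, local, domain = parse(hdr)
        addr = f"{local}@{domain}"
        if domain in TRUSTED_DOMAINS:
            continue
        imitated = lookalike_of(domain)
        if imitated:
            findings.append(f"{addr}: domain resembles trusted domain {imitated}")
        elif domain in FREEMAIL_DOMAINS:
            findings.append(f"{addr}: personal free-mail address")
        elif local in known_locals:
            findings.append(f"{addr}: same name as known contact {known_locals[local]}, different domain")
        else:
            findings.append(f"{addr}: unrecognised external domain, confirm before sending")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ["Jane Doe <jane.doe@examp1e.com>", "Sam Lee <s.lee.cfo@gmail.com>"]:
        print(hdr, "->", check_inbound_sender(hdr))
    print(check_outbound_recipients([
        "pat.kim@example-partner.com", "Pat Kim <pat.kim@example-partners.com>",
        "jane.doe@othercorp.com", "sam.lee@gmail.com", "bob@unknown-vendor.net",
    ]))
```

In practice these checks would sit in a mail gateway or client plugin and surface a warning rather than block outright; the point is that the same small address book and domain list serve both directions, and that the inbound check must work from the display name because that is all a phone may show.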