The C-Suite Needs Cyber Bootcamp

Education and preparation are key to cyber-attack prevention and resiliency. So why is the c-suite being left out of the conversation?


From start-ups to the Fortune 500, no company is immune to cyber-attacks. C-suite executives are just as if not more likely as their employees to face a business email compromise attempt. But are companies doing enough to educate and protect their executives?

“There's just so much more at stake when you're talking about the c-suite. These are folks who have access to the crown jewels of the company, especially in the case of the CFO or financial director,” shared Patrick Coughlin, Co-Founder and COO at TruSTAR at a recent WSJPro Cybersecurity Executive Forum.

Not only are financial executives highly likely to become a target, the risk associated is greater. Financial executives in particular have access to the bank account as well as critical business intelligence about pending deals and that could easily be leveraged from an extortion perspective.

Frequency of travel is another element that makes the c-suite an attractive target to hackers. “A lot of executives do a lot of work at home as well as abroad, so that infrastructure may or may not have the same degree of security that they would have in the office setting,” said James Trainor, FBI cyber expert and SVP, Cyber Solutions Group at Aon.

Despite the fact that c-suite executives are frequent targets, organizations often exclude them from cyber security training or under-prepare them for an attack. Coughlin shared, “People are a little surprised that they should be doing something extra for the c-suite than perhaps they would be doing for others.”

As many speakers at the forum pointed out, education and preparation are key to cyber-attack prevention and resiliency. Joe Leonard, SVP, Technology Group and CISO, Federal Reserve Bank of New York explained to the audience, “Breach preparation is really having a playbook of communications prepared. What you’ll find in many breaches is what comes out in the beginning, or the initial tagline, turns out not to be accurate or it’s not the full story. You have to be clear and crisp in the messaging and make sure it’s the message that you want to land in our Twitter, YouTube culture.”

With preparation and communication so tightly connected to resiliency, it’s imperative that organizations adequately train their employees, including the c-suite. But their efforts are falling short, as evidenced by the headlines we read every day. Are companies doing enough to arm their employees and executives against the next attack?

Trainor says no. “It really depends on the company. Some companies, certainly here in New York City, the financial services industries, are far more proactive. They have the resources to devote to that. But not in any other sectors without question, definitely not.”

Coughlin added, “If you're a Fortune 500 c-suite executive, perhaps there's some sort of cyber bootcamp that you should be going through if you haven't already at some point in your career. But the threat extends beyond just the Fortune 500. For a start-up who has just raised some venture capital funding and a press release goes out, you better believe that they're going to receive a business email compromise attempt, because hackers are squatting all over those announcements. They're waiting to see when big flows of money are happening even to smaller companies and they'll send that fishy email, they'll spoof the CEO's email address and send it to another co-founder saying, ‘Hey, can you wire me money?’”

While at the FBI, Trainor saw four to five business reported emails compromise incidences a day, with losses ranging from $10,000 to $50,000. In many cases, an executive was fooled to wire transfer funds to an account. “Typically it's done when the executive is traveling so when the CEO's traveling, that's when the financial office will get this notification, at the 11th hour, a crisis. The key takeaway on this is, if you're a victim of business email compromise, you really have about 72 hours to freeze the assets, you need to contact your bank, have them contact the bank that the funds were initially wired to, and certainly contact the FBI.”

Coughlin pointed out that there can also be a sense of shame associated with “falling for” a hacker’s trick, which may discourage employees from acknowledging or reporting a potential breach. Companies have to, instead, empower their employees and executives with education and support. “We make them think they're stupid if they click on a fishing email. I think we have to sort of flip that discussion and talk about it more in terms of when it's going to happen. When you do receive this kind of an email, when you do accidentally click on a malicious attachment, what do you do? Because if you remove that stigma from it and you talk to people that it's their responsibility to protect the company, watch what happens because then they start to take on that security mission.”

Elena Kvochko, CIO, Group Security Division at Barclays Bank recommended companies focus on creating a security culture, though admits it can take time. Kvochko explained that, because most companies grew either through organic growth or acquisitions, they tend to operate in silos. But when it comes to security, companies need to make cyber an important and functional part of the business that isn’t siloed off from other teams. “No matter how you structure your technology teams, I think what's important is to be able to have a holistic perspective across your business lines and product lines to be able to see if there’s an anomaly or incident happening in one part of the organization, you’re able to connect it to other potentially related events that are happening.”

The sooner organizations understand that cybersecurity risk is not a technology problem, but a people problem, the more protected and resilient they’ll be. C-suite executives are very susceptible to phishing and may require extra, specialized training to protect themselves and the organization against the next cyber-attack.