Few things are more devastating to an organization’s operations and reputation than a cyber breach. The good news is that cyber security has at long last gained the attention of the boardroom. This is a big step forward, but challenges certainly remain, including a lack of cyber expertise and ongoing risks around company executives.
To that end, one of the many subsets of a cyber security program that needs more scrutiny is the idea of digital executive protection (DEP).
Look at almost every breach that’s happened lately, and unless you’re dealing with very sophisticated threat actors, the attacks are coming from either email or text messages on employee phones that are connected to corporate networks. Not protecting these threat surfaces at this point is simply irresponsible, given that the vast majority of cyber threats are initiated this way.
DEP – which involves the removal of personally identifiable information (PII) from online sources, proper executive cyber education, and insulating the people that surround executive team members, like family or support staff – is critical and needs to be recognized by board members. Having cyber security experience at the board level is an important part of this protection strategy.
Cyber challenges at the top
The reality is that cyber security can be an inconvenience to people. Having to go through several procedures just to accomplish simple tasks can be quite time-consuming for individuals who have a lot on their plates, like most executives do.
Cyber security team members are rarely elevated to the executive level and, while cyber security is gradually making its way to the boardroom, as it should, an overall culture shift needs to happen. Without cyber security expertise and knowledge coming from the C-suite or boardroom levels, implementing cyber security can be a real challenge. A recent report from WSJ Pro (The Wall Street Journal’s research arm) found that while survey participants said their board included at least one cyber security expert, just 30% felt their board’s ability to oversee a cyber security crisis was ‘expert’ or ‘advanced’.
The number of executives being targeted by threat actors is skyrocketing. Most cyber-attacks we are seeing nowadays are carried out using stolen PII or phishing links. In fact, a 2023 survey found that executives are four times more likely to fall victim to phishing attacks than other white-collar employees. The battlefield is changing, and cyber security operators haven’t shifted their focus quickly enough.
Building a digital executive protection program for your executive team
It starts with building defenses based on the profiles of the executives: give them training and an easy plan for what to do when they get unsolicited emails that include links or attachments.
Connect executives with a dedicated staffer who has knowledge of the current landscape. Having a dedicated individual or team that understands how bad actors are working, who to forward suspicious emails to and what the proper procedures are is pivotal.
Set a reasonable level of encumbrance on how executives want to operate, for the sake of safety. If you load 100 or more protection measures on their system, inevitably they will sidestep those measures in favor of job efficiency.
Best practices for digital executive protection success
An effective DEP program incorporates these four steps:
- Ensure executive PII is scrubbed and continually monitored: making sure executive PII isn’t available to the entire world is important for many reasons, whether it’s a physical threat in a consumer-facing business or a cyber threat in a digital business. Scan, delete, repeat.
- Educate the executives and executive teams on best practices in cyber: IT departments are all cognizant of cyber security best practices; many times, the barrier is getting enough face time with the executive team members. Prioritize that time and internalize that education.
- Insulate the people around each executive: imagine an executive brings their child to work. The child has a tablet and connects it to the corporate Wi-Fi; suddenly that tablet is part of the threat surface for the enterprise. So, whether it’s executive assistants or family members, training them on the best practices that the executives should be following is key as well.
- Have true cyber expertise on the board: understanding threat vectors and the motivation of the threat actors at the highest levels of an organization is the single most important thing that a company can do to effectively manage cyber risk.
Security at the highest levels
Individuals’ behavior online outside the workplace can affect the corporation as a whole. That’s why digital executive protection has become more important. As cyber security increasingly becomes a board-level issue, organizations need to ensure they don’t overlook the importance of DEP as part of a holistic strategy. Part of this consideration should also include ensuring you have cyber security expertise within your board. Training executives and those around them is crucial, too. Follow the steps outlined above to create a strong foundation of executive cyber security.
About the author
Adam Jackson is founder and CEO, 360 Privacy