IT specialists at Atlas VPN have published data showing that senior management and C-suite executives are most likely to suffer from a malicious attack within a company.
C-suite executives often disable mobile security protocols for their employees or themselves, typically because the latter do not have the right tools to be productive. At times, bypassing certain security measures helps employees to perform some tasks faster.
Rachel Welsh, the COO of Atlas VPN, said: “Organisations should not be prioritising productivity over security: saving an hour of work can cost thousands of dollars.
"Companies need an in-house IT professional to maintain high productivity and protect themselves from spyware attacks, which would ensure systems are running on the most advanced security solutions.”
The number of spyware attacks increased by 35% in 2019.
Phishing was the most common attack, affecting more than half (54 per cent), with spyware the second most common threat: 46 per cent of C-level executives were targeted by spyware in 2019.
Sarb Sembhi, CTO & CISO at Virtually Informed, said: "While the attackers collect and trade in contact information on the C-level executives, and we cannot change that, we can change and adapt what we do to not be affected by attacks covered in this report.
“We must respond with better, more relevant awareness training, better tools for wherever we work, and no circumvention of security controls for the C-suite.
"It is important for C-suite to realise that being a club member does mean greater responsibilities including better protection against such attacks.”
Data analysed by Atlas VPN shows that:
- 84 per cent of C-level executives were cyber threat victims last year, with 46 per cent of them being subject to a spyware attack
- Spyware and other attacks occur due to a lack of resources that ensure productivity: C-level executives request that security protocols be disabled to have some tasks performed faster.
- In 2019, the Russian Federation had the highest rate of spyware activity: the region accounts for 25.6 per cent of potentially affected users.
- The number of spyware attacks increased by 35 per cent in 2019: in 2018, 27 thousand Kaspersky antivirus software users experienced a spyware attack, and the number jumped to 35 thousand last year.
Jake Moore, a cybersecurity specialist at ESET, said: “The C-suite is still seen as an easy target due to their assumed heavier workload, higher levels of management access and lesser knowledge in cybersecurity - a recipe for disaster.
"When bad actors target C suite staff they are clever with the tactics employed and use manipulation techniques to force them into clicking where they shouldn’t.
“Users are reminded to update their operating systems as well as their browsers to remain safe from spyware, and to be vigilant against targeted phishing emails with attachments.”
Javvad Malik, security awareness advocate at KnowBe4, said that criminals do their homework and will specifically target executives with legitimate-looking spearphishing emails, which can result in all forms of malware being delivered.
"Therefore, it's important that all users within an organisation, including C-level executives and their personal assistants, are provided with regular and relevant security awareness training.
"Not only can security awareness help executives and all users identify potentially malicious emails, but they are more likely to report to IT if they feel like they may have inadvertently clicked on an email, therefore minimising any potential damage."
Brian Higgins, security specialist at Comparitech.com, said the research findings are hardly surprising.
"The Cyber Security community have been debating how best to impress upon Board-level, C-Suite business professionals the vital importance of effective Cyber Security training and business practices for years.
"Back in the 90’s fraud and money laundering were endemic across the economy until European Regulations forced businesses to act and mandated Board-level responsibilities.
"The European General Data Protection Regulation (GDPR) went some way to elevating information security to similar levels of importance; mandating consideration at board-level again in the form of Data Protection Officers (DPO) or Chief Information Security Officers (CISO) and introducing considerable fines for data breaches.
"Unfortunately, these measures don’t extend to the wider issue of Cyber Security and, as this research suggests, senior board members will often circumvent policy over profit, leaving themselves and their business vulnerable to infiltration or manipulation by cybercriminals."
He added that the UK National Cyber Security Centre has developed a freely downloadable ‘Board Toolkit’ which "should not only be required reading" for every board member but can also be very useful in convincing them "quite how devastating the consequences can be if they fail to take their wider security responsibilities seriously."
Dr Francis Gaffney, director of Threat Intelligence at Mimecast, said threat actors regularly use social media posts to identify and target key individuals within organisations.
Gaffney said: “They use sophisticated pattern-of-life analysis to identify working and social networks, to see who may have access to key systems and information, and who is most likely to work directly for, or be able to influence, executives.
"Once the threat actors have a target to exploit, they may choose from a number of different attack methodologies; and often spyware is a key weapon in their arsenal.”
He added that installing spyware via the compromised target allows the threat actor to customise their attack to the specific executive to ensure maximum value.
“Spyware can help the threat actor monitor who the executive works with most, what data they access, and their entire C-suite network,” Gaffney said.
“Once this process is complete, other malware such as ransomware, sophisticated impersonation attacks (including Deepfake), or exfiltration of PII can now be deployed to obtain financial benefits. Indeed, findings from our latest State of Email Security report found 65 per cent of IT leaders reported an increase in the volume of impersonation fraud over the last 12 months.
“From our analysis, CEOs are currently the most targeted candidates for impersonation in these ‘project-related’ impersonation attacks and this is likely to remain so.
"Our research has shown that 36.4 per cent of IT professionals surveyed in the UK say their organisation’s CEO is the most targeted exec within their organisation."
He said that variations or further developments of this type of tactic are also likely to include impersonation of other key and senior personnel within organisations, in an attempt to induce compliance with the instructions given.
Gaffney added: “This level of threat shows that C-level executives cannot afford to prioritise speed over security. Layered security which includes dedicated protection from impersonation attacks is key, along with other proactive measures such as employee training.
"Likewise, when downloading new software, it is recommended to use reputable sites and research the reviews of other customers. Products on these sites may cost more but will save you problems in the long run. Only then will businesses and individuals be resilient and better equipped to prevent fraud."